🔐 Add Gitleaks secret scanning workflow and config

Cardeal · Cardeal · commit 6b05d68a96a0 · 2025-12-22T17:44:09.000-03:00
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -0,0 +1,41 @@
+# Gitleaks Secret Scanner - GitHub Actions Workflow
+# Add this file to: .github/workflows/gitleaks.yml in each repository
+
+name: Gitleaks Secret Scan
+
+on:
+  push:
+    branches: ["main", "master", "develop"]
+  pull_request:
+    branches: ["main", "master", "develop"]
+  schedule:
+    # Scan daily at 2am UTC (substitute for GitGuardian 24/7 monitoring)
+    - cron: "0 2 * * *"
+
+jobs:
+  gitleaks:
+    name: 🔐 Secret Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Full history for complete scan
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Optional: Report to SARIF for GitHub Security tab
+          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: true
+          GITLEAKS_ENABLE_SUMMARY: true
+
+      # Optional: Notify on Slack when secrets are found
+      # - name: Notify Slack on Failure
+      #   if: failure()
+      #   uses: 8398a7/action-slack@v3
+      #   with:
+      #     status: ${{ job.status }}
+      #     fields: repo,message,commit,author
+      #   env:
+      #     SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,43 @@
+# Gitleaks Configuration
+# Add this file to the root of each repository as: .gitleaks.toml
+
+title = "Lunes Platform Gitleaks Config"
+
+[extend]
+# Use default rules
+useDefault = true
+
+# Allowlist - paths/patterns to ignore
+[allowlist]
+description = "Allowlisted files and patterns"
+paths = [
+    '''node_modules''',
+    '''vendor''',
+    '''\.git''',
+    '''package-lock\.json''',
+    '''yarn\.lock''',
+    '''pnpm-lock\.yaml''',
+    '''Cargo\.lock''',
+    '''\.env\.example''',
+    '''\.env\.sample''',
+    '''test/''',
+    '''tests/''',
+    '''__tests__/''',
+    '''\.test\.''',
+    '''\.spec\.''',
+    '''mock''',
+    '''fixture'''
+]
+
+# Custom rules for Lunes-specific patterns
+[[rules]]
+id = "lunes-wallet-key"
+description = "Lunes Wallet Private Key"
+regex = '''lunes[_-]?(?:private[_-]?key|secret)['":\s]*[=:]\s*['"]?[A-Za-z0-9+/=]{32,}['"]?'''
+tags = ["key", "lunes", "wallet"]
+
+[[rules]]
+id = "substrate-seed-phrase"
+description = "Substrate/Polkadot Seed Phrase"
+regex = '''(?i)(seed|mnemonic)['":\s]*[=:]\s*['"]?(\w+\s+){11,23}\w+['"]?'''
+tags = ["seed", "substrate", "polkadot"]
