Merge branch 'add-secret-scanning' into 'main'

security: add gitleaks secret scanning to prevent secret leaks

Closes #159

See merge request postgres-ai/postgresai!224

Author: Sarumyan

.githooks/pre-commit

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# Pre-commit hook: scan staged files for secrets using gitleaks
+# Activate with: git config core.hooksPath .githooks
+
+set -euo pipefail
+
+if ! command -v gitleaks &>/dev/null; then
+  echo "❌ gitleaks not found — install it to enable pre-commit secret scanning:" >&2
+  echo "   https://github.com/gitleaks/gitleaks#installing" >&2
+  echo "   (macOS: brew install gitleaks)" >&2
+  exit 1
+fi
+
+echo "🔍 Running gitleaks secret scan on staged files..."
+
+if ! gitleaks protect --staged \
+     --config "$(git rev-parse --show-toplevel)/gitleaks.toml" \
+     --verbose --redact 2>&1; then
+  echo "" >&2
+  echo "❌ Secret detected in staged files. Commit blocked." >&2
+  echo "   Review the output above and remove/rotate the secret." >&2
+  echo "   To add a false positive to the allowlist, edit gitleaks.toml." >&2
+  exit 1
+fi
+
+echo "✅ No secrets detected."

.gitlab-ci.yml

@@ -18,13 +18,91 @@ default:
   interruptible: true
 
 stages:
+  - security
   - build
   - test
   - publish
   - preview
 
 # Build images from current code for e2e tests
 # Images are pushed to GitLab Container Registry and pulled by test jobs
+
+# ─── Secret Scanning ───────────────────────────────────────────────────────────
+gitleaks:
+  stage: security
+  image:
+    name: ghcr.io/gitleaks/gitleaks:v8.30.0@sha256:105ac66a57b2bb8afb61a3b8a5dcc4817773d03724a7e8a515214cfe58225556
+    entrypoint: [""]  # Override default entrypoint so GitLab CI can run shell commands
+  variables:
+    GIT_DEPTH: "0"  # Full clone required — shallow clone silently misses commit history
+  script:
+    - |
+      # Scope scan to new commits only — avoids re-scanning repo history on every run
+      if [[ "${CI_MERGE_REQUEST_DIFF_BASE_SHA:-}" =~ ^[0-9a-f]{40}$ ]]; then
+        # MR pipeline: scan only commits added in this MR
+        gitleaks detect --source . --config gitleaks.toml --verbose --redact \
+          --report-path gitleaks-report.json --report-format json \
+          --log-opts="${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}"
+      elif [ -n "${CI_COMMIT_BEFORE_SHA:-}" ] && \
+           [ "${CI_COMMIT_BEFORE_SHA}" != "0000000000000000000000000000000000000000" ]; then
+        # Push to existing branch: scan only new commits
+        gitleaks detect --source . --config gitleaks.toml --verbose --redact \
+          --report-path gitleaks-report.json --report-format json \
+          --log-opts="${CI_COMMIT_BEFORE_SHA}..${CI_COMMIT_SHA}"
+      else
+        # New branch or force push: scan commits unique to this branch only
+        MERGE_BASE=$(git merge-base "origin/${CI_DEFAULT_BRANCH:-main}" "$CI_COMMIT_SHA" 2>/dev/null || echo "")
+        if [ -n "$MERGE_BASE" ] && [ "$MERGE_BASE" != "$CI_COMMIT_SHA" ]; then
+          LOG_OPTS="${MERGE_BASE}..${CI_COMMIT_SHA}"
+        else
+          # Fallback: scan only HEAD commit (safe — bounded to a single commit)
+          LOG_OPTS="${CI_COMMIT_SHA}^!"
+        fi
+        gitleaks detect --source . --config gitleaks.toml --verbose --redact \
+          --report-path gitleaks-report.json --report-format json \
+          --log-opts="$LOG_OPTS"
+      fi
+  artifacts:
+    paths:
+      - gitleaks-report.json
+    when: on_failure
+    expire_in: 7 days
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_PIPELINE_SOURCE == "push"
+  allow_failure: false
+# ───────────────────────────────────────────────────────────────────────────────
+
+# ─── Gitleaks Rule + Allowlist Tests ──────────────────────────────────────────
+gitleaks-rule-test:
+  stage: security
+  image:
+    name: ghcr.io/gitleaks/gitleaks:v8.30.0@sha256:105ac66a57b2bb8afb61a3b8a5dcc4817773d03724a7e8a515214cfe58225556
+    entrypoint: [""]
+  before_script:
+    - apk add --no-cache python3
+  script:
+    - |
+      echo "=== Test 1: Detection rules must fire on synthetic fixtures ==="
+      python3 -c "import re; src=open('gitleaks.toml').read(); src=re.sub(r'paths = \\[.*?\\n\\]','paths = []',src,flags=re.DOTALL); open('/tmp/gitleaks-rules-only.toml','w').write(src)"
+      FIXTURE_EXIT=0
+      gitleaks detect --source tests/fixtures/gitleaks/ --config /tmp/gitleaks-rules-only.toml \
+        --no-git --verbose --redact 2>&1 || FIXTURE_EXIT=$?
+      if [ "$FIXTURE_EXIT" -eq 0 ]; then
+        echo "FAIL: Rules did not fire on fixture file"
+        exit 1
+      fi
+      echo "PASS: Rules fired on fixtures (exit=$FIXTURE_EXIT)"
+      echo ""
+      echo "=== Test 2: Allowlist must suppress fixtures in full-repo scan ==="
+      gitleaks detect --source . --config gitleaks.toml --no-git --redact
+      echo "PASS: Full repo scan clean (allowlist working)"
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+    - if: '$CI_PIPELINE_SOURCE == "push"'
+  allow_failure: false
+# ───────────────────────────────────────────────────────────────────────────────
+
 build:test:images:
   stage: build
   image: docker:27.3

gitleaks.toml

@@ -0,0 +1,95 @@
+title = "postgres-ai gitleaks config"
+
+[extend]
+# extend the default ruleset
+useDefault = true
+
+# GitLab token types — https://docs.gitlab.com/security/tokens/
+[[rules]]
+id = "gitlab-pat"
+description = "GitLab Personal Access Token"
+regex = '''\bglpat-[A-Za-z0-9_-]{20,}\b'''
+tags = ["gitlab", "token"]
+
+[[rules]]
+id = "gitlab-runner-token"
+description = "GitLab Runner Registration Token"
+regex = '''\bglrt-[A-Za-z0-9_-]{20,}\b'''
+tags = ["gitlab", "token"]
+
+[[rules]]
+id = "gitlab-deploy-token"
+description = "GitLab Deploy Token"
+regex = '''\bgldt-[A-Za-z0-9_-]{20,}\b'''
+tags = ["gitlab", "token"]
+
+[[rules]]
+id = "gitlab-trigger-token"
+description = "GitLab Pipeline Trigger Token"
+regex = '''\bglptt-[A-Za-z0-9_-]{20,}\b'''
+tags = ["gitlab", "token"]
+
+[[rules]]
+id = "gitlab-oauth-app-secret"
+description = "GitLab OAuth Application Secret"
+regex = '''\bgloas-[A-Za-z0-9_-]{20,}\b'''
+tags = ["gitlab", "token"]
+
+[[rules]]
+id = "gitlab-scim-token"
+description = "GitLab SCIM Token"
+regex = '''\bglsoat-[A-Za-z0-9_-]{20,}\b'''
+tags = ["gitlab", "token"]
+
+[[rules]]
+id = "anthropic-api-key"
+description = "Anthropic API Key"
+regex = '''\bsk-ant-api03-[A-Za-z0-9_-]{20,}\b'''
+tags = ["anthropic", "ai"]
+
+[[rules]]
+id = "anthropic-oauth-token"
+description = "Anthropic OAuth Token"
+regex = '''\bsk-ant-oat[0-9]{2}-[A-Za-z0-9_-]{20,}\b'''
+tags = ["anthropic", "ai"]
+
+[[rules]]
+id = "hetzner-api-token"
+description = "Hetzner Cloud API Token (variable assignment)"
+regex = '''(?i)\b(hetzner_token|hetzner_api_token|hetzner_api_key|hcloud_token|hcloud_api_key|hz_token)\b\s*[:=]\s*["']?[A-Za-z0-9_-]{60,}["']?'''
+tags = ["hetzner", "cloud"]
+
+# Global allowlist — gitleaks uses [[allowlists]] (array of tables)
+[[allowlists]]
+description = "False positives: test fixtures, example data, CI collections, rotated secrets"
+
+regexes = [
+  '''example\.com''',
+  '''dummy[-_]?token''',
+  '''fake[-_]?key''',
+  '''test[-_]?secret''',
+]
+
+paths = [
+  # Unit test fixtures with dummy credentials
+  '''cli/test/''',
+  '''^spec/''',
+  '''__tests__/''',
+  # Postman collections (Stripe pk_test_ keys, recorded calls)
+  '''\.ci/.*\.postman_collection\.json''',
+  # Sqitch DB migration verification scripts (test JWTs, example secrets)
+  '''db/verify/''',
+  # Terraform test files (test passwords/credentials in .tftest.hcl)
+  '''terraform/.*tests/''',
+  '''terraform/.*\.tftest\.hcl$''',
+  # GCP/AWS user_data scripts (cloud-init bootstrap, example credentials)
+  '''terraform/.*/user_data\.sh$''',
+  # Gitleaks test suites (intentionally contain synthetic secrets for rule testing)
+  '''tests/gitleaks/fixtures/''',
+  # Our own fixture directory
+  '''tests/fixtures/gitleaks/''',
+]
+
+# Commit SHA allowlist: known rotated/revoked secrets pending history cleanup
+# glpat-tars3 token committed by bench-bot on 2026-02-25 — token already revoked (infra#20)
+commits = ["5fbe547dd4b4efb052d8642d0613ac3e32f1fb52"]

tests/fixtures/gitleaks/README.md

@@ -0,0 +1,16 @@
+# Gitleaks Test Fixtures
+
+Synthetic secrets used to verify that gitleaks rules fire correctly.
+These are intentionally fake — not real credentials.
+
+This directory is allowlisted in `gitleaks.toml` so the CI scan ignores it.
+
+## Verify the rules work
+
+```bash
+# Should exit 1 (secrets detected)
+gitleaks detect --no-git --source tests/fixtures/gitleaks/ --config gitleaks.toml --verbose
+
+# Should exit 0 (allowlisted path)
+gitleaks detect --source . --config gitleaks.toml --verbose
+```

tests/fixtures/gitleaks/synthetic-secrets.env

@@ -0,0 +1,17 @@
+# SYNTHETIC TEST FIXTURES — NOT REAL SECRETS
+# Used to verify gitleaks detection rules.
+# This directory is allowlisted in gitleaks.toml for normal scans.
+
+GITLAB_PAT=glpat-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
+GITLAB_RUNNER=glrt-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
+GITLAB_DEPLOY=gldt-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
+GITLAB_TRIGGER=glptt-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
+GITLAB_OAUTH=gloas-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ANTHROPIC_API_KEY=sk-ant-api03-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ANTHROPIC_OAUTH=sk-ant-oat01-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+# GitLab SCIM token (synthetic — for rule testing only)
+GITLAB_SCIM=glsoat-xxxxxxxxxxxxxxxxxxxxxxxx
+
+# Hetzner API token (synthetic — for rule testing only)
+hetzner_token=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa