From 011a00b8791954dcc40eac2554055ea54c9dd649 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Fri, 17 Apr 2026 10:21:52 +0000
Subject: [PATCH] add gitleaks
---
.gitallowed | 17 -----------------
.pre-commit-config.yaml | 31 +++++++++++++++----------------
2 files changed, 15 insertions(+), 33 deletions(-)
delete mode 100644 .gitallowed
diff --git a/.gitallowed b/.gitallowed
deleted file mode 100644
index b3858512..00000000
--- a/.gitallowed
+++ /dev/null
@@ -1,17 +0,0 @@
-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
-github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
-token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"?
-id-token: write
-self.token = token
---token=\$\{\{\s*steps\.generate-token\.outputs\.token\s*\}\}
---token=\$GITHUB-TOKEN
---token="\$GITHUB-TOKEN"
-"accountId": "123456789012"
-accountId: "123456789012"
-console\.log\(`access token : \${access_token}`\)
-.*CidrBlock.*
-.*Gemfile\.lock.*
-.*\.gitallowed.*
-.*nhsd-rules-deny.txt.*
-.*\.venv.*
-.*node_modules.*
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b52cd9f6..724548d5 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -26,7 +26,7 @@ repos:
 - id: grype-scan-local
 name: Grype scan local changes
 entry: make
- args: ["grype-scan-local"]
+ args: [ "grype-scan-local" ]
 language: system
 pass_filenames: false
 always_run: true
@@ -54,49 +54,48 @@ repos:
 - id: lint-githubactions
 name: Lint github actions
 entry: make
- args: ["actionlint"]
+ args: [ "actionlint" ]
 language: system
 files: ^.github
- types_or: [yaml]
+ types_or: [ yaml ]
 pass_filenames: false
 - id: lint-githubaction-scripts
 name: Lint github action scripts
 entry: make
- args: ["shellcheck"]
+ args: [ "shellcheck" ]
 language: system
 files: ^.github/scripts
- types_or: [sh, shell]
+ types_or: [ sh, shell ]
 pass_filenames: false
 - id: lint-cdkConstructs
 name: Lint cdkConstructs
 entry: npm
- args: ["run", "--prefix=packages/cdkConstructs", "lint"]
+ args: [ "run", "--prefix=packages/cdkConstructs", "lint" ]
 language: system
 files: ^packages\/cdkConstructs
- types_or: [ts, tsx, javascript, jsx, json]
+ types_or: [ ts, tsx, javascript, jsx, json ]
 pass_filenames: false
 - id: lint-deploymentUtils
 name: Lint deploymentUtils
 entry: npm
- args: ["run", "--prefix=packages/deploymentUtils", "lint"]
+ args: [ "run", "--prefix=packages/deploymentUtils", "lint" ]
 language: system
 files: ^packages\/deploymentUtils
- types_or: [ts, tsx, javascript, jsx, json]
+ types_or: [ ts, tsx, javascript, jsx, json ]
 pass_filenames: false
- - repo: local
- hooks:
- - id: git-secrets
- name: Git Secrets
- description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+ - id: gitleaks
+ name: Git Leaks
+ description: gitleaks scans commits, commit messages, and --no-ff merges to
+ prevent adding secrets into your git repositories.
 entry: bash
 args:
 - -c
- - "git-secrets --pre_commit_hook"
+ - "gitleaks git --pre-commit --redact --staged --verbose"
 language: system
 fail_fast: true
-default_stages: [pre-commit]
+default_stages: [ pre-commit ]
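Review bot: The `description` on the new `gitleaks` hook keeps the git-secrets wording about scanning commits, commit messages and --no-ff merges, but the command it runs (`gitleaks git --pre-commit --redact --staged --verbose`) is limited to staged changes, so the text overstates what the hook covers; `description: gitleaks scans staged changes for secrets before each commit` would match the behaviour. The hook also leaves `pass_filenames` at its default, unlike the lint hooks above it, so pre-commit appends the staged file names to `bash -c` (where they are ignored) and may split a large commit into several identical runs; adding `pass_filenames: false` avoids that. This patch deletes `.gitallowed` and the diffstat shows no gitleaks allowlist replacing it, so if any of the old patterns (for example the sample `accountId` value) trips a gitleaks rule, a reviewed `.gitleaks.toml` allowlist or `.gitleaksignore` entry is preferable to contributors skipping the hook. Because `language: system` runs whatever gitleaks binary is on the PATH, the required minimum version should be documented, as the `git` subcommand is not present in older gitleaks releases.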