Config for precommit and gitleaks

Valswyn-NHS · Valswyn-NHS · commit dc1f79e04591 · 2026-04-22T16:32:44.000+01:00
diff --git a/scripts/config/gitleaks.toml b/scripts/config/gitleaks.toml
@@ -0,0 +1,19 @@
+# SEE: https://github.com/gitleaks/gitleaks/#configuration
+
+[extend]
+useDefault = true # SEE: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
+
+[[rules]]
+description = "IPv4"
+id = "ipv4"
+regex = '''[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'''
+
+[rules.allowlist]
+regexTarget = "match"
+regexes = [
+  # Exclude the private network IPv4 addresses as well as the DNS servers for Google and OpenDNS
+  '''(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|0\.0\.0\.0|255\.255\.255\.255|8\.8\.8\.8|8\.8\.4\.4|208\.67\.222\.222|208\.67\.220\.220)''',
+]
+
+[allowlist]
+paths = ['''.terraform.lock.hcl''', '''poetry.lock''', '''yarn.lock''']
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
@@ -0,0 +1,9 @@
+repos:
+  - repo: local
+    hooks:
+      - id: scan-secrets
+        name: Scan secrets
+        entry: ./scripts/githooks/scan-secrets.sh
+        args: [ "check=staged-changes" ]
+        language: script
+        pass_filenames: false
