
feat(gitleaks): add gitleaks config to hk builtin config#749

Merged
jdx merged 1 commit into jdx:main from hituzi-no-sippo:feat/add-gitleaks-builtin on Apr 1, 2026

Conversation

@hituzi-no-sippo
Contributor

Add gitleaks as a new builtin secret scanner.

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces Gitleaks as a new built-in secret scanner, enhancing the system's capability to automatically detect and prevent the accidental exposure of sensitive information within Git repositories. This integration provides a standardized and automated way to perform security checks for secrets.

Highlights

  • Gitleaks Integration: Integrated Gitleaks as a new built-in secret scanner, enabling automated detection of sensitive information in Git repositories.
  • Configuration Definition: Defined the Gitleaks scanning step in pkl/builtins/gitleaks.pkl, including its metadata, check command, and example tests for AWS keys and clean files.
  • Tool Stub Creation: Created a tool stub for Gitleaks in test/builtin_tool_stubs/gitleaks to specify its version and source for the mise tool.


@gemini-code-assist (Bot) left a comment


Code Review

This pull request adds gitleaks as a new builtin secret scanner. The implementation has a significant issue where it only scans staged files, which makes it unreliable in many contexts. I've suggested changing the command to scan the entire directory for a more robust implementation. I also noted a minor version inconsistency in source code comments.

Comment thread pkl/builtins/gitleaks.pkl Outdated
Comment on lines +14 to +15
// Source: https://github.com/gitleaks/gitleaks/blob/v8.30.0/.pre-commit-hooks.yaml#L4
check = "gitleaks git --pre-commit --redact --staged --verbose --no-banner"


high

There are a couple of issues with the current check command implementation:

  1. Limited Scope: The use of gitleaks git --pre-commit ... --staged restricts scanning to staged files only. This will cause gitleaks to miss secrets in unstaged files or when hk is run in contexts other than a pre-commit hook (e.g., pre-push or hk run).
  2. Deprecated Command: The gitleaks git command is deprecated in favor of gitleaks detect and gitleaks protect.

To make this builtin robust and reliable across all hk use cases, I recommend using gitleaks detect to scan the current directory. While gitleaks doesn't support scanning a specific list of files, scanning the whole directory is a more correct and safer default.

With this change, the source comment on line 14 will no longer be relevant and can be removed.

  check = "gitleaks detect --source . --redact --verbose --no-banner"

Comment thread pkl/builtins/gitleaks.pkl Outdated
check = "gitleaks git --pre-commit --redact --staged --verbose --no-banner"
tests {
local const testMaker = new helpers.TestMaker { filename = "foo.txt" }
// Source: https://github.com/gitleaks/gitleaks/blob/v8.30.0/testdata/repos/nogit/api.go#L20


medium

The version v8.30.0 is referenced in this source URL, but the tool version specified in the test stub (test/builtin_tool_stubs/gitleaks) is 8.30.1. For consistency and easier maintenance, please update the version in the URL to match the tool version.

    // Source: https://github.com/gitleaks/gitleaks/blob/v8.30.1/testdata/repos/nogit/api.go#L20

@hituzi-no-sippo force-pushed the feat/add-gitleaks-builtin branch from 5941bfe to a845037 on March 19, 2026 03:46
@hituzi-no-sippo force-pushed the feat/add-gitleaks-builtin branch from a845037 to d2697b3 on March 31, 2026 19:32
Add [gitleaks](https://github.com/gitleaks/gitleaks) as a new
builtin secret scanner for detecting hardcoded secrets like API keys and
credentials in source code.

- Category: Secrets
- Detects project via `.gitleaks.toml`
- Runs as a pre-commit check with `--staged --redact --verbose`
- Includes tests for AWS key detection and clean file validation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@hituzi-no-sippo force-pushed the feat/add-gitleaks-builtin branch from d2697b3 to aaf35d3 on April 1, 2026 00:49
@hituzi-no-sippo marked this pull request as ready for review on April 1, 2026 10:51
@greptile-apps

greptile-apps Bot commented Apr 1, 2026

Greptile Summary

This PR adds gitleaks as a new built-in secret scanner to hk, following the established pattern for other builtins (PKL config + test helper + tool stub). The implementation is clean and consistent with the rest of the codebase.

Changes:

  • pkl/builtins/gitleaks.pkl — new builtin step that runs gitleaks dir --redact --verbose --no-banner {{ files }} on text files, auto-detected when .gitleaks.toml is present, with tests using a known AWS-key pattern from gitleaks' own test data.
  • test/builtin_tool_stubs/gitleaks — standard mise tool-stub stub pinning to gitleaks v8.30.1 via aqua.

Observations:

  • project_indicators only covers .gitleaks.toml; gitleaks also supports .gitleaks.yaml, .gitleaks.yml, and un-dotted variants, so auto-detection will miss projects using those config names.
  • The check command uses gitleaks dir, which scans working-tree file content. The current official gitleaks pre-commit hook has migrated to gitleaks git --pre-commit --staged (reading directly from the git index). Using dir in a partial-staging scenario can produce false positives or negatives, though this is consistent with how most other hk builtins work.

Confidence Score: 5/5

Safe to merge; both open issues are P2 style/design concerns that do not block correct basic operation.

The implementation correctly follows hk's builtin pattern, has a working test (using gitleaks' own reference test data), and pins to a specific version. All remaining findings are P2: the partial-staging caveat with gitleaks dir is a design trade-off shared by most hk builtins, and the missing config-file variants in project_indicators are a convenience improvement, not a correctness issue.

pkl/builtins/gitleaks.pkl — minor project_indicators completeness and command-choice notes.

Important Files Changed

Filename Overview
pkl/builtins/gitleaks.pkl New gitleaks builtin config using gitleaks dir to scan staged text files for secrets; project indicator limited to .gitleaks.toml only
test/builtin_tool_stubs/gitleaks Standard tool stub pinning gitleaks to v8.30.1 via aqua, consistent with other stub files

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant hk as hk (pre-commit)
    participant GL as gitleaks (v8.30.1)

    Dev->>hk: git commit
    hk->>hk: collect staged text files (types=text)
    hk->>GL: gitleaks dir --redact --verbose --no-banner [files]
    alt secret found
        GL-->>hk: exit code 1 + finding details
        hk-->>Dev: commit blocked, secrets reported
    else no secrets
        GL-->>hk: exit code 0
        hk-->>Dev: commit proceeds
    end

Reviews (1): Last reviewed commit: "feat(gitleaks): add gitleaks config to h..."

Comment thread pkl/builtins/gitleaks.pkl
Comment on lines +8 to +10
project_indicators {
new { file = ".gitleaks.toml" }
}


P2 Missing gitleaks config file variants in project_indicators

Gitleaks v8 supports multiple configuration file formats: .gitleaks.toml, .gitleaks.yaml, .gitleaks.yml, gitleaks.toml, gitleaks.yaml, and gitleaks.yml. Currently only .gitleaks.toml is listed as a project_indicators entry, so the builtin won't be auto-detected for users who configure gitleaks with any of the other supported formats.

Consider adding the other variants:

project_indicators {
  new { file = ".gitleaks.toml" }
  new { file = ".gitleaks.yaml" }
  new { file = ".gitleaks.yml" }
  new { file = "gitleaks.toml" }
}

Comment thread pkl/builtins/gitleaks.pkl
}
gitleaks = new Config.Step {
types = List("text")
// Reference: https://github.com/gitleaks/gitleaks/blob/v8.30.1/.pre-commit-hooks.yaml#L4


P2 gitleaks dir vs gitleaks git --pre-commit --staged

The referenced URL points to gitleaks' .pre-commit-hooks.yaml at v8.30.1 (line 4). However, gitleaks' current official pre-commit hook (on master) uses gitleaks git --pre-commit --redact --staged --verbose with pass_filenames: false — not gitleaks dir. The key semantic difference is:

  • gitleaks dir {{ files }} scans the working-tree content of the staged file paths.
  • gitleaks git --pre-commit --staged reads directly from the git index, so it catches exactly what is being committed.

In a partial-staging scenario (e.g., git add -p), gitleaks dir will scan the working-tree version of the file, which may contain additional unstaged changes. This can produce false positives (blocking a commit because of a secret that isn't actually staged) or false negatives (if the secret is only in the staged diff but the working-tree copy differs).

It's worth confirming whether the v8.30.1 tag still recommended gitleaks dir for this use case, or whether gitleaks git --pre-commit --staged would be more appropriate here.
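The two review comments above (the Gemini note on `--staged` scope and the Greptile note on `gitleaks dir` versus `gitleaks git --pre-commit --staged`) both turn on the same mechanic: the index copy of a file and the on-disk copy can differ. The following Python is an added illustration of that mechanic, not code from hk, gitleaks, or this PR. It uses a deliberately small regex as a stand-in for gitleaks' AWS access-key rule, Amazon's documented example key ID rather than a real credential, and constructed strings in place of what `git show :foo.txt` (index copy) and `cat foo.txt` (working tree) would return in a real hook.

```python
"""Added illustration: why a working-tree scan and a git-index scan can
disagree on a partially staged file. Not hk's or gitleaks' own code; the
scanner and all inputs are constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Simplified stand-in for gitleaks' AWS access-key-ID rule (assumption: the
# real rule set is larger and tuned; this is enough to show the mechanics).
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Amazon's documented example access key ID, not a live credential.
EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"


def redact(secret: str) -> str:
    """Mimic --redact: keep a short prefix so a finding is recognisable
    without copying the credential into hook output or CI logs."""
    return secret[:4] + "*" * (len(secret) - 4)


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    secret: str

    @property
    def redacted(self) -> str:
        return redact(self.secret)


def scan(content: str) -> list[Finding]:
    """Scan one snapshot of a file (the index copy or the on-disk copy)."""
    findings: list[Finding] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(lineno, "aws-access-key", m.group(1)))
    return findings


def compare(staged: str, worktree: str) -> dict:
    """Compare what a working-tree scan (gitleaks dir on the file path) and
    an index scan (gitleaks git --staged, i.e. the blob `git show :path`
    returns) would each see. In a real hook both snapshots come from git;
    here they are passed in as strings."""
    staged_secrets = {f.secret for f in scan(staged)}
    tree_secrets = {f.secret for f in scan(worktree)}
    return {
        "dir_mode_blocks": bool(tree_secrets),
        "staged_mode_blocks": bool(staged_secrets),
        # On disk but not in the commit: dir mode blocks a clean commit.
        "false_positive_in_dir_mode": sorted(
            redact(s) for s in tree_secrets - staged_secrets),
        # In the commit but already gone from disk: dir mode lets it through.
        "false_negative_in_dir_mode": sorted(
            redact(s) for s in staged_secrets - tree_secrets),
    }


# Constructed scenario 1: `git add foo.txt` of a clean file, then the
# developer pastes a key into foo.txt without staging that edit.
STAGED_CLEAN = "aws_key = os.environ['AWS_ACCESS_KEY_ID']\n"
WORKTREE_WITH_SECRET = f"aws_key = '{EXAMPLE_KEY}'  # TODO remove before push\n"

# Constructed scenario 2: the key was staged, then deleted from disk without
# running `git add` again, so the index blob still carries it.
STAGED_WITH_SECRET = WORKTREE_WITH_SECRET
WORKTREE_CLEAN = STAGED_CLEAN


if __name__ == "__main__":
    for label, staged, tree in [
        ("unstaged secret on disk", STAGED_CLEAN, WORKTREE_WITH_SECRET),
        ("staged secret removed from disk", STAGED_WITH_SECRET, WORKTREE_CLEAN),
    ]:
        print(label, compare(staged, tree))
```

Scenario 2 is the one that matters for a secret scanner: the commit carries the key while the file on disk does not, so a working-tree scan reports nothing. Scenario 1 only over-blocks. In a real hook the index snapshot is what `git show :foo.txt` prints, which is why the index-reading mode catches exactly what is being committed.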

@jdx jdx merged commit 6092d31 into jdx:main Apr 1, 2026
21 checks passed
@jdx jdx mentioned this pull request Apr 1, 2026
jdx added a commit that referenced this pull request Apr 1, 2026
### 🚀 Features

- **(betterleaks)** add betterleaks config to hk builtin config by
[@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in
[#750](#750)
- **(builtins)** add google-java-format to builtins by
[@timothysparg](https://github.com/timothysparg) in
[#777](#777)
- **(builtins)** add dclint to builtins by
[@timothysparg](https://github.com/timothysparg) in
[#779](#779)
- **(config)** set default value for exclude to List() by
[@timothysparg](https://github.com/timothysparg) in
[#781](#781)
- **(core)** add required field to prevent unconfigured steps from
running by [@timothysparg](https://github.com/timothysparg) in
[#785](#785)
- **(gitleaks)** add gitleaks config to hk builtin config by
[@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in
[#749](#749)
- **(mdschema)** add mdschema config to hk builtin config by
[@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in
[#748](#748)
- **(pkl)** add pklr as opt-in pkl backend by
[@jdx](https://github.com/jdx) in
[#769](#769)
- add pklr as opt-in pkl backend by [@jdx](https://github.com/jdx) in
[#768](#768)

### 🐛 Bug Fixes

- **(docs)** replace invalid /latest/ pkl package URIs with versioned
format by [@jdx](https://github.com/jdx) in
[#770](#770)
- **(stage)** do not stage pre-existing untracked files by
[@jdx](https://github.com/jdx) in
[#788](#788)

### 📚 Documentation

- add benchmarks page and reproducible benchmark suite by
[@jdx](https://github.com/jdx) in
[#766](#766)
- add recommended setup section to mise integration by
[@timothysparg](https://github.com/timothysparg) in
[#780](#780)

### 📦️ Dependency Updates

- lock file maintenance by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#762](#762)
- update rust crate pklr to 0.4 by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#776](#776)
- update apple-actions/import-codesign-certs digest to fe74d46 by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#774](#774)
- update anthropics/claude-code-action digest to 094bd24 by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#773](#773)
- update taiki-e/upload-rust-binary-action digest to 0e34102 by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#775](#775)
- bump usage to 3.2.0 and pkl to 0.31.1, add windows platforms by
[@jdx](https://github.com/jdx) in
[#787](#787)
- lock file maintenance by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#786](#786)

### New Contributors

- @timothysparg made their first contribution in
[#781](#781)

---

> [!NOTE]
> **Medium Risk**
> Primarily a version/documentation bump, but it also updates the Rust
dependency lockfile (e.g., `hyper` and `windows-sys`), which could
introduce build/runtime regressions.
> 
> **Overview**
> Bumps hk to **v1.40.0** and publishes the corresponding release notes
in `CHANGELOG.md`.
> 
> Updates generated CLI/docs and all Pkl package URL references in
docs/examples to point at `v1.40.0`, and refreshes `Cargo.lock` with
dependency updates/removals consistent with the new release.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
da00ab8. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: mise-en-dev <123107610+mise-en-dev@users.noreply.github.com>
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Apr 2, 2026
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [hk](https://github.com/jdx/hk) | minor | `1.39.0` → `1.40.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>jdx/hk (hk)</summary>

### [`v1.40.0`](https://github.com/jdx/hk/blob/HEAD/CHANGELOG.md#1400---2026-04-01)

[Compare Source](jdx/hk@v1.39.0...v1.40.0)

##### 🚀 Features

- **(betterleaks)** add betterleaks config to hk builtin config by [@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in [#750](jdx/hk#750)
- **(builtins)** add google-java-format to builtins by [@timothysparg](https://github.com/timothysparg) in [#777](jdx/hk#777)
- **(builtins)** add dclint to builtins by [@timothysparg](https://github.com/timothysparg) in [#779](jdx/hk#779)
- **(config)** set default value for exclude to List() by [@timothysparg](https://github.com/timothysparg) in [#781](jdx/hk#781)
- **(core)** add required field to prevent unconfigured steps from running by [@timothysparg](https://github.com/timothysparg) in [#785](jdx/hk#785)
- **(gitleaks)** add gitleaks config to hk builtin config by [@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in [#749](jdx/hk#749)
- **(mdschema)** add mdschema config to hk builtin config by [@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in [#748](jdx/hk#748)
- **(pkl)** add pklr as opt-in pkl backend by [@jdx](https://github.com/jdx) in [#769](jdx/hk#769)
- add pklr as opt-in pkl backend by [@jdx](https://github.com/jdx) in [#768](jdx/hk#768)

##### 🐛 Bug Fixes

- **(docs)** replace invalid /latest/ pkl package URIs with versioned format by [@jdx](https://github.com/jdx) in [#770](jdx/hk#770)
- **(stage)** do not stage pre-existing untracked files by [@jdx](https://github.com/jdx) in [#788](jdx/hk#788)

##### 📚 Documentation

- add benchmarks page and reproducible benchmark suite by [@jdx](https://github.com/jdx) in [#766](jdx/hk#766)
- add recommended setup section to mise integration by [@timothysparg](https://github.com/timothysparg) in [#780](jdx/hk#780)

##### 📦️ Dependency Updates

- lock file maintenance by [@renovate[bot]](https://github.com/renovate[bot]) in [#762](jdx/hk#762)
- update rust crate pklr to 0.4 by [@renovate[bot]](https://github.com/renovate[bot]) in [#776](jdx/hk#776)
- update apple-actions/import-codesign-certs digest to [`fe74d46`](jdx/hk@fe74d46) by [@renovate[bot]](https://github.com/renovate[bot]) in [#774](jdx/hk#774)
- update anthropics/claude-code-action digest to [`094bd24`](jdx/hk@094bd24) by [@renovate[bot]](https://github.com/renovate[bot]) in [#773](jdx/hk#773)
- update taiki-e/upload-rust-binary-action digest to [`0e34102`](jdx/hk@0e34102) by [@renovate[bot]](https://github.com/renovate[bot]) in [#775](jdx/hk#775)
- bump usage to 3.2.0 and pkl to 0.31.1, add windows platforms by [@jdx](https://github.com/jdx) in [#787](jdx/hk#787)
- lock file maintenance by [@renovate[bot]](https://github.com/renovate[bot]) in [#786](jdx/hk#786)

##### New Contributors

- [@timothysparg](https://github.com/timothysparg) made their first contribution in [#781](jdx/hk#781)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
@hituzi-no-sippo hituzi-no-sippo deleted the feat/add-gitleaks-builtin branch May 7, 2026 21:54