
feat(betterleaks): add betterleaks config to hk builtin config#750

Merged: jdx merged 1 commit into jdx:main from hituzi-no-sippo:feat/add-betterleaks-builtin (Apr 1, 2026)

Conversation

@hituzi-no-sippo (Contributor)

Add betterleaks as a new builtin secret scanner.

@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces the 'betterleaks' secret scanner into the system's built-in configurations. The change provides a new, configurable, and fast option for identifying secrets within projects, thereby strengthening security posture by expanding the range of available scanning tools.

Highlights

  • New Secret Scanner Integration: Integrated 'betterleaks' as a new builtin secret scanner, enhancing the system's capability to detect sensitive information.
  • Pkl Configuration Added: A new Pkl configuration file (pkl/builtins/betterleaks.pkl) was added, defining the metadata, check command, and tests for the betterleaks scanner.
  • Tool Stub Created: A tool stub (test/builtin_tool_stubs/betterleaks) was added to define the version and tool source for betterleaks, facilitating its execution.


gemini-code-assist (Bot) left a comment


Code Review

This pull request introduces betterleaks as a new built-in secret scanner. The configuration is well-structured, including appropriate project indicators and tests. However, I've identified a potential issue in the check command which uses a flag specific to the pre-commit framework. This could lead to incorrect behavior when run via hk. My review includes a suggestion to rectify this for robust integration.

Comment thread on pkl/builtins/betterleaks.pkl (Outdated)
betterleaks = new Config.Step {
types = List("text")
// Source: https://github.com/betterleaks/betterleaks/blob/v1.1.1/.pre-commit-hooks.yaml#L4
check = "betterleaks git --pre-commit --redact --staged --verbose --no-banner"
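Review bot: `--staged` on the `check` line limits this step to content staged for the current commit, so a secret that already exists in the repository history is not revisited by this hook; note in the step description or PR body that a one-time full-history scan is still needed to baseline an existing repository. Keep `--redact` alongside `--verbose` on the same line so that findings printed to the hook output show the match location without echoing the secret value itself.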

Severity: high

The --pre-commit flag is designed for use with the pre-commit framework, as it relies on environment variables (e.g., PRE_COMMIT_FROM_REF, PRE_COMMIT_TO_REF) that the framework sets to determine the range of commits to scan.

Since hk is a separate tool and does not set these variables, using this flag can cause betterleaks to default to a different scanning behavior (like scanning all of HEAD), which is not the intention. The --staged flag is sufficient to correctly scan only the staged files, which is the desired behavior in a pre-commit context with hk.

  check = "betterleaks git --redact --staged --verbose --no-banner"

Add [betterleaks](https://github.com/betterleaks/betterleaks) as a new
builtin secret scanner for detecting hardcoded secrets like API keys and
credentials in source code.

- Category: Secrets
- Detects project via `.gitleaks.toml` or `.betterleaks.toml`
- Runs as a pre-commit check with `--staged --redact --verbose`
- Includes tests for AWS key detection and clean file validation

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
hituzi-no-sippo force-pushed the feat/add-betterleaks-builtin branch from f8fa050 to e5c35a7 on April 1, 2026 00:50
hituzi-no-sippo marked this pull request as ready for review on April 1, 2026 10:51
greptile-apps (Bot) commented Apr 1, 2026

Greptile Summary

This PR adds betterleaks as a new builtin secrets scanner configuration for hk, following the same conventions as other builtins (PKL config + tool stub). The implementation is clean and well-structured — it includes a proper Secrets category, two tests derived from betterleaks' own testdata, and a pinned tool stub at v1.1.1.

Key changes:

  • pkl/builtins/betterleaks.pkl — new builtin using betterleaks dir --redact --verbose --no-banner {{ files }} as the check command, scoped to types = List("text") files
  • test/builtin_tool_stubs/betterleaks — test stub pinning betterleaks v1.1.1 via aqua:betterleaks/betterleaks

Issue found:

  • The project_indicators list includes .gitleaks.toml alongside .betterleaks.toml. Since .gitleaks.toml is the native config file for gitleaks (a distinct, widely-used secrets scanner), this will cause hk to suggest/activate betterleaks in any project that is already using gitleaks — likely the opposite of what users expect. Only .betterleaks.toml should be used as the project indicator.

Confidence Score: 4/5

Safe to merge after resolving the .gitleaks.toml project indicator issue, which would cause betterleaks to be incorrectly activated in gitleaks-based projects.

The PR is well-structured and follows all established patterns. The single P1 finding — including .gitleaks.toml as a project indicator — would lead to a confusing user experience by activating betterleaks in projects that use gitleaks but not betterleaks. All other aspects (command, tests, stub, category) are correct and consistent with existing builtins.

pkl/builtins/betterleaks.pkl — specifically the project_indicators block at line 9.

Important Files Changed

Filename Overview
pkl/builtins/betterleaks.pkl Adds betterleaks builtin config with Secrets category, text-file scoping, and two tests; includes .gitleaks.toml as a project indicator alongside .betterleaks.toml, which may inadvertently activate betterleaks in gitleaks-based projects.
test/builtin_tool_stubs/betterleaks Adds a test stub pinning betterleaks to v1.1.1 via aqua; follows the same format as all other stubs in the directory.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[hk pre-commit hook triggered] --> B{betterleaks step\nproject_indicators match?}
    B -- ".gitleaks.toml present\nOR .betterleaks.toml present" --> C[Step activated]
    B -- Neither file found --> D[Step skipped]
    C --> E{Staged files\nmatching types=text?}
    E -- None --> F[Step skipped: no files to process]
    E -- Files found --> G["betterleaks dir --redact --verbose --no-banner {{ files }}"]
    G --> H{Exit code}
    H -- 0 --> I[✅ Check passed — no secrets found]
    H -- non-zero --> J[❌ Check failed — secrets detected]

Reviews (1): last reviewed commit "feat(betterleaks): add betterleaks confi..."

category = "Secrets"
description = "A Better Secrets Scanner built for configurability and speed"
project_indicators {
new { file = ".gitleaks.toml" }

P1: .gitleaks.toml as a project indicator for betterleaks is misleading

.gitleaks.toml is the native configuration file for gitleaks, a separate (and more widely deployed) secrets scanner. Listing it as a project_indicator for betterleaks means hk will suggest/activate betterleaks in any repo that is already using gitleaks, which is likely the opposite of the intended behavior. Users who have .gitleaks.toml are typically running gitleaks, not betterleaks, and would be surprised to see betterleaks activated.

Even though betterleaks is advertised as compatible with the gitleaks config format, the mere presence of .gitleaks.toml is a stronger signal that gitleaks is in use rather than betterleaks.

Consider removing .gitleaks.toml from project_indicators and keeping only .betterleaks.toml:

Suggested change
new { file = ".gitleaks.toml" }
new { file = ".betterleaks.toml" }

jdx merged commit b3054a6 into jdx:main on Apr 1, 2026
20 checks passed
jdx mentioned this pull request on Apr 1, 2026
jdx added a commit that referenced this pull request on Apr 1, 2026
### 🚀 Features

- **(betterleaks)** add betterleaks config to hk builtin config by
[@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in
[#750](#750)
- **(builtins)** add google-java-format to builtins by
[@timothysparg](https://github.com/timothysparg) in
[#777](#777)
- **(builtins)** add dclint to builtins by
[@timothysparg](https://github.com/timothysparg) in
[#779](#779)
- **(config)** set default value for exclude to List() by
[@timothysparg](https://github.com/timothysparg) in
[#781](#781)
- **(core)** add required field to prevent unconfigured steps from
running by [@timothysparg](https://github.com/timothysparg) in
[#785](#785)
- **(gitleaks)** add gitleaks config to hk builtin config by
[@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in
[#749](#749)
- **(mdschema)** add mdschema config to hk builtin config by
[@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in
[#748](#748)
- **(pkl)** add pklr as opt-in pkl backend by
[@jdx](https://github.com/jdx) in
[#769](#769)
- add pklr as opt-in pkl backend by [@jdx](https://github.com/jdx) in
[#768](#768)

### 🐛 Bug Fixes

- **(docs)** replace invalid /latest/ pkl package URIs with versioned
format by [@jdx](https://github.com/jdx) in
[#770](#770)
- **(stage)** do not stage pre-existing untracked files by
[@jdx](https://github.com/jdx) in
[#788](#788)

### 📚 Documentation

- add benchmarks page and reproducible benchmark suite by
[@jdx](https://github.com/jdx) in
[#766](#766)
- add recommended setup section to mise integration by
[@timothysparg](https://github.com/timothysparg) in
[#780](#780)

### 📦️ Dependency Updates

- lock file maintenance by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#762](#762)
- update rust crate pklr to 0.4 by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#776](#776)
- update apple-actions/import-codesign-certs digest to fe74d46 by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#774](#774)
- update anthropics/claude-code-action digest to 094bd24 by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#773](#773)
- update taiki-e/upload-rust-binary-action digest to 0e34102 by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#775](#775)
- bump usage to 3.2.0 and pkl to 0.31.1, add windows platforms by
[@jdx](https://github.com/jdx) in
[#787](#787)
- lock file maintenance by
[@renovate[bot]](https://github.com/renovate[bot]) in
[#786](#786)

### New Contributors

- @timothysparg made their first contribution in
[#781](#781)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Primarily a version/documentation bump, but it also updates the Rust
> dependency lockfile (e.g., `hyper` and `windows-sys`), which could
> introduce build/runtime regressions.
> 
> **Overview**
> Bumps hk to **v1.40.0** and publishes the corresponding release notes
> in `CHANGELOG.md`.
> 
> Updates generated CLI/docs and all Pkl package URL references in
> docs/examples to point at `v1.40.0`, and refreshes `Cargo.lock` with
> dependency updates/removals consistent with the new release.
> 
> <sup>Written by [Cursor
> Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
> da00ab8. This will update automatically
> on new commits. Configure
> [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: mise-en-dev <123107610+mise-en-dev@users.noreply.github.com>
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Apr 2, 2026
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [hk](https://github.com/jdx/hk) | minor | `1.39.0` → `1.40.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>jdx/hk (hk)</summary>

### [`v1.40.0`](https://github.com/jdx/hk/blob/HEAD/CHANGELOG.md#1400---2026-04-01)

[Compare Source](jdx/hk@v1.39.0...v1.40.0)

##### 🚀 Features

- **(betterleaks)** add betterleaks config to hk builtin config by [@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in [#750](jdx/hk#750)
- **(builtins)** add google-java-format to builtins by [@timothysparg](https://github.com/timothysparg) in [#777](jdx/hk#777)
- **(builtins)** add dclint to builtins by [@timothysparg](https://github.com/timothysparg) in [#779](jdx/hk#779)
- **(config)** set default value for exclude to List() by [@timothysparg](https://github.com/timothysparg) in [#781](jdx/hk#781)
- **(core)** add required field to prevent unconfigured steps from running by [@timothysparg](https://github.com/timothysparg) in [#785](jdx/hk#785)
- **(gitleaks)** add gitleaks config to hk builtin config by [@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in [#749](jdx/hk#749)
- **(mdschema)** add mdschema config to hk builtin config by [@hituzi-no-sippo](https://github.com/hituzi-no-sippo) in [#748](jdx/hk#748)
- **(pkl)** add pklr as opt-in pkl backend by [@jdx](https://github.com/jdx) in [#769](jdx/hk#769)
- add pklr as opt-in pkl backend by [@jdx](https://github.com/jdx) in [#768](jdx/hk#768)

##### 🐛 Bug Fixes

- **(docs)** replace invalid /latest/ pkl package URIs with versioned format by [@jdx](https://github.com/jdx) in [#770](jdx/hk#770)
- **(stage)** do not stage pre-existing untracked files by [@jdx](https://github.com/jdx) in [#788](jdx/hk#788)

##### 📚 Documentation

- add benchmarks page and reproducible benchmark suite by [@jdx](https://github.com/jdx) in [#766](jdx/hk#766)
- add recommended setup section to mise integration by [@timothysparg](https://github.com/timothysparg) in [#780](jdx/hk#780)

##### 📦️ Dependency Updates

- lock file maintenance by [@renovate\[bot\]](https://github.com/renovate\[bot]) in [#762](jdx/hk#762)
- update rust crate pklr to 0.4 by [@renovate\[bot\]](https://github.com/renovate\[bot]) in [#776](jdx/hk#776)
- update apple-actions/import-codesign-certs digest to [`fe74d46`](jdx/hk@fe74d46) by [@renovate\[bot\]](https://github.com/renovate\[bot]) in [#774](jdx/hk#774)
- update anthropics/claude-code-action digest to [`094bd24`](jdx/hk@094bd24) by [@renovate\[bot\]](https://github.com/renovate\[bot]) in [#773](jdx/hk#773)
- update taiki-e/upload-rust-binary-action digest to [`0e34102`](jdx/hk@0e34102) by [@renovate\[bot\]](https://github.com/renovate\[bot]) in [#775](jdx/hk#775)
- bump usage to 3.2.0 and pkl to 0.31.1, add windows platforms by [@jdx](https://github.com/jdx) in [#787](jdx/hk#787)
- lock file maintenance by [@renovate\[bot\]](https://github.com/renovate\[bot]) in [#786](jdx/hk#786)

##### New Contributors

- [@timothysparg](https://github.com/timothysparg) made their first contribution in [#781](jdx/hk#781)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).