feat: use gitleaks in pre-commit hook (hyperlane-xyz#5419)

### Description Add [gitleaks](https://github.com/gitleaks/gitleaks) to pre-commit hook with custom patterns for known RPC providers. Note, this will require every contributor to have `gitleaks` installed on their machine akin to `yq` or `jq`. ### Drive-by changes  ### Related issues  ### Backward compatibility  ### Testing example of success: ``` git commit -m "feat: use gitleaks in pre-commit" 🔍 Checking for potential secrets in staged files... ○ │╲ │ ○ ○ ░ ░ gitleaks 2:47PM INF 1 commits scanned. 2:47PM INF scanned ~2224 bytes (2.22 KB) in 9.89ms 2:47PM INF no leaks found ✅ No secrets detected gs→ No staged files match any configured task. 📝 If you haven't yet, please add a changeset for your changes via 'yarn changeset' [pb/gitleaks 1b06f73] feat: use gitleaks in pre-commit 2 files changed, 98 insertions(+) create mode 100644 .gitleaks.toml ``` example of failure if we're leaking secrets: ``` git commit -m "x" 🔍 Checking for potential secrets in staged files... ○ │╲ │ ○ ○ ░ ░ gitleaks Finding: REDACTED Secret: REDACTED RuleID: alchemy-api-key Entropy: 5.141622 Tags: [key Alchemy] File: README.md Line: 13 Fingerprint: README.md:alchemy-api-key:13 Finding: REDACTED Secret: REDACTED RuleID: alchemy-api-key Entropy: 4.987016 Tags: [key Alchemy] File: README.md Line: 28 Fingerprint: README.md:alchemy-api-key:28 Finding: REDACTED Secret: REDACTED RuleID: ankr-api-key Entropy: 4.620332 Tags: [key Ankr] File: README.md Line: 14 Fingerprint: README.md:ankr-api-key:14 Finding: REDACTED Secret: REDACTED RuleID: ankr-api-key Entropy: 4.660415 Tags: [key Ankr] File: README.md Line: 24 Fingerprint: README.md:ankr-api-key:24 Finding: REDACTED Secret: REDACTED RuleID: tenderly-api-key Entropy: 4.877531 Tags: [key Tenderly] File: README.md Line: 15 Fingerprint: README.md:tenderly-api-key:15 Finding: REDACTED Secret: REDACTED RuleID: tenderly-api-key Entropy: 4.848919 Tags: [key Tenderly] File: README.md Line: 29 Fingerprint: README.md:tenderly-api-key:29 Finding: REDACTED Secret: REDACTED RuleID: quicknode-api-key Entropy: 4.936234 Tags: [key QuickNode] File: README.md Line: 16 Fingerprint: README.md:quicknode-api-key:16 Finding: REDACTED Secret: REDACTED RuleID: quicknode-api-key Entropy: 4.914179 Tags: [key QuickNode] File: README.md Line: 27 Fingerprint: README.md:quicknode-api-key:27 Finding: REDACTED Secret: REDACTED RuleID: drpc-api-key Entropy: 5.226190 Tags: [key DRPC] File: README.md Line: 17 Fingerprint: README.md:drpc-api-key:17 Finding: REDACTED Secret: REDACTED RuleID: drpc-api-key Entropy: 5.264358 Tags: [key DRPC] File: README.md Line: 26 Fingerprint: README.md:drpc-api-key:26 Finding: REDACTED Secret: REDACTED RuleID: dwellir-api-key Entropy: 4.688474 Tags: [key Dwellir] File: README.md Line: 18 Fingerprint: README.md:dwellir-api-key:18 Finding: REDACTED Secret: REDACTED RuleID: dwellir-api-key Entropy: 4.682899 Tags: [key Dwellir] File: README.md Line: 22 Fingerprint: README.md:dwellir-api-key:22 Finding: REDACTED Secret: REDACTED RuleID: startale-api-key Entropy: 4.937024 Tags: [key Startale] File: README.md Line: 19 Fingerprint: README.md:startale-api-key:19 Finding: REDACTED Secret: REDACTED RuleID: startale-api-key Entropy: 5.050642 Tags: [key Startale] File: README.md Line: 23 Fingerprint: README.md:startale-api-key:23 Finding: REDACTED Secret: REDACTED RuleID: grove-city-api-key Entropy: 4.653059 Tags: [key Grove City] File: README.md Line: 20 Fingerprint: README.md:grove-city-api-key:20 Finding: REDACTED Secret: REDACTED RuleID: grove-city-api-key Entropy: 4.612185 Tags: [key Grove City] File: README.md Line: 25 Fingerprint: README.md:grove-city-api-key:25 2:46PM INF 1 commits scanned. 2:46PM INF scanned ~1322 bytes (1.32 KB) in 11ms 2:46PM WRN leaks found: 16 ❌ Potential secrets detected in your changes! Please remove any secrets, credentials, or sensitive information before committing. husky - pre-commit hook exited with code 1 (error) ```
Tessellated-io · Feb 10, 2025 · f32da00 · f32da00
1 parent 4adeb2a
commit f32da00
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 0 deletions.
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,88 @@
+# Global allowlist
+[allowlist]
+paths = [
+    '''node_modules''',
+    '''.git'''
+]
+
+# Custom rules
+[[rules]]
+id = "alchemy-api-key"
+description = "Alchemy API Key"
+regex = '''https://[a-zA-Z0-9-]+\.g\.alchemy\.com/v2/[a-zA-Z0-9_-]+'''
+keywords = [
+    "alchemy",
+    "alchemy.com"
+]
+tags = ["key", "Alchemy"]
+
+[[rules]]
+id = "ankr-api-key"
+description = "Ankr API Key"
+regex = '''https://rpc\.ankr\.com/[a-zA-Z0-9_-]+/[a-zA-Z0-9_-]+'''
+keywords = [
+    "ankr",
+    "rpc.ankr.com"
+]
+tags = ["key", "Ankr"]
+
+
+[[rules]]
+id = "tenderly-api-key"
+description = "Tenderly API Key"
+regex = '''https://[a-zA-Z0-9-]+\.gateway\.tenderly\.co/[a-zA-Z0-9_-]+'''
+keywords = [
+    "tenderly",
+    "gateway.tenderly.co"
+]
+tags = ["key", "Tenderly"]
+
+[[rules]]
+id = "quicknode-api-key"
+description = "QuickNode API Key"
+regex = '''https://[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+\.quiknode\.pro/[a-zA-Z0-9]+'''
+keywords = [
+    "quiknode",
+    "quiknode.pro"
+]
+tags = ["key", "QuickNode"]
+
+[[rules]]
+id = "drpc-api-key"
+description = "DRPC API Key"
+regex = '''https://lb\.drpc\.org/[a-zA-Z0-9]+\?.*dkey=[a-zA-Z0-9]+'''
+keywords = [
+    "drpc",
+    "drpc.org"
+]
+tags = ["key", "DRPC"]
+
+[[rules]]
+id = "dwellir-api-key"
+description = "Dwellir API Key"
+regex = '''https://api-.*\.dwellir\.com/[a-zA-Z0-9-]+'''
+keywords = [
+    "dwellir",
+    "dwellir.com"
+]
+tags = ["key", "Dwellir"]
+
+[[rules]]
+id = "startale-api-key"
+description = "Startale API Key"
+regex = '''https://[a-zA-Z0-9.-]+\.startale\.com.*\?apikey=[a-zA-Z0-9]+'''
+keywords = [
+    "startale",
+    "startale.com"
+]
+tags = ["key", "Startale"]
+
+[[rules]]
+id = "grove-city-api-key"
+description = "Grove City API Key"
+regex = '''https://[a-zA-Z0-9-]+\.rpc\.grove\.city/v1/[a-zA-Z0-9]+'''
+keywords = [
+    "grove",
+    "grove.city"
+]
+tags = ["key", "Grove City"]
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -1,6 +1,16 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
+# Check for potential secrets in staged files
+echo "🔍 Checking for potential secrets in staged files..."
+if git diff --cached --name-only | xargs gitleaks protect --staged --verbose --redact --config .gitleaks.toml; then
+    echo "✅ No secrets detected"
+else
+    echo "❌ Potential secrets detected in your changes!"
+    echo "Please remove any secrets, credentials, or sensitive information before committing."
+    exit 1
+fi
+
 yarn lint-staged
 
 echo "📝 If you haven't yet, please add a changeset for your changes via 'yarn changeset'"

diff --git a/README.md b/README.md
@@ -32,6 +32,10 @@ To read more about interchain applications, how the protocol works, and how to i
 
 You need `jq` installed on your machine. You can download it from [official page](https://jqlang.github.io/jq/download/) or use a package manager of your choice.
 
+#### Install `gitleaks`
+
+You need `gitleaks` installed on your machine. You can download it from [official page](https://github.com/gitleaks/gitleaks) or use a package manager of your choice.
+
 #### Foundry
 
 First ensure you have Foundry installed on your machine.