Wisdom/fix/gitleaks

.githooks/pre-commit

@@ -0,0 +1,48 @@
+#!/bin/sh
+echo "Running Gitleaks pre-commit scan on staged changes (Server Settings)..."
+
+mkdir -p .gitleaks_out
+touch .gitleaks_out/gitleaks-precommit.json
+
+# Prefer local gitleaks if available, fallback to Docker
+if command -v gitleaks >/dev/null 2>&1; then
+  echo "⚡ Using local gitleaks binary"
+  SCAN_CMD="gitleaks detect \
+    --pipe \
+    --config=gitleaks.toml \
+    --report-format=json \
+    --report-path=.gitleaks_out/gitleaks-precommit.json \
+    --no-banner"
+else
+  echo "Local gitleaks not found, using Docker fallback"
+  SCAN_CMD="docker run --rm -i -v \"$(pwd)\":/repo ghcr.io/gitleaks/gitleaks:v8.28.0 detect \
+    --pipe \
+    --config=/repo/gitleaks.toml \
+    --report-format=json \
+    --report-path=/repo/.gitleaks_out/gitleaks-precommit.json \
+    --no-banner"
+fi
+
+# Run scan on staged diff only
+git diff --cached --unified=0 --no-color \
+  | grep '^+' \
+  | grep -v '^+++' \
+  | sh -c "$SCAN_CMD"
+status=$?
+if [ $status -ne 0 ]; then
+  echo "Possible secrets detected in staged changes!"
+  echo "   See .gitleaks_out/gitleaks-precommit.json for details."
+  echo ""
+  echo "Commit aborted."
+  echo ""
+  echo "Reminder: Do NOT bypass with 'git commit --no-verify'."
+  echo "CI will still block your PR even if you bypass locally."
+  echo ""
+  echo "If this secret is actually required in the repo (false positive or approved usage),"
+  echo "you MUST meet with the CTO / Team Lead / DevOps to approve"
+  echo "and add it to the gitleaks ignore list."
+  exit 1
+fi
+
+echo "No secrets found. Commit allowed."
+exit 0

.github/workflows/security.yml

@@ -0,0 +1,18 @@
+name: Security Scan
+
+on:
+  pull_request:
+    branches:
+      - Dev
+      - dev-1
+  push:
+    branches:
+      - Dev
+      - dev-1
+
+jobs:
+  gitleaks:
+    name: Run Gitleaks Scan
+    uses: peer-network/peer_global_security/.github/workflows/gitleaks.yml@main
+    with:
+      config: gitleaks.toml

.gitignore

@@ -3,4 +3,5 @@ secrets.auto.tfvars
 clouds.yaml
 *.tfstate
 peer_network.yaml
-terraform.tfstate*
+terraform.tfstate*
+.gitleaks_out/

README_gitleaks.md

@@ -0,0 +1,73 @@
+# 🔒 Gitleaks Pre-Commit Hook (Sever Settings)
+
+This repository uses **[Gitleaks](https://github.com/gitleaks/gitleaks)** to prevent secrets (API keys, passwords, tokens, etc.) from being committed.
+
+---
+
+## 🚀 Setup
+
+Run the setup script once:
+
+```bash
+chmod +x setup-hooks.sh
+./setup-hooks.sh
+```
+
+This will:
+
+- Configure Git to use .githooks/ as the hooks directory.
+- Make .githooks/pre-commit executable.
+- Ensure gitleaks is installed (v8.28.0).
+
+If missing, the script will download the correct binary for your OS/architecture.
+
+Confirm the hook is ready.
+
+🛡️ Pre-Commit Scan
+On every git commit, the hook will:
+
+- Run a Gitleaks scan on staged changes only.
+- Block the commit if potential secrets are detected.
+- Write results to .gitleaks_out/gitleaks-precommit.json.
+
+If a commit is blocked:
+
+- Check .gitleaks_out/gitleaks-precommit.json for details.
+- Remove or mask the secret before retrying.
+
+Do not bypass with git commit --no-verify — CI will still block your PR.
+
+---
+
+###
+
+Docker Fallback
+
+If a local Gitleaks binary is missing, the pre-commit hook will fall back to Docker:
+
+docker run --rm -i -v "$(pwd)":/repo ghcr.io/gitleaks/gitleaks:v8.28.0 detect ...
+
+---
+
+###
+✅ Verifying Installation
+To check that everything is set up correctly:
+
+```
+gitleaks version
+```
+# should print: 8.28.0
+
+---
+
+###
+🧹 Ignore False Positives
+If Gitleaks flags something that is not a real secret:
+
+Talk to your Team Lead / DevOps.
+
+They can add an exception to gitleaks.toml.
+
+With this setup, secrets are scanned locally before every commit and again in CI, ensuring strong security across the repo. 🔐
+
+Gitleaks is set 🚀 

gitleaks.toml

@@ -0,0 +1,44 @@
+title = "Peer Server Settings Gitleaks Config"
+
+[[rules]]
+id = "infra-catch-common-secrets"
+description = "Catch common infrastructure secrets (Terraform, Grafana, Loki, Prometheus, SSH, API keys)"
+regex = '''(?i)(ghp_[0-9A-Za-z]{36}|github_pat_[0-9A-Za-z_]{20,}|glpat-[0-9A-Za-z\-_]{20}|AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}|[A-Za-z0-9]{20,}:[A-Za-z0-9+/]{40,}|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9._-]+\.[A-Za-z0-9._-]+|-----BEGIN( RSA| DSA| EC| OPENSSH)? PRIVATE KEY-----|token\s*=\s*["'][A-Za-z0-9_\-]{10,}["']|password\s*=\s*["'][^"']{6,}["'])'''
+tags = ["key", "secret", "terraform", "infrastructure"]
+
+[[rules]]
+id = "infra-entropy-catch-all"
+description = "Catch high-entropy strings for unknown secrets (Terraform, YAML, JSON, env)"
+regex = '''[A-Za-z0-9\+=!@#$%^&*._-]{30,}'''
+entropy = 4.0
+tags = ["key", "secret", "terraform", "infrastructure"]
+
+[[rules]]
+id = "grafana-api-tokens"
+description = "Detect Grafana, Loki, or Prometheus API tokens"
+regex = '''(?i)(grafana[_-]api[_-]?key\s*[:=]\s*["']?[A-Za-z0-9_-]{20,}|bearer\s+[A-Za-z0-9\-_]{20,})'''
+tags = ["grafana", "api", "key"]
+
+[[rules]]
+id = "terraform-provider-secrets"
+description = "Catch potential provider secrets in Terraform (.tf) files"
+regex = '''(?i)(access[_-]?key\s*=\s*["'][A-Za-z0-9/+=]{16,}["']|secret[_-]?key\s*=\s*["'][A-Za-z0-9/+=]{32,}["']|client[_-]?secret\s*=\s*["'][A-Za-z0-9/+=]{20,}["'])'''
+tags = ["terraform", "provider", "key"]
+
+[pathDenylist]
+description = "Exclude irrelevant or generated files"
+regexes = [
+  '''^\.terraform/.*''',
+  '''^\.terraform\.lock\.hcl$''',
+  '''^terraform\.tfstate.*$''',
+  '''^node_modules/.*''',
+  '''^__pycache__/.*''',
+  '''^\.venv/.*''',
+  '''^dist/.*''',
+  '''^build/.*''',
+  '''^coverage/.*''',
+  '''^\.github/workflows/.*''',
+  '''^logs?/.*''',
+  '''^tmp/.*''',
+  '''^\.env.*$'''
+]

setup-hooks.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+set -e
+
+echo "Setting up Git hooks..."
+
+# Point Git to .githooks directory
+git config core.hooksPath .githooks
+
+# Ensure pre-commit is executable
+chmod +x .githooks/pre-commit
+
+echo "Git hooks installed. Pre-commit scan will now run automatically."
+
+# Check if gitleaks is installed
+if command -v gitleaks >/dev/null 2>&1; then
+  echo "⚡ Gitleaks already installed: $(gitleaks version)"
+  exit 0
+fi
+
+# Install Gitleaks if missing
+VERSION="8.28.0"
+OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+ARCH=$(uname -m)
+
+echo "Installing Gitleaks v$VERSION for $OS-$ARCH..."
+
+case "$OS-$ARCH" in
+  linux-x86_64)
+    URL="https://github.com/gitleaks/gitleaks/releases/download/v$VERSION/gitleaks_${VERSION}_linux_x64.tar.gz"
+    ;;
+  linux-aarch64)
+    URL="https://github.com/gitleaks/gitleaks/releases/download/v$VERSION/gitleaks_${VERSION}_linux_arm64.tar.gz"
+    ;;
+  darwin-arm64)
+    URL="https://github.com/gitleaks/gitleaks/releases/download/v$VERSION/gitleaks_${VERSION}_darwin_arm64.tar.gz"
+    ;;
+  darwin-x86_64)
+    URL="https://github.com/gitleaks/gitleaks/releases/download/v$VERSION/gitleaks_${VERSION}_darwin_x64.tar.gz"
+    ;;
+  *)
+    echo "Unsupported OS/Arch ($OS-$ARCH). Please install manually:"
+    echo "https://github.com/gitleaks/gitleaks/releases/tag/v$VERSION"
+    exit 1
+    ;;
+esac
+
+curl -sSL "$URL" -o gitleaks.tar.gz
+tar -xvzf gitleaks.tar.gz gitleaks
+sudo mv gitleaks /usr/local/bin/
+rm -f gitleaks.tar.gz
+
+echo "Installed Gitleaks v$(gitleaks version)"