Centralised git hooks for CircuitForge repos — gitleaks secret + PII scanning

Find a file

pyr0ball 481ad4b43e fix: allowlist — add regexTarget=match for global allowlist; allow Python private fn on RHS		2026-04-02 23:40:26 -07:00
hooks	fix(hooks): quote CONFIG_ARG, guard pre-push against empty repos	2026-03-07 12:40:35 -08:00
tests	test: add integration tests for pre-commit and commit-msg hooks	2026-03-07 12:43:28 -08:00
gitleaks.toml	fix: allowlist — add regexTarget=match for global allowlist; allow Python private fn on RHS	2026-04-02 23:40:26 -07:00
install.sh	feat: add install.sh for one-command hook activation	2026-03-07 12:36:18 -08:00
README.md	docs: add README with install and usage instructions	2026-03-07 13:04:49 -08:00

README.md

circuitforge-hooks

Centralised git hooks for all CircuitForge repos.

What it does

pre-commit — scans staged changes for secrets and PII via gitleaks
commit-msg — enforces conventional commit format
pre-push — scans full branch history as a safety net before push

Install

From any CircuitForge product repo root:

bash /Library/Development/CircuitForge/circuitforge-hooks/install.sh

On Heimdall live deploys (/devl/<repo>/), add the same line to the deploy script.

Per-repo allowlists

Create .gitleaks.toml at the repo root to extend the base config:

[extend]
path = "/Library/Development/CircuitForge/circuitforge-hooks/gitleaks.toml"

[allowlist]
regexes = [
    '\d{10}\.html',   # example: Craigslist listing IDs
]

Testing

bash tests/test_hooks.sh

Requirements

gitleaks binary: sudo apt-get install gitleaks
bash 4+

Adding a new rule

Edit gitleaks.toml. Follow the pattern of the existing [[rules]] blocks. Add tests to tests/test_hooks.sh covering both the blocked and allowed cases.