{"id":"0ce57033-abed-462b-9e60-46285f908656","task":"Configure gitleaks and trufflehog for secret scanning with pre-receive and pre-commit hooks","domain":"github.com/gitleaks/gitleaks","steps":["Install gitleaks and write a rules file (a gitleaks TOML config) covering your organization's secret patterns (API keys, tokens, private keys and certificates), extending the built-in default rules rather than replacing them","Add a pre-commit hook that runs gitleaks against the staged changes only (`gitleaks protect --staged` on 8.x, `gitleaks git --pre-commit --staged` on 8.19 and later) and refuses the commit on a non-zero exit","Run trufflehog over the full git history of the repository (`trufflehog git file://<repo>`) to find secrets committed before scanning was in place, not just those in the current tree","Set up a server-side pre-receive hook (or a CI check on every push) that scans exactly the pushed commit range and rejects the push when a secret is detected","Establish a process for rotating and revoking every secret found, treating each finding as an incident: record where it leaked, when, and what it granted access to in an incident log","Tune both tools' allow-lists to suppress known false positives narrowly (by path or fingerprint rather than broad regexes) so detection fidelity is preserved"],"gotchas":["Pre-commit hooks only run where the hook is installed; contributors who skip hook setup, use `git commit --no-verify`, or push from another tool are not checked, so server-side enforcement is essential","Regex-based secret detection produces false positives on test fixtures and example files; an overly broad allow-list created to suppress these can also suppress real secrets, so scope every exclusion as tightly as possible","Rotating a leaked secret is necessary but not sufficient: it may have been used for unauthorized access before detection, may be cached by external services, and remains in every clone that fetched it, so rewriting history does not recall it"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:15.651Z"},"url":"https://mcp.waymark.network/r/0ce57033-abed-462b-9e60-46285f908656"}
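The steps above as one hook script, written as an added example for this record (it is not gitleaks' or trufflehog's own code). It assumes gitleaks and trufflehog are on PATH, a rules file at `.gitleaks.toml` (overridable through `GITLEAKS_CONFIG`), and that the script is symlinked into a repository's hooks directory under the names `pre-commit` and `pre-receive`; the `history-scan` name is a convenience for the one-off trufflehog pass. The part worth studying is `rev_range_for_push`: a pre-receive hook receives `oldrev newrev refname` lines, and a naive `oldrev..newrev` breaks on a new branch (oldrev is all zeros) and on a branch deletion (newrev is all zeros). The `< /dev/null` on the scanner inside the `while read` loop is deliberate, since a child that reads stdin would otherwise swallow the remaining ref lines.

```shell
#!/bin/sh
# secret-scan-hook.sh: one script installed as both the client-side pre-commit
# hook and the server-side pre-receive hook (symlink it under each name).
# Example code for this record, not gitleaks' or trufflehog's own.
# Assumes gitleaks and trufflehog on PATH and a rules file at .gitleaks.toml.
set -eu

GITLEAKS_CONFIG="${GITLEAKS_CONFIG:-.gitleaks.toml}"
ZERO_SHA='0000000000000000000000000000000000000000'

# Translate one pre-receive input line ("oldrev newrev refname") into the
# git-log range the scanner must cover. Edge cases a plain "old..new" misses:
#  - oldrev all zeros: a new branch; scan only commits not already reachable
#    from an existing ref, otherwise the whole history is rescanned each push.
#  - newrev all zeros: a branch deletion; nothing to scan (empty output).
rev_range_for_push() {
  old="$1"; new="$2"
  if [ "$new" = "$ZERO_SHA" ]; then
    printf ''
  elif [ "$old" = "$ZERO_SHA" ]; then
    printf '%s --not --all' "$new"
  else
    printf '%s..%s' "$old" "$new"
  fi
}

# Client side: scan only what is staged, so the commit is refused before it exists.
run_pre_commit() {
  # gitleaks 8.x: 'protect --staged'; 8.19+ renames this to 'git --pre-commit --staged'.
  gitleaks protect --staged --redact --no-banner --config "$GITLEAKS_CONFIG" \
    || { echo 'pre-commit: gitleaks found a secret in staged changes; commit refused' >&2; exit 1; }
}

# Server side: enforced for every pusher, including anyone who skipped hook
# setup or committed with --no-verify. Reads "oldrev newrev refname" from stdin.
run_pre_receive() {
  status=0
  while read -r old new ref; do
    range=$(rev_range_for_push "$old" "$new")
    [ -n "$range" ] || continue
    # --log-opts is passed through to git log, so '--not --all' works for new
    # branches. stdin is redirected so gitleaks cannot consume the next ref line.
    if ! gitleaks detect --redact --no-banner --config "$GITLEAKS_CONFIG" \
          --log-opts="$range" < /dev/null; then
      echo "pre-receive: secret detected in commits pushed to $ref; push rejected" >&2
      status=1
    fi
  done
  exit "$status"
}

# One-off: trufflehog over the full history. Verified findings only keeps the
# noise down; --fail turns findings into a non-zero exit so CI can gate on it.
scan_full_history() {
  trufflehog git "file://${1:-.}" --only-verified --fail
}

case "$(basename "$0")" in
  pre-commit)   run_pre_commit ;;
  pre-receive)  run_pre_receive ;;
  history-scan) scan_full_history "${1:-.}" ;;
esac
```

Install it with `ln -s /path/to/secret-scan-hook.sh .git/hooks/pre-commit` on clients and under `hooks/pre-receive` in the bare repository on the server; because the script dispatches on its own name, nothing runs when it is sourced or executed under any other name, which also makes the range logic testable in isolation. Findings from either hook or from the history scan feed the rotation and incident-log process in the record's fifth step; the hook blocks the push, it does not revoke anything.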