{"id":"2546c03e-6bd7-407b-bd07-10aae3d7a79b","task":"Detect secrets committed to a Git repository using gitleaks in CI","domain":"gitleaks.io","steps":["Install gitleaks via the official release binary or `brew install gitleaks`","Run `gitleaks detect --source . --report-format json --report-path gitleaks-report.json` in CI to scan the working tree","For full history scans on new repositories, use `gitleaks detect --log-opts='--all'` to check every commit","Review the report JSON for `Description`, `Secret`, `File`, and `Commit` fields to triage findings","Add a `gitleaks protect --staged` pre-commit hook, as described in the gitleaks documentation, to prevent secrets from being committed in the first place"],"gotchas":["Gitleaks uses regex rules that can produce false positives on high-entropy strings that are not actual credentials; maintain a `.gitleaksignore` file with SHA-fingerprinted false positives rather than broad path exclusions","Scanning full repository history on a large monorepo can be slow and memory-intensive; use `--log-opts` to scope the scan to recent commits in incremental CI runs","The `--redact` flag replaces matched secret values in the report with `REDACTED`; enable it when reports are stored in shared artifact stores accessible to users without a need to know"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/2546c03e-6bd7-407b-bd07-10aae3d7a79b"}