feat: add gitleaks to prek pre-commit hooks and makefile#28

Open
newtob wants to merge 5 commits into ritwiktiwari:main from newtob:feat--add-gitleaks-to-prek-and-makefilie

Conversation

@newtob
Contributor

@newtob newtob commented Feb 15, 2026

Many folk find secrets sneak into code bases without notice. To eradicate these problems before they are committed, prek is amazing.

This MR uses prek to catch secrets before they are committed.

Summary by CodeRabbit

  • Chores
    • Added a new public "secrets" command entry to streamline secret scanning from the repo.
    • Hardened secret scanner behavior with stricter performance limits and more verbose, cleaner output.
    • Added local pre-commit hooks: an automatic type checker and a pre-commit secret scan to catch issues before commits.

Updated gitleaks command for secret scanning with additional options.
@ritwiktiwari
Owner

@coderabbitai review

@coderabbitai

coderabbitai bot commented Feb 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai bot commented Feb 22, 2026

📝 Walkthrough

Adds a new Makefile secrets target and augments pre-commit template with local hooks: a Python type-checker hook and a gitleaks secret-scan hook. gitleaks invocation now includes --no-banner, --timeout 60s, --max-target-megabytes=2, -v, plus staged-file handling in the hook.

Changes

Cohort: Makefile
  File(s): Makefile
  Summary: Added secrets to .PHONY and updated the secrets target command: gitleaks detect --redact 80 --no-banner --timeout 60s --max-target-megabytes=2 -v.

Cohort: Pre-commit template
  File(s): template/{% if include_prek %}.pre-commit-config.yaml{% endif %}.jinja
  Summary: Added two local hooks: a ty type-checker (entry uv run ty check) and a gitleaks secret-scan hook (primary gitleaks command plus a shell fallback to locate gitleaks). Includes comments about path resolution, redaction, fingerprinting, and ignoring false positives.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I sniff the code where secrets hide,

With gitleaks now set at my side,
Timeout steady, banners gone,
Two megabytes — I hop on! 🥕🔐

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main changes: adding gitleaks to both the prek pre-commit hooks and the Makefile, which aligns perfectly with the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Makefile (1)

1-1: ⚠️ Potential issue | 🟡 Minor

Add secrets to .PHONY declaration.

The secrets target (line 40) is not included in the .PHONY declaration. Since it doesn't create a file named secrets, it should be declared as phony to ensure it always runs when invoked.

🔧 Proposed fix
-.PHONY: verify fix lint format type-check install test docs docs-serve
+.PHONY: verify fix lint format type-check install test docs docs-serve secrets pysentry
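Review bot: the replacement `.PHONY` line also appends `pysentry`, which the finding never mentions and for which no target appears anywhere in this review; either limit the fix to appending `secrets`, which is what the finding asks for, or add the `pysentry` target in the same change so the declaration only lists targets that exist.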
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` at line 1, Add the missing phony target by including "secrets" in
the .PHONY declaration so Make treats the secrets target as always-executed;
update the existing .PHONY line that currently lists "verify fix lint format
type-check install test docs docs-serve" to also include the "secrets" symbol to
match the secrets target definition elsewhere in the Makefile.
🧹 Nitpick comments (2)
Makefile (1)

40-41: Same timeout concern applies here; also minor style inconsistency.

The 2-second timeout may be insufficient for scanning larger codebases. Consider increasing it to 30-60 seconds for more thorough scanning.

Minor: The --redact 80 syntax here differs from --redact=80 in the pre-commit config. While both work, using consistent syntax across configurations improves maintainability.

📝 Suggested alignment with pre-commit syntax
 secrets:
-	gitleaks detect --redact 80 --no-banner --timeout 2 --max-target-megabytes=2 -v
+	gitleaks detect --redact=80 --no-banner --timeout=30 --max-target-megabytes=2 -v
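Review bot: `--timeout=30` in the replacement line has no unit, while the inline comment on the template (line 37) asks for a valid Go duration such as `30s`; suggest `--timeout=30s` here so the Makefile and the hook pass the same string and the Makefile does not fail on the same parse problem the hook was flagged for.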
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 40 - 41, Increase the gitleaks timeout and align flag
syntax in the Makefile 'secrets' target: change the timeout from 2 seconds to a
more realistic 30–60 seconds (e.g., 30s) and use consistent flag syntax
`--redact=80` to match the pre-commit configuration; update the 'secrets' recipe
invocation of gitleaks accordingly so scans have enough time and flags are
consistent across configs.
template/{% if include_prek %}.pre-commit-config.yaml{% endif %}.jinja (1)

25-26: Comment placement creates confusion.

The comment on line 26 describing Gitleaks is placed between the "ty" comment and the - repo: local declaration. Consider reorganizing the comments to clearly associate each description with its respective hook, or use a single comment block describing all local hooks.

📝 Suggested reorganization
-  # ty - Astral's type checker (local hook since no prek repo yet)
-  # Gitleaks - a tool for detecting secrets like passwords, API keys, and tokens
+  # Local hooks
   - repo: local
     hooks:
+      # ty - Astral's type checker (local hook since no prek repo yet)
       - id: ty
         name: ty type checker
         entry: uv run ty check
         language: system
         types: [python]
         pass_filenames: false
+      # Gitleaks - a tool for detecting secrets like passwords, API keys, and tokens
       - id: gitleaks
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@template/{% if include_prek %}.pre-commit-config.yaml{% endif %}.jinja`
around lines 25 - 26, The inline comment describing Gitleaks is misplaced
between the "ty - Astral's type checker" comment and the `- repo: local`
declaration, causing confusion; move or merge comments so each description
clearly applies to its hook: either place the "ty - Astral's type checker"
comment immediately above the `- repo: local` block that defines that hook and
put the Gitleaks description directly above the Gitleaks hook, or replace both
with a single descriptive comment block before the `- repo: local` section
explaining that the following local hooks include ty (Astral type checker) and
Gitleaks (secret scanning).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@template/{% if include_prek %}.pre-commit-config.yaml{% endif %}.jinja`:
- Line 37: Replace the invalid and too-short timeout flag in the gitleaks
pre-commit entry: change the CLI token "--timeout 2" to a valid Go duration and
a more realistic value, e.g. "--timeout 30s" (so the entry containing "gitleaks
git --redact=80 --no-banner --timeout 2 -v ..." becomes "gitleaks git
--redact=80 --no-banner --timeout 30s -v ..."); keep the other flags (e.g.
--redact=80, --no-banner, --pre-commit, --staged) unchanged.

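The review above turns on two details of the gitleaks hook: the `--timeout` value must be a Go duration (a bare `2` is rejected), and the hook needs a fallback for locating the gitleaks binary. The wrapper below is an added example for a `language: system` hook, not the template from this PR; the variable names `GITLEAKS_TIMEOUT`, `GITLEAKS_REDACT`, `GITLEAKS_BIN`, the script name and the fallback install directories are assumptions.

```shell
#!/bin/sh
# gitleaks-precommit.sh: wrapper for a `language: system` pre-commit hook.
# Added example (not the PR's template). Assumed names: GITLEAKS_TIMEOUT,
# GITLEAKS_REDACT, GITLEAKS_BIN and the fallback install directories below.

GITLEAKS_TIMEOUT="${GITLEAKS_TIMEOUT:-30s}"
GITLEAKS_REDACT="${GITLEAKS_REDACT:-80}"

# Go duration syntax: one or more <number><unit> groups such as 30s or 1m30s.
# A bare number like "2" (the value flagged in review) has no unit and fails.
valid_duration() {
  printf '%s' "$1" | grep -Eq '^([0-9]+(\.[0-9]+)?(ns|us|ms|s|m|h))+$'
}

# Locate the binary: PATH first, then $GITLEAKS_BIN, then common install dirs.
# Prints the resolved path; returns 1 when nothing executable is found.
find_gitleaks() {
  if command -v gitleaks >/dev/null 2>&1; then command -v gitleaks; return 0; fi
  for candidate in "${GITLEAKS_BIN:-}" "$HOME/go/bin/gitleaks" \
      /usr/local/bin/gitleaks /opt/homebrew/bin/gitleaks; do
    if [ -n "$candidate" ] && [ -x "$candidate" ]; then
      printf '%s\n' "$candidate"; return 0
    fi
  done
  return 1
}

# Argument list for a staged-only scan, using the flag spelling from the PR
# (`--redact=80`) so the Makefile and the hook can be kept in one form.
scan_args() {
  printf '%s' "git --staged --pre-commit --redact=${GITLEAKS_REDACT} --no-banner --timeout=${1} -v"
}

run_hook() {
  valid_duration "$GITLEAKS_TIMEOUT" || {
    echo "invalid --timeout '$GITLEAKS_TIMEOUT': use a Go duration such as 30s" >&2; return 2; }
  bin=$(find_gitleaks) || {
    echo "gitleaks not found on PATH; install it or set GITLEAKS_BIN" >&2; return 2; }
  # Findings exit non-zero and block the commit; a confirmed false positive
  # can be excluded by adding its reported fingerprint to .gitleaksignore.
  # Word-splitting the fixed flag list is intended here.
  # shellcheck disable=SC2046
  "$bin" $(scan_args "$GITLEAKS_TIMEOUT")
}

# Run only when executed under this file name, so sourcing for tests is safe.
case "${0##*/}" in gitleaks-precommit.sh) run_hook ;; esac
```

Point the hook's `entry` at this script and set `pass_filenames: false`, since `--staged` already selects the files to scan.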

@newtob
Contributor Author

newtob commented Mar 14, 2026

All refinements implemented:

  • Makefile improved with the new entries in .PHONY
  • prek comments enhanced
  • gitleaks timeout extended

And as an added bonus found in testing with my team:

  • gitleaks path identification improved

Pipeline fails in the extensions.py, a file unchanged by this PR.
Unsure why failing, or how to fix. Please help!

@ritwiktiwari your help would be appreciated!

@newtob newtob marked this pull request as ready for review March 14, 2026 15:11

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
Makefile (1)

1-1: Consider adding conventional all and clean targets.

Static analysis (checkmake) flags missing all and clean phony targets. These are common Makefile conventions but not strictly required for this project's workflow. You could add them if desired:

all: verify

clean:
	@echo "No build artifacts to clean"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` at line 1, The Makefile is missing conventional phony targets "all"
and "clean" which static analysis (checkmake) expects; add targets named all and
clean and include them in the .PHONY list alongside existing targets (e.g.,
.PHONY: verify fix lint ...), implement all as a shortcut to the primary
build/test entry (e.g., make all should run the existing verify target) and add
a harmless clean target (e.g., printing "No build artifacts to clean" or a
no-op) so checkmake and users see standard behavior.


📥 Commits

Reviewing files that changed from the base of the PR and between 24fce59 and 40bc22b.

📒 Files selected for processing (2)
  • Makefile
  • template/{% if include_prek %}.pre-commit-config.yaml{% endif %}.jinja
🚧 Files skipped from review as they are similar to previous changes (1)
  • template/{% if include_prek %}.pre-commit-config.yaml{% endif %}.jinja

Comment on lines 39 to +41
# Secret scanning
secrets:
gitleaks detect --redact 80
gitleaks detect --redact 80 --no-banner --timeout 60s --max-target-megabytes=2 -v
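Review bot: besides the timeout mismatch, the recipe spells the redaction flag `--redact 80` while the hook entry uses `--redact=80`; settle on one form. Note also that the hook runs `gitleaks git --staged --pre-commit`, which only examines staged changes, whereas `gitleaks detect` here scans the repository history by default, so the Makefile target and the hook can legitimately report different findings even once the timeout values agree.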


⚠️ Potential issue | 🟡 Minor

Timeout inconsistency with pre-commit configuration.

The Makefile uses --timeout 60s, but the pre-commit bash wrapper in template/{% if include_prek %}.pre-commit-config.yaml{% endif %}.jinja (line 42) uses --timeout 2 (2 seconds). This 30x difference could cause the pre-commit hook to timeout on larger repositories while the Makefile succeeds.

Please align the timeout values across both configurations for consistent behavior.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 39 - 41, The Makefile target "secrets" runs gitleaks
with --timeout 60s while the pre-commit bash wrapper in template/{% if
include_prek %}.pre-commit-config.yaml{% endif %}.jinja uses --timeout 2 causing
inconsistent behavior; update the --timeout value so both places match (pick one
canonical value, e.g., change the pre-commit wrapper's --timeout from 2 to 60 or
change the Makefile's --timeout to 2) by editing the gitleaks invocation in the
"secrets" Makefile target and the gitleaks invocation in the pre-commit template
to use the same timeout string (including the 's' suffix if using seconds).
