
HYPERFLEET-1019 - docs: add LeakTK secret scanning to pre-commit hooks#139

Open
ldornele wants to merge 1 commit into
openshift-hyperfleet:mainfrom
ldornele:HYPERFLEET-1019

Conversation

@ldornele
Contributor

Summary

Adds comprehensive documentation for LeakTK secret scanning as the recommended replacement for rh-pre-commit in HyperFleet repositories. LeakTK is an open-source secret scanning toolkit developed by Red Hat's InfoSec team that removes VPN requirements while maintaining the same Gitleaks-based detection with Red Hat-specific patterns.

Changes Made

Documentation Updates

  • Added LeakTK secret scanning hook section

    • Hook configuration table with leaktk.git.pre-commit details
    • Key features comparison (open-source, no VPN, Gitleaks-powered)
    • System requirements (Go 1.25+, btrfs-progs-devel)
  • Added migration guide: rh-pre-commit → LeakTK

    • Rationale for migration (VPN independence, open-source, enforceability)
    • Comparison table showing feature parity
    • Step-by-step migration instructions
    • Expected behavior and example output
  • Updated standard configuration

    • Added LeakTK repo to .pre-commit-config.yaml template
    • Placed secret scanning before code quality hooks
    • Updated prerequisites section with new dependencies
  • Added troubleshooting sections

    • Go version compatibility issues
    • btrfs-progs-devel installation
    • First-time compilation expectations (3-5 minutes)
  • Updated metadata

    • Last Updated: 2026-05-14

New References

Why This Change?

Benefits of LeakTK over rh-pre-commit

  1. No VPN requirement — works for all contributors (Red Hat associates and external)
  2. Open-source — MIT licensed, publicly accessible on GitHub
  3. Can be committed to repos — configuration lives in repository files, ensuring consistent enforcement
  4. Same security — uses Gitleaks engine with Red Hat-specific patterns (verified by InfoSec team)

Trade-offs

  • First-time compilation: 3-5 minutes on first commit (one-time cost, then cached)
  • System dependency: Requires btrfs-progs-devel for compilation

Migration Impact

Who is affected?

  • All HyperFleet contributors setting up pre-commit hooks
  • Existing developers who need to migrate from rh-pre-commit
  • CI/CD pipelines that use pre-commit hooks

Action Required

For new repositories: Use the updated .pre-commit-config.yaml template from this documentation.

For existing repositories using rh-pre-commit: Follow the migration guide in the "Secret Scanning Migration" section.

@openshift-ci openshift-ci Bot requested review from aredenba-rh and crizzo71 May 14, 2026 21:57
@openshift-ci

openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rafabene for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai
Contributor

coderabbitai Bot commented May 14, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Documentation
    • Updated pre-commit hooks documentation with LeakTK-based secret scanning guidance
    • Added comprehensive migration guide for transitioning to LeakTK from previous setup
    • Expanded prerequisites section with Go 1.25+ and btrfs tooling requirements
    • Enhanced troubleshooting section with LeakTK compilation failure scenarios and solutions

Walkthrough

This pull request updates the pre-commit hooks documentation to introduce LeakTK as the new secret scanning solution. The changes expand prerequisites to include Go 1.25+ and btrfs development headers, add a new "Secret Scanning Hook" section describing the LeakTK hook, include a LeakTK repository block in the standard .pre-commit-config.yaml example, document the expected compilation time on the first commit, provide a comprehensive migration guide for teams currently using rh-pre-commit, extend the troubleshooting section with LeakTK-specific issues, and update references with relevant LeakTK links.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and specifically summarizes the main change—adding LeakTK secret scanning documentation to the pre-commit hooks guide.
Description check ✅ Passed The description is comprehensive and directly related to the changeset, explaining the LeakTK documentation additions, migration guidance, system requirements, and rationale.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hyperfleet/docs/pre-commit-hooks.md`:
- Around line 316-323: Update the migration doc to include CI/CD steps so repos
continue enforcing hooks: explicitly instruct CI pipelines to install LeakTK
prerequisites (Go 1.25+ and btrfs-progs-devel), build the LeakTK/pre-commit
binary (same build used by developers) and cache it between jobs, replace
references to rh-pre-commit with the new built pre-commit binary invocation, and
add a CI step that runs the pre-commit binary (mirroring the developer `make
install-hooks` behavior) while noting the one-time compilation cost and how to
use pipeline cache to avoid it; reference the terms rh-pre-commit, LeakTK, make
install-hooks, and pre-commit in the doc so maintainers can locate and update
pipeline configs accordingly.

📥 Commits

Reviewing files that changed from the base of the PR and between f1ac5a4 and 74f5eec.

📒 Files selected for processing (1)
  • hyperfleet/docs/pre-commit-hooks.md

Comment on lines +316 to +323
**Step 3: Notify team**

Inform all developers that:
1. System requirements must be met (Go 1.25+, btrfs-progs-devel)
2. They should reinstall hooks: `make install-hooks`
3. The **first commit** will take 3-5 minutes (one-time compilation)
4. Subsequent commits will run instantly (cached binary)


🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add explicit CI/CD migration steps, not only developer-local steps.

The migration section says to notify developers, but it omits how CI jobs should install LeakTK prerequisites and run pre-commit after replacing rh-pre-commit. Since this migration affects shared enforcement, missing CI guidance creates inconsistent policy enforcement across repos.

Suggested doc addition
 **Step 3: Notify team**

 Inform all developers that:
 1. System requirements must be met (Go 1.25+, btrfs-progs-devel)
 2. They should reinstall hooks: `make install-hooks`
 3. The **first commit** will take 3-5 minutes (one-time compilation)
 4. Subsequent commits will run instantly (cached binary)
+
+Also update CI pipelines that run pre-commit:
+- Install LeakTK build prerequisites in CI images/runners (Go + btrfs headers).
+- Run `pre-commit run --all-files` (or your repo-standard pre-commit target) in CI.
+- Pin the same `.pre-commit-config.yaml` revision used by developers to keep local/CI behavior identical.
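Review bot: the added CI bullet "Install LeakTK build prerequisites in CI images/runners (Go + btrfs headers)" should state that the btrfs headers are only needed when building with CGO_ENABLED=1, since the other review comment on this PR notes that CGO_ENABLED=0 removes that system dependency entirely; otherwise CI maintainers will chase a package that does not exist on every runner image. The suggestion also drops the caching advice from the prompt above it (build the binary once and cache it between jobs): without a cache step, every CI run pays the 3-5 minute compilation that the doc describes as a one-time cost, so consider adding a bullet such as "Cache the compiled LeakTK hook binary between jobs to avoid recompiling on every run."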

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity. Validate changes against HyperFleet architecture standards from the linked architecture repository."


Comment on lines +290 to +294
Or via Homebrew on macOS:

```bash
brew install btrfs-progs
```

Warning

Blocking

Category: Bug

brew install btrfs-progs doesn't exist on Homebrew — btrfs is a Linux-only filesystem (verified with brew search btrfs).

Per LeakTK's own build docs, btrfs-progs-devel is only needed when CGO_ENABLED=1. Setting CGO_ENABLED=0 removes the system dependency entirely and is the simplest path, especially for macOS.

Consider restructuring the prerequisite and migration sections to:

  1. Recommend CGO_ENABLED=0 as the default (no system deps needed, works on all platforms)
  2. Keep the btrfs-progs-devel / libbtrfs-dev instructions as a fallback for those who need CGO enabled
  3. Remove the macOS brew install btrfs-progs instruction entirely
```bash
# Example: if using pre-commit and CGO_ENABLED=1, install btrfs headers
# Fedora/RHEL: sudo dnf install btrfs-progs-devel
# Ubuntu/Debian: sudo apt install libbtrfs-dev
# macOS: set CGO_ENABLED=0 (no btrfs package available)
```
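A prerequisite check that encodes the rules discussed in this thread (Go 1.25+ required; btrfs headers only matter with CGO_ENABLED=1; macOS has no btrfs package, so cgo is disabled there), as an added example that is not part of the PR, the HyperFleet docs or the LeakTK project. The header-directory path used to detect btrfs-progs-devel is an assumption.

```bash
#!/usr/bin/env bash
# Added example: decide whether a contributor can build the LeakTK pre-commit
# hook and which CGO_ENABLED value to export. Not from the PR or LeakTK itself.

# go_version_ok "<output of: go version>" -> exit 0 when major.minor >= 1.25
go_version_ok() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  [ -n "$ver" ] || return 1            # unparseable output counts as a failure
  major=${ver%%.*}
  minor=${ver#*.}
  [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 25 ]; }
}

# leaktk_cgo_setting <uname -s> <btrfs headers present: yes|no>
# Prints the CGO_ENABLED value to use for the build.
leaktk_cgo_setting() {
  case "$1" in
    Darwin) echo 0 ;;                  # no btrfs-progs on Homebrew: cgo must be off
    Linux)  if [ "$2" = yes ]; then echo 1; else echo 0; fi ;;
    *)      echo 0 ;;                  # portable default, no system dependency
  esac
}

# Live check for a developer machine; only meaningful when Go is installed.
check_leaktk_prereqs() {
  command -v go >/dev/null 2>&1 || { echo "go not found; Go 1.25+ is required" >&2; return 1; }
  gv=$(go version)
  go_version_ok "$gv" || { echo "Go 1.25+ required, found: $gv" >&2; return 1; }
  hdr=no
  # Assumed location of the btrfs-progs-devel / libbtrfs-dev headers.
  [ -d /usr/include/btrfs ] && hdr=yes
  echo "CGO_ENABLED=$(leaktk_cgo_setting "$(uname -s)" "$hdr")"
}
```

Run `check_leaktk_prereqs` before `make install-hooks` to learn which CGO_ENABLED value to export so the first-commit compilation does not fail on missing headers.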


---

### Adding Pre-commit Hooks to a Repository

Tip

nit — non-blocking suggestion

Category: Inconsistency

This heading is at ### (h3) — the same level as the ### Step 1: through ### Step 7: below it, making them siblings instead of children. By contrast, the new ### Secret Scanning Migration section properly nests its children at #### (h4).

Consider changing the Step headings below to #### to nest them under this wrapper, matching the pattern used in the Secret Scanning Migration section.
