Skip to content

HYPERFLEET-1019 - docs: add LeakTK secret scanning to pre-commit hooks #139

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ldornele wants to merge 1 commit into
base: main
Choose a base branch
from
+186 −3
Open

HYPERFLEET-1019 - docs: add LeakTK secret scanning to pre-commit hooks #139

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
189 changes: 186 additions & 3 deletions hyperfleet/docs/pre-commit-hooks.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
Status: Active
Owner: HyperFleet Platform Team
Last Updated: 2026-04-27
Last Updated: 2026-05-14
---

# Pre-Commit Hooks Setup Guide
Expand All @@ -24,7 +24,7 @@ Last Updated: 2026-04-27

## Overview

HyperFleet uses a **centralized hook registry** at [`hyperfleet-hooks`](https://github.com/openshift-hyperfleet/hyperfleet-hooks) to enforce consistent commit message format and code quality across all repositories. The [pre-commit](https://pre-commit.com/) framework automatically downloads, builds, and caches hook binaries — no manual installation of individual tools is required.
HyperFleet uses a **centralized hook registry** at [`hyperfleet-hooks`](https://github.com/openshift-hyperfleet/hyperfleet-hooks) to enforce consistent commit message format and code quality across all repositories. Additionally, **LeakTK** provides secret scanning to prevent credentials and API keys from being committed. The [pre-commit](https://pre-commit.com/) framework automatically downloads, builds, and caches hook binaries — no manual installation of individual tools is required.

### How It Works

Expand Down Expand Up @@ -53,13 +53,21 @@ When a developer runs `git commit`, the pre-commit framework intercepts the oper
pip install pre-commit
```

- Go 1.25+ (for the `commitlint` hook — built automatically by pre-commit on first run)
- Go 1.25+ (for the `commitlint` hook and LeakTK secret scanning — both built automatically by pre-commit on first run)
- `btrfs-progs-devel` (Fedora/RHEL) for LeakTK compilation:

```bash
sudo dnf install btrfs-progs-devel
```

- `make` targets (`lint`, `gofmt`, `go-vet`) in the consuming repo (for Go tooling hooks)

---

## Available Hooks

### HyperFleet Hooks

All hooks are defined in the [`hyperfleet-hooks`](https://github.com/openshift-hyperfleet/hyperfleet-hooks) repository:

| Hook ID | Stage | Language | Description |
Expand All @@ -71,6 +79,22 @@ All hooks are defined in the [`hyperfleet-hooks`](https://github.com/openshift-h

The Go tooling hooks use `language: system` and delegate to existing Make targets rather than reimplementing tool resolution. This leverages each repo's [bingo](https://github.com/bwplotka/bingo)-managed tool versions (see [dependency pinning standard](https://github.com/openshift-hyperfleet/architecture/blob/main/hyperfleet/standards/dependency-pinning.md)).

### Secret Scanning Hook

**LeakTK** provides secret scanning to prevent credentials, API keys, and other secrets from being committed:

| Hook ID | Stage | Language | Description |
|---------|-------|----------|-------------|
| `leaktk.git.pre-commit` | `pre-commit` | `golang` | LeakTK: Scans staged files for secrets using Gitleaks engine with Red Hat-specific patterns |

**Key features**:
- ✅ **Open-source** — no VPN requirement, works for all contributors
- ✅ **Developed by Red Hat InfoSec** — same team that created rh-pre-commit
- ✅ **Gitleaks-powered** — uses proven secret detection patterns
- ⏱️ **First-time compilation** — takes 3-5 minutes on first commit, then cached

See the [Secret Scanning Migration](#secret-scanning-migration-rh-pre-commit-leaktk) section for migration details.

---

## Standard Configuration
Expand All @@ -83,6 +107,13 @@ All HyperFleet repositories **SHOULD** use the same `.pre-commit-config.yaml`. T
default_install_hook_types: [pre-commit, commit-msg]

repos:
# Secret scanning
- repo: https://github.com/leaktk/leaktk
rev: v0.3.2 # Check https://github.com/leaktk/leaktk/releases for latest
hooks:
- id: leaktk.git.pre-commit

# HyperFleet code quality hooks
- repo: https://github.com/openshift-hyperfleet/hyperfleet-hooks
rev: v0.1.1 # pin to a specific tag
hooks:
Expand All @@ -105,10 +136,20 @@ The file hygiene hooks (`trailing-whitespace`, `end-of-file-fixer`, `check-added

> **Note:** `default_install_hook_types: [pre-commit, commit-msg]` means a single `pre-commit install` command installs hooks for **both** the `pre-commit` and `commit-msg` stages. Without this setting, you would need to run `pre-commit install --hook-type commit-msg` separately to enable commit message validation.

> **Important:** On the **first commit** after running `make install-hooks`, LeakTK will compile from source (3-5 minutes). Subsequent commits use the cached binary and run instantly.

---

## Migration Guide

This section covers two migration scenarios:
1. **Adding Pre-commit Hooks** — adding hooks to an existing HyperFleet repository
2. **Secret Scanning Migration** — migrating from rh-pre-commit to LeakTK

---

### Adding Pre-commit Hooks to a Repository
Copy link
Copy Markdown
Contributor

@rafabene rafabene May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tip

nit — non-blocking suggestion

Category: Inconsistency

This heading is at ### (h3) — the same level as the ### Step 1: through ### Step 7: below it, making them siblings instead of children. By contrast, the new ### Secret Scanning Migration section properly nests its children at #### (h4).

Consider changing the Step headings below to #### to nest them under this wrapper, matching the pattern used in the Secret Scanning Migration section.


Follow these steps to add pre-commit hooks to an existing HyperFleet repository.

### Step 1: Add `.pre-commit-config.yaml`
Expand Down Expand Up @@ -204,6 +245,119 @@ git commit -m "HYPERFLEET-XXX - chore: add pre-commit hooks"

---

### Secret Scanning Migration: rh-pre-commit → LeakTK

#### Why Migrate to LeakTK?

[**LeakTK**](https://github.com/leaktk/leaktk) is an open-source secret scanning toolkit developed by Red Hat's Information Security team — the same team that created rh-pre-commit.

**Key benefits over rh-pre-commit**:
- ✅ **No VPN requirement** — works for Red Hat associates and external contributors
- ✅ **Open-source** — MIT licensed, publicly accessible on GitHub
- ✅ **Can be committed to repos** — configuration lives in repository files
- ✅ **Enforces on all developers** — configuration in repo ensures everyone uses it
- ✅ **Same detection engine** — both use Gitleaks with Red Hat-specific patterns (verified by InfoSec team)

#### Comparison: rh-pre-commit vs LeakTK

Both tools perform secret scanning using Gitleaks as the underlying engine. Here are the key differences:

| Feature | rh-pre-commit | LeakTK |
|---------|--------------|---------|
| **Secret scanning** | ✅ Gitleaks engine | ✅ Gitleaks engine |
| **Red Hat patterns** | ✅ Customized patterns | ✅ Customized patterns |
| **VPN required** | ⚠️ Only during installation | ❌ Never |
| **Open-source** | ❌ Internal Red Hat tool | ✅ Public GitHub repository |
| **Installation** | ✅ Pre-built binary | ⚠️ Compiles from source (first time only) |


#### Migration Steps

**Step 1: Ensure system requirements**

Verify that all team members have Go 1.25+ and btrfs-progs-devel installed:

```bash
go version # Should show 1.25.0 or later

# Fedora/RHEL
sudo dnf install btrfs-progs-devel

# Ubuntu/Debian
sudo apt install libbtrfs-dev
```

Or via Homebrew on macOS:

```bash
brew install btrfs-progs
```
Comment on lines +290 to +294
Copy link
Copy Markdown
Contributor

@rafabene rafabene May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning

Blocking

Category: Bug

brew install btrfs-progs doesn't exist on Homebrew — btrfs is a Linux-only filesystem (verified with brew search btrfs).

Per LeakTK's own build docs, btrfs-progs-devel is only needed when CGO_ENABLED=1. Setting CGO_ENABLED=0 removes the system dependency entirely and is the simplest path, especially for macOS.

Consider restructuring the prerequisite and migration sections to:

  1. Recommend CGO_ENABLED=0 as the default (no system deps needed, works on all platforms)
  2. Keep the btrfs-progs-devel / libbtrfs-dev instructions as a fallback for those who need CGO enabled
  3. Remove the macOS brew install btrfs-progs instruction entirely
# Example: if using pre-commit and CGO_ENABLED=1, install btrfs headers
# Fedora/RHEL: sudo dnf install btrfs-progs-devel
# Ubuntu/Debian: sudo apt install libbtrfs-dev
# macOS: set CGO_ENABLED=0 (no btrfs package available)


**Step 2: Update `.pre-commit-config.yaml`**

Replace the rh-pre-commit configuration with LeakTK:

```yaml
# Before (rh-pre-commit)
repos:
- repo: https://gitlab.cee.redhat.com/infosec-public/developer-workbench/tools
rev: rh-pre-commit-2.3.2
hooks:
- id: rh-pre-commit

# After (LeakTK)
repos:
- repo: https://github.com/leaktk/leaktk
rev: v0.3.2 # Check https://github.com/leaktk/leaktk/releases for latest
hooks:
- id: leaktk.git.pre-commit
```

**Step 3: Notify team**

Inform all developers that:
1. System requirements must be met (Go 1.25+, btrfs-progs-devel)
2. They should reinstall hooks: `make install-hooks`
3. The **first commit** will take 3-5 minutes (one-time compilation)
4. Subsequent commits will run instantly (cached binary)

Comment on lines +316 to +323
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add explicit CI/CD migration steps, not only developer-local steps.

The migration section says to notify developers, but it omits how CI jobs should install LeakTK prerequisites and run pre-commit after replacing rh-pre-commit. Since this migration affects shared enforcement, missing CI guidance creates inconsistent policy enforcement across repos.

Suggested doc addition 
 **Step 3: Notify team**

 Inform all developers that:
 1. System requirements must be met (Go 1.25+, btrfs-progs-devel)
 2. They should reinstall hooks: `make install-hooks`
 3. The **first commit** will take 3-5 minutes (one-time compilation)
 4. Subsequent commits will run instantly (cached binary)
+
+Also update CI pipelines that run pre-commit:
+- Install LeakTK build prerequisites in CI images/runners (Go + btrfs headers).
+- Run `pre-commit run --all-files` (or your repo-standard pre-commit target) in CI.
+- Pin the same `.pre-commit-config.yaml` revision used by developers to keep local/CI behavior identical.

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity. Validate changes against HyperFleet architecture standards from the linked architecture repository."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
**Step 3: Notify team**
Inform all developers that:
1. System requirements must be met (Go 1.25+, btrfs-progs-devel)
2. They should reinstall hooks: `make install-hooks`
3. The **first commit** will take 3-5 minutes (one-time compilation)
4. Subsequent commits will run instantly (cached binary)
**Step 3: Notify team**
Inform all developers that:
1. System requirements must be met (Go 1.25+, btrfs-progs-devel)
2. They should reinstall hooks: `make install-hooks`
3. The **first commit** will take 3-5 minutes (one-time compilation)
4. Subsequent commits will run instantly (cached binary)
Also update CI pipelines that run pre-commit:
- Install LeakTK build prerequisites in CI images/runners (Go + btrfs headers).
- Run `pre-commit run --all-files` (or your repo-standard pre-commit target) in CI.
- Pin the same `.pre-commit-config.yaml` revision used by developers to keep local/CI behavior identical.
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hyperfleet/docs/pre-commit-hooks.md` around lines 316 - 323, Update the
migration doc to include CI/CD steps so repos continue enforcing hooks:
explicitly instruct CI pipelines to install LeakTK prerequisites (Go 1.25+ and
btrfs-progs-devel), build the LeakTK/pre-commit binary (same build used by
developers) and cache it between jobs, replace references to rh-pre-commit with
the new built pre-commit binary invocation, and add a CI step that runs the
pre-commit binary (mirroring the developer `make install-hooks` behavior) while
noting the one-time compilation cost and how to use pipeline cache to avoid it;
reference the terms rh-pre-commit, LeakTK, make install-hooks, and pre-commit in
the doc so maintainers can locate and update pipeline configs accordingly.

**Step 4: Commit the migration**

```bash
git add .pre-commit-config.yaml
git commit -m "HYPERFLEET-XXX - chore: migrate from rh-pre-commit to LeakTK"
```

#### What Changes After Migration

**During development**:
```bash
# First commit after migration (one-time)
git commit -m "feat: add feature"
# LeakTK compiles (3-5 minutes), then scans
# ✅ Commit succeeds if no secrets found

# All subsequent commits
git commit -m "feat: another feature"
# LeakTK uses cached binary (instant)
```

**Example output when a secret is detected**:
```text
leaktk.git.pre-commit
┌─────────────────────────────────────────────────────────────────────────────┐
│ 1 secret(s) detected in staged files │
├─────────────────────────────────────────────────────────────────────────────┤
│ config/database.yml:12 │
│ Password = "admin123" # Generic Password │
└─────────────────────────────────────────────────────────────────────────────┘
```

The commit will be blocked until secrets are removed.

---


## Troubleshooting

### `pre-commit: command not found`
Expand All @@ -229,6 +383,32 @@ Your Makefile needs the `gofmt` alias. Add it pointing to your existing formatti
gofmt: fmt ## Alias for fmt
```

### LeakTK compilation fails with "Go version too old"

LeakTK requires Go 1.25+:

```bash
# Check version
go version

# Update (Fedora/RHEL)
sudo dnf update golang

# Or download from https://go.dev/dl/
```

### LeakTK compilation fails with "btrfs/ioctl.h: No such file or directory"

Install the btrfs development headers:

```bash
sudo dnf install btrfs-progs-devel
```

### First commit takes 3-5 minutes

This is **expected behavior** on the first commit after installing LeakTK. The pre-commit framework is compiling LeakTK from source. Subsequent commits will use the cached binary and run instantly.

### Hook runs but uses wrong tool version

Pre-commit caches hook environments. Clear the cache and reinstall:
Expand Down Expand Up @@ -274,3 +454,6 @@ This updates the `rev` field in `.pre-commit-config.yaml` to the latest tag.
- [pre-commit documentation](https://pre-commit.com/)
- [hyperfleet-hooks repository](https://github.com/openshift-hyperfleet/hyperfleet-hooks)
- [Sentinel pilot PR (hyperfleet-sentinel#102)](https://github.com/openshift-hyperfleet/hyperfleet-sentinel/pull/102) — reference implementation
- [LeakTK GitHub Repository](https://github.com/leaktk/leaktk)
- [Git Hooks Installation Guide](https://github.com/leaktk/leaktk/blob/main/docs/install_git_hooks.md)
- [PR #248 - pre-commit.com integration](https://github.com/leaktk/leaktk/pull/248) ✅ Merged 2026-05-13