gitleaks

Author: fuxingloh

agents/gitleaks/.gitignore

@@ -0,0 +1,12 @@
+# dependencies
+node_modules
+.pnp
+.pnp.js
+.yarn*
+pnpm-lock.yaml
+
+# aixyz
+.aixyz
+
+# local env files
+.env.local

agents/gitleaks/Dockerfile

@@ -0,0 +1,10 @@
+FROM oven/bun:1 AS build
+WORKDIR /app
+COPY . .
+RUN bun install
+RUN bun run build
+
+FROM oven/bun:1-slim
+WORKDIR /app
+COPY --from=build /app/agents/gitleaks/.aixyz/output .aixyz/output
+CMD ["bun", ".aixyz/output/server.js"]

agents/gitleaks/aixyz.config.ts

@@ -0,0 +1,29 @@
+import type { AixyzConfig } from "aixyz/config";
+
+const config: AixyzConfig = {
+  name: "Gitleaks",
+  description:
+    "Scan code and text for exposed credentials, API keys, tokens, and other secrets. Get detailed findings with rule ID, redacted match, file location, and tags.",
+  version: "1.1.0",
+  url: process.env.RAILWAY_PUBLIC_DOMAIN ? `https://${process.env.RAILWAY_PUBLIC_DOMAIN}` : undefined,
+  x402: {
+    payTo: "0x0799872E07EA7a63c79357694504FE66EDfE4a0A",
+    network: process.env.NODE_ENV === "production" ? "eip155:8453" : "eip155:84532",
+  },
+  skills: [
+    {
+      id: "scan",
+      name: "Secret Scanner",
+      description:
+        "Scan code, configuration files, or text for exposed credentials such as API keys, tokens, private keys, and database connection strings.",
+      tags: ["security", "secrets", "credentials", "scanning"],
+      examples: [
+        "Scan this code for leaked secrets: const apiKey = 'AKIAIOSFODNN7EXAMPLE'",
+        "Check this config file for exposed credentials",
+        "Analyze my .env file for any hardcoded secrets that should be rotated",
+      ],
+    },
+  ],
+};
+
+export default config;

agents/gitleaks/app/erc-8004.ts

@@ -0,0 +1,16 @@
+import type { ERC8004Registration } from "aixyz/erc-8004";
+
+const metadata: ERC8004Registration = {
+  /**
+   * `aixyz erc-8004 register` will write to this field.
+   */
+  registrations: [],
+  supportedTrust: ["reputation"],
+};
+
+/**
+ * Declaring `export default metadata` will expose ERC-8004 metadata at:
+ *
+ * GET /_aixyz/erc-8004.json
+ */
+export default metadata;

agents/gitleaks/app/tools/scan.ts

@@ -0,0 +1,76 @@
+import { tool } from "ai";
+import type { Accepts } from "aixyz/accepts";
+import { z } from "zod";
+
+const GITLEAKS_BASE_URL = process.env.GITLEAKS_BASE_URL ?? "http://gitleaks.railway.internal:8080";
+
+interface GitleaksFinding {
+  Description: string;
+  StartLine: number;
+  EndLine: number;
+  StartColumn: number;
+  EndColumn: number;
+  Match: string;
+  Secret: string;
+  File: string;
+  SymlinkFile: string;
+  Commit: string;
+  Entropy: number;
+  Author: string;
+  Email: string;
+  Date: string;
+  Message: string;
+  Tags: string[];
+  RuleID: string;
+  Fingerprint: string;
+}
+
+function redact(value: string): string {
+  if (value.length <= 8) {
+    return value.slice(0, 2) + "*".repeat(value.length - 2);
+  }
+  const visibleStart = Math.min(4, Math.floor(value.length * 0.15));
+  const visibleEnd = Math.min(4, Math.floor(value.length * 0.15));
+  return value.slice(0, visibleStart) + "*".repeat(value.length - visibleStart - visibleEnd) + value.slice(-visibleEnd);
+}
+
+export const accepts: Accepts = {
+  scheme: "exact",
+  price: "$0.01",
+};
+
+export default tool({
+  description:
+    "Scan text or code for exposed credentials, API keys, tokens, private keys, and other secrets. Returns findings with rule ID, description, redacted secret, line number, and tags.",
+  inputSchema: z.object({
+    text: z.string().describe("The code or text content to scan for exposed secrets."),
+  }),
+  execute: async ({ text }) => {
+    const response = await fetch(`${GITLEAKS_BASE_URL}/scan`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ content: text }),
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`Scan service error (${response.status}): ${errorText}`);
+    }
+
+    const raw: GitleaksFinding[] = await response.json();
+
+    const findings = raw.map((f) => ({
+      ruleId: f.RuleID,
+      description: f.Description,
+      match: redact(f.Secret || f.Match),
+      startLine: f.StartLine,
+      endLine: f.EndLine,
+      tags: f.Tags ?? [],
+    }));
+
+    return {
+      totalFindings: findings.length,
+      findings,
+    };
+  },
+});

agents/gitleaks/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "gitleaks",
+  "private": true,
+  "scripts": {
+    "build": "aixyz build",
+    "dev": "aixyz dev"
+  },
+  "dependencies": {
+    "ai": "^6",
+    "aixyz": "0.31.0",
+    "zod": "^4"
+  },
+  "devDependencies": {
+    "@types/bun": "^1",
+    "typescript": "^5",
+    "use-agently": "latest"
+  }
+}

agents/gitleaks/tsconfig.json

@@ -0,0 +1,10 @@
+{
+  "compilerOptions": {
+    "target": "ESNext",
+    "module": "NodeNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "skipLibCheck": true,
+    "types": ["bun"]
+  }
+}