added gitleaks security scan

Author: mpsc0x

.github/actions/install-aptos-cli/action.yml

@@ -5,7 +5,7 @@ inputs:
   version:
     description: "Aptos CLI version to install"
     required: true
-    default: "7.2.0"
+    default: "7.7.0"
 
 runs:
   using: "composite"
@@ -37,7 +37,7 @@ runs:
         fi
 
         # Download & Install
-        URL="https://github.com/aptos-labs/aptos-core/releases/download/aptos-cli-v${VERSION}/${FILENAME}"
+        URL="https://github.com/aptos-labs/aptos-core/releases/tag/aptos-cli-v${VERSION}/${FILENAME}"
         echo "Downloading Aptos CLI from $URL"
         curl -sL "$URL" -o aptos-cli.zip
         unzip aptos-cli.zip

.github/workflows/doc.yml

@@ -38,7 +38,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
       - name: Run Aptos Create Local Testnet
         run: |
           make local-testnet &

.github/workflows/security-scan.yml

@@ -20,9 +20,9 @@ jobs:
       - name: TruffleHog OSS Secret Scanning
         uses: trufflesecurity/trufflehog@main
         with:
-        # Scan the entire repository
+          # Scan the entire repository
           path: ./
-        # Only show verified secrets and unknown (high confidence)
+          # Only show verified secrets and unknown (high confidence)
           extra_args: --results=verified,unknown
 
       - name: Setup Python for detect-secrets
@@ -79,6 +79,45 @@ jobs:
 
           echo "✅ Custom secret checks passed!"
 
+      # ---- Gitleaks CLI pinned to 8.28.0 (no SARIF) ----
+      - name: Download Gitleaks v8.28.0 (linux_x64) + verify checksum
+        env:
+          GITLEAKS_VERSION: "8.28.0"
+        run: |
+          set -euo pipefail
+          TAR="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          BASE="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
+          curl -sSL "${BASE}/${TAR}" -o gitleaks.tar.gz
+          curl -sSL "${BASE}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" -o checksums.txt
+          EXPECTED=$(grep "$TAR" checksums.txt | awk '{print $1}')
+          ACTUAL=$(sha256sum gitleaks.tar.gz | awk '{print $1}')
+          [ "$EXPECTED" = "$ACTUAL" ] || { echo "Checksum mismatch!"; exit 1; }
+          tar -xzf gitleaks.tar.gz gitleaks
+          chmod +x gitleaks
+          ./gitleaks version
+
+      # PRs: stage only changed files and scan staged diff (blocks on new leaks)
+      - name: Run Gitleaks on staged PR changes (blocking)
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          set -euo pipefail
+          # Ensure base is present and compute changed files
+          git fetch --no-tags --prune --depth=1 origin +refs/heads/${{ github.base_ref }}:refs/remotes/origin/${{ github.base_ref }}
+          git diff --name-only origin/${{ github.base_ref }}..HEAD > /tmp/changed_files.txt
+          if [ -s /tmp/changed_files.txt ]; then
+            xargs -a /tmp/changed_files.txt git add
+            ./gitleaks protect --staged --no-banner --redact --config-path .gitleaks.toml
+            xargs -a /tmp/changed_files.txt git reset
+          else
+            echo "No changed files; skipping."
+          fi
+
+      # Non-PR runs (e.g., merge_group/push): full scan, do not fail the job
+      - name: Run Gitleaks full scan (non-blocking)
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          ./gitleaks detect --source . --no-banner --redact --config-path .gitleaks.toml || true
+
   # Optional: Add Semgrep for additional security analysis
   semgrep:
     runs-on: ubuntu-latest
@@ -92,7 +131,7 @@ jobs:
       - name: Run Semgrep
         uses: returntocorp/semgrep-action@v1
         with:
-        # Run security-focused rules
+          # Run security-focused rules
           config: >-
             p/security-audit
             p/secrets

.github/workflows/testnet-deployment.yml

@@ -66,7 +66,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
 
       - name: Set Aptos Workspace Config
         run: make set-workspace-config

.github/workflows/typescript-integration-tests.yml

@@ -54,7 +54,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
 
       - name: Install Node.js
         uses: actions/setup-node@v4

.github/workflows/unit_tests.yml

@@ -41,7 +41,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
 
       - name: Run Aptos Create Local Testnet
         run: |

.gitleaks.toml

@@ -0,0 +1,20 @@
+title = "Gitleaks Config (lean)"
+
+[allowlist]
+description = "Common non-secret noise"
+paths = [
+  '''(^|/)tests?(/|$)''',
+  '''(^|/)fixtures?(/|$)''',
+  '''(^|/)examples?(/|$)''',
+  '''(^|/)docs?(/|$)''',
+  '''(^|/)migrations?(/|$)''',
+  '''\.md$''',
+  '''package-lock\.json$''',
+  '''yarn\.lock$''',
+  '''pnpm-lock\.yaml$''',
+  '''\.png$''',
+  '''\.jpg$''',
+  '''\.jpeg$''',
+  '''\.gif$''',
+  '''\.svg$''',
+]