added gitleaks security scan

Author: mpsc0x

.github/actions/install-aptos-cli/action.yml

@@ -5,7 +5,7 @@ inputs:
   version:
     description: "Aptos CLI version to install"
     required: true
-    default: "7.2.0"
+    default: "7.7.0"
 
 runs:
   using: "composite"

.github/workflows/doc.yml

@@ -38,7 +38,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
       - name: Run Aptos Create Local Testnet
         run: |
           make local-testnet &

.github/workflows/lint.yml

@@ -39,12 +39,9 @@ jobs:
           sudo apt-get update -y
 
       - name: Install Aptos CLI
-        run: |
-          curl -fsSL "https://aptos.dev/scripts/install_cli.py" | python3
-          aptos --version
-          aptos update movefmt
-          echo 'Adding movefmt to PATH'
-          echo "$HOME/.aptos/bin" >> $GITHUB_PATH
+        uses: ./.github/actions/install-aptos-cli
+        with:
+          version: "7.7.0"
 
       - name: Install Node.js
         uses: actions/setup-node@v4
@@ -65,6 +62,8 @@ jobs:
 
       - name: Run Pre Commit
         uses: pre-commit/[email protected]
+        env:
+          SKIP: detect-secrets  # skip only this hook in CI; still runs locally
 
   fmt:
     name: fmt

.github/workflows/security-scan.yml

@@ -10,6 +10,9 @@ jobs:
   security-scan:
     runs-on: ubuntu-latest
     name: Security Scanning
+    env:
+      GITLEAKS_VERSION: "8.28.0"  # pin gitleaks version
+      GITLEAKS_CONFIG: ".gitleaks.toml"  # config picked up automatically by gitleaks
 
     steps:
       - name: Checkout code
@@ -20,9 +23,9 @@ jobs:
       - name: TruffleHog OSS Secret Scanning
         uses: trufflesecurity/trufflehog@main
         with:
-        # Scan the entire repository
+          # Scan the entire repository
           path: ./
-        # Only show verified secrets and unknown (high confidence)
+          # Only show verified secrets and unknown (high confidence)
           extra_args: --results=verified,unknown
 
       - name: Setup Python for detect-secrets
@@ -79,6 +82,50 @@ jobs:
 
           echo "✅ Custom secret checks passed!"
 
+      # ---- Gitleaks CLI pinned to 8.28.0 (no SARIF) ----
+      - name: Download Gitleaks v8.28.0 (linux_x64) + verify checksum
+        run: |
+          set -euo pipefail
+          TAR="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          BASE="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
+
+          echo "Downloading $TAR..."
+          curl -sSL "${BASE}/${TAR}" -o gitleaks.tar.gz
+          curl -sSL "${BASE}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" -o checksums.txt
+
+          EXPECTED=$(grep "$TAR" checksums.txt | awk '{print $1}')
+          ACTUAL=$(sha256sum gitleaks.tar.gz | awk '{print $1}')
+          [ "$EXPECTED" = "$ACTUAL" ] || { echo "Checksum mismatch!"; exit 1; }
+
+          tar -xzf gitleaks.tar.gz gitleaks
+          chmod +x gitleaks
+          ./gitleaks version
+
+      # PRs: stage only changed files and scan staged diff (blocks on new leaks)
+      - name: Run Gitleaks on staged PR changes (blocking)
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          set -euo pipefail
+          # Ensure base is present and compute changed files
+          git fetch --no-tags --prune --depth=1 origin +refs/heads/${{ github.base_ref }}:refs/remotes/origin/${{ github.base_ref }}
+          git diff --name-only origin/${{ github.base_ref }}..HEAD > /tmp/changed_files.txt
+          if [ -s /tmp/changed_files.txt ]; then
+            xargs -a /tmp/changed_files.txt git add
+            ./gitleaks protect --staged --no-banner --redact
+            xargs -a /tmp/changed_files.txt git reset
+          else
+            echo "No changed files; skipping."
+          fi
+
+      # Non-PR runs (e.g., merge_group/push): full scan, do not fail the job
+      - name: Run Gitleaks full scan (non-blocking)
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          ./gitleaks detect \
+            --source . \
+            --no-banner \
+            --redact || true
+
   # Optional: Add Semgrep for additional security analysis
   semgrep:
     runs-on: ubuntu-latest
@@ -92,7 +139,7 @@ jobs:
       - name: Run Semgrep
         uses: returntocorp/semgrep-action@v1
         with:
-        # Run security-focused rules
+          # Run security-focused rules
           config: >-
             p/security-audit
             p/secrets

.github/workflows/testnet-deployment.yml

@@ -66,7 +66,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
 
       - name: Set Aptos Workspace Config
         run: make set-workspace-config

.github/workflows/typescript-integration-tests.yml

@@ -54,7 +54,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
 
       - name: Install Node.js
         uses: actions/setup-node@v4

.github/workflows/unit_tests.yml

@@ -41,7 +41,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
 
       - name: Run Aptos Create Local Testnet
         run: |

.gitleaks.toml

@@ -0,0 +1,20 @@
+title = "Gitleaks Config (lean)"
+
+[allowlist]
+description = "Common non-secret noise"
+paths = [
+  '''(^|/)tests?(/|$)''',
+  '''(^|/)fixtures?(/|$)''',
+  '''(^|/)examples?(/|$)''',
+  '''(^|/)docs?(/|$)''',
+  '''(^|/)migrations?(/|$)''',
+  '''\.md$''',
+  '''package-lock\.json$''',
+  '''yarn\.lock$''',
+  '''pnpm-lock\.yaml$''',
+  '''\.png$''',
+  '''\.jpg$''',
+  '''\.jpeg$''',
+  '''\.gif$''',
+  '''\.svg$''',
+]