chore: consolidate security scanning tools

.github/workflows/leaked-secrets-scan.yml

@@ -10,77 +10,6 @@ on:
     branches: [main]
 
 jobs:
-  detect-secrets:
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    name: detect-secrets
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v6
-      with:
-        fetch-depth: 0
-    - name: Install detect-secrets
-      run: pipx install detect-secrets
-    - name: Verify baseline exists
-      run: |
-        if [ ! -f .secrets.baseline ]; then
-          echo "::error::.secrets.baseline not found!"
-          exit 1
-        fi
-        echo "Found .secrets.baseline"
-    - name: Scan for secrets
-      run: |
-        echo "Scanning for secrets..."
-        detect-secrets scan \
-          --baseline .secrets.baseline \
-          --exclude-files '.*\.lock$' \
-          --force-use-all-plugins
-    - name: Audit baseline for unaudited secrets
-      run: |
-        echo "Auditing secrets baseline..."
-        if grep -q '"is_secret": null' .secrets.baseline; then
-          echo "::error::Found unaudited secrets in baseline! Run: detect-secrets audit .secrets.baseline"
-          detect-secrets audit .secrets.baseline --report
-          exit 1
-        fi
-        echo "All secrets in baseline have been audited"
-        detect-secrets audit .secrets.baseline --report
-    - name: Check for new secrets in PR
-      if: github.event_name == 'pull_request'
-      run: |
-        echo "Checking for new secrets in PR..."
-        mkdir -p /tmp/pr-scan
-        git diff origin/main...HEAD --name-only | while read -r file; do
-          if [ -f "$file" ]; then
-            mkdir -p "/tmp/pr-scan/$(dirname "$file")" 2>/dev/null || true
-            cp "$file" "/tmp/pr-scan/$file" 2>/dev/null || true
-          fi
-        done
-        if [ "$(ls -A /tmp/pr-scan 2>/dev/null)" ]; then
-          echo "Scanning changed files..."
-          detect-secrets scan \
-            --baseline .secrets.baseline \
-            --exclude-files '.*\.lock$' \
-            --force-use-all-plugins \
-            /tmp/pr-scan || echo "No new secrets found"
-        else
-          echo "No files to scan"
-        fi
-    - name: Full repository scan (scheduled)
-      if: github.event_name == 'schedule'
-      run: |
-        echo "Performing full repository scan..."
-        detect-secrets scan \
-          --exclude-files '.*\.lock$' \
-          --force-use-all-plugins
-    - name: Upload baseline on failure
-      uses: actions/upload-artifact@v7
-      if: failure()
-      with:
-        name: detect-secrets-report
-        path: .secrets.baseline
-        retention-days: 30
-
   gitleaks-cli:
     name: gitleaks (CLI)
     runs-on: ubuntu-latest
@@ -105,28 +34,3 @@ jobs:
           name: gitleaks-report
           path: gitleaks-report.sarif
           retention-days: 30
-
-  trufflehog:
-    name: trufflehog
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    env:
-      TRUFFLEHOG_VERSION: '3.93.8'
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Install trufflehog
-        run: |
-          curl -sSfL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" \
-            | tar -xz -C /usr/local/bin trufflehog
-          trufflehog --version
-      - name: Run trufflehog
-        run: trufflehog git file://. --only-verified --fail --json 2>&1 | tee trufflehog-report.json
-      - name: Upload report
-        uses: actions/upload-artifact@v7
-        if: always()
-        with:
-          name: trufflehog-report
-          path: trufflehog-report.json
-          retention-days: 30

.pre-commit-config.yaml

@@ -8,20 +8,8 @@ repos:
       - id: check-merge-conflict
       - id: end-of-file-fixer
 
-  - repo: https://github.com/Yelp/detect-secrets
-    rev: v1.5.0
-    hooks:
-      - id: detect-secrets
-        args: ['--baseline', '.secrets.baseline', '--exclude-files', '.*\.lock$']
-
   - repo: https://github.com/gitleaks/gitleaks
     rev: v8.30.0
     hooks:
       - id: gitleaks
         stages: [pre-push]
-
-  - repo: https://github.com/trufflesecurity/trufflehog
-    rev: v3.93.8
-    hooks:
-      - id: trufflehog
-        stages: [pre-push]

claude-code/ARCHITECTURE.md

@@ -182,7 +182,7 @@ export ARIA_GQL_LOCAL=http://localhost:9002/graphql
 ### smartem-decisions CI Features
 
 - Schema drift checking (Alembic vs SQLModel)
-- Security scanning (detect-secrets)
+- Security scanning (gitleaks)
 - Versioned docs to GitHub Pages
 - Windows .exe builds (PyInstaller) for agent and epuplayer
 

claude-code/shared/skills/devops/SKILL.md

@@ -174,7 +174,7 @@ kubectl get secret db-credentials -n smartem-decisions -o jsonpath='{.data.POSTG
 | ci.yml | Push/PR to main | Tests, lint, type check |
 | _container.yml | Tag push (v*) | Build and push Docker image |
 | _docs.yml | Tag push | Build and publish docs |
-| security-scan.yml | Schedule/manual | detect-secrets scanning |
+| security-scan.yml | Schedule/manual | gitleaks scanning |
 | build_win_smartem_agent.yml | Push to main | Windows .exe build |
 
 ### Debugging CI Failures

claude-code/smartem-decisions/agents/devops.md

@@ -95,7 +95,7 @@ Tools and technologies you work with:
 - Docker/Podman for containerisation and image management
 - kubectl, kustomize, Helm for Kubernetes deployment and configuration management
 - Development scripts and local cluster management (k3d, kind, development tools)
-- Security scanning tools (detect-secrets, container vulnerability scanners)
+- Security scanning tools (gitleaks, container vulnerability scanners)
 - Monitoring stacks (Prometheus, Grafana, logging aggregation systems)
 - Infrastructure automation and GitOps tools for configuration management
 

docs/decision-records/decisions/0005-detect-secrets-for-secret-scanning.md

@@ -4,7 +4,9 @@ Date: 21/08/2025
 
 ## Status
 
-Accepted
+Superseded by gitleaks consolidation
+
+**Note:** detect-secrets was removed in favour of consolidating on gitleaks as the single secret scanning tool across the project. This simplifies the security tool stack and aligns with the organisational preference for gitleaks standardisation.
 
 ## Context
 

lefthook.yml

@@ -29,5 +29,3 @@ pre-push:
       run: npm run format:check
     gitleaks:
       run: gitleaks protect --staged --redact
-    trufflehog:
-      run: trufflehog git file://. --only-verified