RBC
diff --git a/‎jgit-proxy-core/build.gradle‎
Lines changed: 94 additions & 0 deletions b/‎jgit-proxy-core/build.gradle‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎jgit-proxy-core/src/main/java/org/finos/gitproxy/config/CommitConfig.java‎
Lines changed: 59 additions & 0 deletions b/‎jgit-proxy-core/src/main/java/org/finos/gitproxy/config/CommitConfig.java‎
Lines changed: 59 additions & 0 deletions
@@ -5,6 +5,9 @@ plugins {
 group = 'org.finos.gitproxy'
 version = '0.0.1-SNAPSHOT'
 
+// Gitleaks version bundled into the JAR for hermetic secret scanning
+ext.gitleaksVersion = '8.21.2'
+
 java {
     sourceCompatibility = JavaVersion.VERSION_21
     targetCompatibility = JavaVersion.VERSION_21
@@ -106,3 +109,94 @@ dependencies {
 tasks.named('test') {
     useJUnitPlatform()
 }
+
+// ---------------------------------------------------------------------------
+// Hermetic gitleaks bundling
+// ---------------------------------------------------------------------------
+// Detects the current build platform (OS + arch) at Gradle configuration time
+// and downloads the matching gitleaks binary, storing it as the plain name
+// "gitleaks" under build/generated-resources/gitleaks/ so it is packed into
+// the JAR as the classpath resource "gitleaks/gitleaks".
+//
+// At runtime, GitleaksRunner extracts it to a JVM temp directory (cleaned up
+// on JVM shutdown) and invokes it directly — no host installation required.
+//
+// If the build platform is not recognised (e.g. Windows), the download is
+// skipped and a warning is printed.  In that case set
+// commit.secretScanning.scanner-path in git-proxy-local.yml to point at a
+// locally installed gitleaks binary.
+// ---------------------------------------------------------------------------
+
+// Resource root: files here appear at the root of the classpath in the JAR.
+// The gitleaks binary lands at build/generated-resources/gitleaks
+// and is packed into the JAR as the classpath resource "gitleaks".
+def gitleaksResourceDir = layout.buildDirectory.dir("generated-resources")
+
+sourceSets.main.resources.srcDir(gitleaksResourceDir)
+
+// Detect build-time OS and CPU architecture to select the right gitleaks tarball
+def buildOs   = System.properties['os.name'].toLowerCase()
+def buildArch = System.properties['os.arch'].toLowerCase()
+
+def gitleaksTarSuffix = {
+    String osKey   = buildOs.contains('linux') ? 'linux'
+                   : (buildOs.contains('mac') || buildOs.contains('darwin')) ? 'darwin'
+                   : null
+    String archKey = (buildArch.contains('amd64') || buildArch.contains('x86_64')) ? 'x64'
+                   : (buildArch.contains('aarch64') || buildArch.contains('arm64')) ? 'arm64'
+                   : null
+    (osKey && archKey) ? "${osKey}_${archKey}" : null
+}()
+
+tasks.register('downloadGitleaks') {
+    group = 'build setup'
+    description = "Downloads the gitleaks ${gitleaksVersion} binary for the current build platform."
+
+    // Output: build/generated-resources/gitleaks → JAR classpath: gitleaks
+    def outputFile = gitleaksResourceDir.map { it.file("gitleaks") }
+    outputs.file(outputFile)
+
+    doLast {
+        if (!gitleaksTarSuffix) {
+            logger.warn(
+                "Unsupported build platform (os='${buildOs}', arch='${buildArch}') — " +
+                "skipping bundled gitleaks download. Set commit.secretScanning.scanner-path " +
+                "in git-proxy-local.yml to use a locally installed gitleaks binary.")
+            return
+        }
+
+        def out = outputFile.get().asFile
+        if (out.exists()) {
+            logger.lifecycle("gitleaks ${gitleaksVersion} (${gitleaksTarSuffix}) already bundled, skipping.")
+            return
+        }
+        out.parentFile.mkdirs()
+
+        def tarName = "gitleaks_${gitleaksVersion}_${gitleaksTarSuffix}.tar.gz"
+        def tarUrl  = "https://github.com/gitleaks/gitleaks/releases/download/v${gitleaksVersion}/${tarName}"
+        def tmpDir  = layout.buildDirectory.dir("tmp/gitleaks").get().asFile
+        tmpDir.mkdirs()
+        def tarFile = new File(tmpDir, tarName)
+
+        logger.lifecycle("Downloading gitleaks ${gitleaksVersion} (${gitleaksTarSuffix})...")
+        new URL(tarUrl).withInputStream { is -> tarFile.bytes = is.bytes }
+
+        // Extract just the gitleaks binary; Ant places it as out.parent/gitleaks == out
+        ant.untar(src: tarFile.absolutePath, dest: out.parent, compression: 'gzip') {
+            patternset { include(name: 'gitleaks') }
+        }
+
+        if (!out.exists()) {
+            throw new GradleException("gitleaks binary not found in ${tarName} after extraction")
+        }
+        out.setExecutable(true)
+        logger.lifecycle("Bundled gitleaks at ${out} (${out.length()} bytes)")
+    }
+}
+
+// The JAR always ships with the bundled gitleaks binary (DEFAULT_VERSION).
+// At runtime, GitleaksRunner uses it unless:
+//   - commit.secretScanning.scanner-path is set (explicit override), or
+//   - commit.secretScanning.version is set to a different version and auto-install is true
+//     (downloads and caches the requested version on first use).
+processResources.dependsOn('downloadGitleaks')
@@ -108,6 +108,65 @@ public static class DiffConfig {
         private BlockConfig block = BlockConfig.builder().build();
     }
 
+    /** Configuration for secret scanning via gitleaks. */
+    @Builder.Default
+    private SecretScanningConfig secretScanning = SecretScanningConfig.builder().build();
+
+    /** Configuration for secret scanning via an external scanner (gitleaks). */
+    @Data
+    @Builder
+    public static class SecretScanningConfig {
+
+        /** Enable or disable secret scanning. Disabled by default. */
+        @Builder.Default
+        private boolean enabled = false;
+
+        /**
+         * When {@code true} (the default when scanning is enabled), gitleaks is downloaded automatically on first use
+         * if it cannot be found via {@code scannerPath}, on the system PATH, or bundled in the JAR. The binary is
+         * cached in {@code installDir} across restarts. Set to {@code false} to require an explicit installation.
+         */
+        @Builder.Default
+        private boolean autoInstall = true;
+
+        /**
+         * Directory where gitleaks is cached when auto-installed. Defaults to {@code ~/.cache/jgit-proxy/gitleaks}. The
+         * directory is created automatically if it does not exist.
+         */
+        private String installDir;
+
+        /**
+         * Version of gitleaks to download when auto-installing. Defaults to the version tested with this release of
+         * jgit-proxy. Override to pin a specific version.
+         */
+        private String version;
+
+        /**
+         * Explicit path to a gitleaks binary. Bypasses all other resolution (PATH, JAR, auto-install). Useful for macOS
+         * / Windows developer machines or controlled deployments that manage gitleaks externally.
+         */
+        private String scannerPath;
+
+        /**
+         * Path to a gitleaks TOML configuration file. When {@code null} or blank, gitleaks uses its built-in detection
+         * rules. Set this to layer in org-specific patterns on top of the defaults. Example:
+         *
+         * <pre>
+         * title = "my-org"
+         * [extend]
+         * useDefault = true
+         * [[rules]]
+         * id = "my-org-api-key"
+         * regex = '''MY_ORG_[0-9A-Z]{32}'''
+         * </pre>
+         */
+        private String configFile;
+
+        /** Maximum seconds to wait for the gitleaks process before aborting (fail-open). */
+        @Builder.Default
+        private long timeoutSeconds = 30;
+    }
+
     /**
      * Create a default configuration with no restrictions.
      *