Add secret scanning and credential leak detection in CI/CD pipeline

[Smartdevs17]

Context

Credentials (API keys, database passwords, Stellar secret keys) have been committed to git repositories in the past. No automated detection exists to prevent future leaks.

Current Limitation/Problem

No pre-commit or CI secret scanning. Leaked credentials remain in git history indefinitely and are only discovered post-breach.

Expected Outcome

GitLeaks-based secret scanning in pre-commit hook and CI pipeline, with custom regex patterns for Stellar keys, API keys, and JWTs. Automatic alerting and revocation on detection.

Acceptance Criteria

• GitLeaks configuration (.gitleaks.toml) with custom rules for Stellar secret keys (S...), API keys (sk_live_, sk_test_), JWTs, private keys (BEGIN RSA, BEGIN EC)
• Pre-commit hook: scan staged files with GitLeaks, block commit if secret detected
• CI step: full git history scan on push to main and release branches
• Baselines file: known false positives committed to repo and excluded from scan
• Alert: Slack webhook notification to security team on detection
• Automated revocation: if Stellar secret key detected, trigger key rotation via Stellar API
• Remediation guide: auto-comment on PR with steps to remove secret from git history
• Edge case: binary files scanned with entropy detection (>4.5 bits/byte)

Technical Scope

• .gitleaks.toml - GitLeaks configuration with custom rules
• .pre-commit-config.yaml - pre-commit hook configuration
• .github/workflows/secret-scan.yml - CI secret scanning workflow
• scripts/revoke-stellar-key.sh - automated key revocation script
• docs/SECURITY.md - credential management best practices guide

[AYOMI-cmd]

@AYOMI-cmd has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Can i work on this issue please?

ℹ️ Repo Maintainers: To accept this application, review their application or assign @AYOMI-cmd to this issue.

[drips-wave]

Congratulations, @AYOMI-cmd! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @AYOMI-cmd: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been marked as completed by a Drips Wave moderator for @AYOMI-cmd as part of the Stellar Wave Program's 6th Wave 🥳

Moderator's reason: [Auto-assessed] The PR provides a comprehensive implementation of the requested security features, including GitLeaks configuration, pre-commit hooks, CI workflows, and a Stellar key revocation script. The work directly addresses all acceptance criteria with no maintainer objections recorded.

😎 @AYOMI-cmd: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.

ℹ️ Note: This issue was marked complete via moderation. Points were issued even though the GitHub issue remains open.