From 86b8268c5e443b2d34b7b62c3103e465e2a05e5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82?=
Date: Tue, 10 Mar 2026 00:50:49 +0100
Subject: [PATCH] feat: add secrets scanning workflow
---
 .github/workflows/loopme-secrets-scan.yml | 29 +++++++++++++++++++++++
 .gitleaks.toml | 13 ++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 .github/workflows/loopme-secrets-scan.yml
 create mode 100644 .gitleaks.toml
diff --git a/.github/workflows/loopme-secrets-scan.yml b/.github/workflows/loopme-secrets-scan.yml
new file mode 100644
index 0000000..e7aae58
--- /dev/null
+++ b/.github/workflows/loopme-secrets-scan.yml
@@ -0,0 +1,29 @@
+# ============================================================
+# Secrets Scan — managed by loopme/secrets
+# DO NOT edit scanning logic here. To update rules or
+# add exclusions, see: https://github.com/loopme/secrets/blob/main/docs/adding-exclusions.md
+# ============================================================
+name: Loopme Secrets Scanning
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - master
+ - develop
+ workflow_dispatch:
+
+jobs:
+ scan:
+ uses: loopme/secrets/.github/workflows/loopme-secrets-scan.yml@main
+ secrets:
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+ SECRETS_SCAN_APP_ID_GITHUB: ${{ secrets.SECRETS_SCAN_APP_ID_GITHUB }}
+ SECRETS_SCAN_APP_PRIVATE_KEY_GITHUB: ${{ secrets.SECRETS_SCAN_APP_PRIVATE_KEY_GITHUB }}
+ # Optional inputs — uncomment to customise:
+ # with:
+ # config-file: .gitleaks.toml # path to repo-local config (default: .gitleaks.toml)
+ # notify-user-list: "@user1,@user2" # GitHub users to @-mention in PR comments
+ # extra-arguments: "--verbose" # any extra gitleaks flags
+ # enable-comments: true # set to false to suppress inline PR comments (check still fails)
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..ada2bf5
--- /dev/null
+++ b/.gitleaks.toml
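Review bot: The reusable workflow on the `uses:` line is pinned to the mutable `@main` ref while the job forwards `GITLEAKS_LICENSE` and the scanning app's private key to it, so whoever can push to that branch of loopme/secrets decides what code runs with those secrets in every consuming repository. Pin the call to a release tag or, better, a full commit SHA and bump it deliberately: `uses: loopme/secrets/.github/workflows/loopme-secrets-scan.yml@<pinned-sha-or-tag>`. The header comment tells maintainers not to change scanning logic here, so the ref is the only local control over what the forwarded secrets reach. Separately, the caller declares no `permissions:` block; the trailing comments say the called workflow posts inline PR comments, which presumably needs `pull-requests: write`, so the effective token scope is whatever the repository default happens to be — declaring it explicitly at the job level (e.g. `contents: read` plus `pull-requests: write`) would make that visible. On `pull_request` runs from forks the forwarded secrets will not be populated, so the check's behaviour for external contributors is worth confirming and documenting in the header.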
@@ -0,0 +1,13 @@
+# Default repository-local gitleaks configuration.
+# This file is used automatically when a repo has no .gitleaks.toml.
+# Copy it to your repo root as .gitleaks.toml and add your exclusions.
+# See: https://github.com/loopme/secrets/blob/main/docs/adding-exclusions.md
+
+# Use all built-in gitleaks default rules
+[extend]
+ useDefault = true
+
+[allowlist]
+ description = "global allowlist"
+ regexes = []
+ paths = []
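Review bot: The header comment describes this file as the fallback used "when a repo has no .gitleaks.toml" and tells the reader to "Copy it to your repo root as .gitleaks.toml", but this commit adds it at the repo root under exactly that name, so the first three comment lines are template wording that reads wrong in place. Replace them with something like `# Repository-local gitleaks configuration; extends the built-in default rules.` / `# Add repo-specific exclusions under [allowlist] below.` and keep the `See:` link. When entries are later added to `paths` or `regexes`, keep them anchored and as narrow as possible, since a broad allowlist pattern silences every match it touches rather than the one intended exclusion.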