Copy secrets scanner check to other repos #139

@vredchenko

Description

smartem-decisions is not the only repo with secrets: instrument the other repos with secret scanning, and look into which tool would work best.

Evaluate replacing detect-secrets with gitleaks

Context

Currently using detect-secrets with a comprehensive baseline workflow in smartem-decisions. Consider whether gitleaks would be a better fit.

Comparison

Aspect                  | detect-secrets (current)        | gitleaks
------------------------+---------------------------------+----------------------------
Workflow complexity     | ~150 lines                      | ~15 lines
Git history scanning    | Limited (workflow admits this)  | Native, comprehensive
Speed                   | Slower (Python, pip install)    | Fast (Go binary)
SARIF output            | No                              | Yes (GitHub Security tab)
Baseline workflow       | Yes - tracks known secrets      | Via .gitleaksignore
Auto-maintenance PR     | Yes (nice feature)              | Would need custom workflow
Unaudited secrets check | Yes - forces review             | No equivalent

Arguments for Keeping detect-secrets

  • Already working - migration has cost
  • Baseline workflow good if legacy secrets exist that can't be removed
  • Auto-maintenance PR is useful for team workflows
  • Unaudited check forces human review of each finding

Arguments for Switching to gitleaks

  • Dramatically simpler (less code to maintain)
  • Better git history scanning (current workflow literally says "consider gitleaks")
  • Faster CI runs
  • Native GitHub Security tab integration
  • Consistency across repos (ching-ching uses gitleaks)

Decision Criteria

Keep detect-secrets if:

  • Multiple contributors benefit from review ceremony
  • Have actual secrets in history that can't be removed
  • Auto-PR maintenance feature is actively useful

Switch to gitleaks if:

  • Small team / solo development
  • Baseline audits are rubber-stamped anyway
  • Want consistency across repos
  • Prefer simpler maintenance

Tasks

  • Audit whether baseline workflow is providing real value
  • Check if any secrets in history require baseline approach
  • If switching: create gitleaks workflow + .gitleaks.toml
  • If switching: remove .secrets.baseline and detect-secrets workflow
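
The last two tasks (carry the baseline's audit decisions into a .gitleaksignore, then drop .secrets.baseline) can be scripted. The following is an added example, not code from smartem-decisions or from either tool's project. It assumes the detect-secrets 1.x baseline layout (a "results" map of filename to findings, each with hashed_secret = sha1 of the secret and an optional is_secret audit flag) and the gitleaks 8.x JSON report layout (Secret and Fingerprint fields, produced by `gitleaks detect --report-format json --report-path gitleaks.json` without --redact). The baseline, the report, the commit hashes and the secret values below are all constructed placeholders.

```python
"""Carry detect-secrets audit verdicts over to a gitleaks .gitleaksignore.

detect-secrets stores sha1(secret) for every finding in .secrets.baseline and,
after an audit, an is_secret flag (False = reviewed false positive, True = real
secret, absent = never audited). A gitleaks JSON report carries the plaintext
Secret and a Fingerprint. Joining the two on the hash sends already-reviewed
false positives straight into .gitleaksignore, while real, unaudited and
brand-new findings are listed for a human instead of being suppressed.
"""
from __future__ import annotations

import hashlib
import json


def sha1_hex(secret: str) -> str:
    """Same digest detect-secrets records as hashed_secret."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


# Constructed sample .secrets.baseline (detect-secrets 1.x layout, trimmed to the
# fields this script reads). Secret values are placeholders, not real credentials.
SAMPLE_BASELINE = json.dumps({
    "version": "1.5.0",
    "results": {
        "config/settings.py": [
            {"type": "Secret Keyword", "filename": "config/settings.py",
             "hashed_secret": sha1_hex("example-placeholder-not-a-key"),
             "is_verified": False, "line_number": 12, "is_secret": False},
            {"type": "Secret Keyword", "filename": "config/settings.py",
             "hashed_secret": sha1_hex("hunter2-prod-password"),
             "is_verified": False, "line_number": 40, "is_secret": True},
        ],
        "tests/fixtures/token.txt": [
            {"type": "Base64 High Entropy String", "filename": "tests/fixtures/token.txt",
             "hashed_secret": sha1_hex("QUJDREVGR0hJSktMTU5PUFFSU1Q="),
             "is_verified": False, "line_number": 1},   # no is_secret: never audited
        ],
    },
})

# Constructed gitleaks JSON report (gitleaks 8.x field names; commit hashes are fake).
SAMPLE_GITLEAKS_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "File": "config/settings.py", "StartLine": 12,
     "Secret": "example-placeholder-not-a-key", "Commit": "0a1b2c3d",
     "Fingerprint": "0a1b2c3d:config/settings.py:generic-api-key:12"},
    {"RuleID": "generic-api-key", "File": "config/settings.py", "StartLine": 40,
     "Secret": "hunter2-prod-password", "Commit": "0a1b2c3d",
     "Fingerprint": "0a1b2c3d:config/settings.py:generic-api-key:40"},
    {"RuleID": "generic-api-key", "File": "tests/fixtures/token.txt", "StartLine": 1,
     "Secret": "QUJDREVGR0hJSktMTU5PUFFSU1Q=", "Commit": "4e5f6a7b",
     "Fingerprint": "4e5f6a7b:tests/fixtures/token.txt:generic-api-key:1"},
    {"RuleID": "aws-access-token", "File": "deploy/.env", "StartLine": 3,
     "Secret": "AKIAEXAMPLEEXAMPLE01", "Commit": "8c9d0e1f",
     "Fingerprint": "8c9d0e1f:deploy/.env:aws-access-token:3"},
])


def index_baseline(baseline_json: str) -> dict[str, bool | None]:
    """Map hashed_secret -> audit verdict (False, True, or None when unaudited)."""
    verdicts: dict[str, bool | None] = {}
    for entries in json.loads(baseline_json)["results"].values():
        for entry in entries:
            verdicts[entry["hashed_secret"]] = entry.get("is_secret")
    return verdicts


def triage(baseline_json: str, report_json: str) -> dict[str, list[str]]:
    """Bucket each gitleaks fingerprint by what the detect-secrets audit said about it."""
    verdicts = index_baseline(baseline_json)
    buckets: dict[str, list[str]] = {"ignore": [], "real_secret": [], "unaudited": [], "new": []}
    for finding in json.loads(report_json):
        verdict = verdicts.get(sha1_hex(finding["Secret"]), "missing")
        fp = finding["Fingerprint"]
        if verdict is False:
            buckets["ignore"].append(fp)          # audited false positive: safe to ignore
        elif verdict is True:
            buckets["real_secret"].append(fp)     # known real secret: rotate and purge, never ignore
        elif verdict is None:
            buckets["unaudited"].append(fp)       # in the baseline but never reviewed
        else:
            buckets["new"].append(fp)             # gitleaks found it, detect-secrets never did
    return buckets


def render_gitleaksignore(buckets: dict[str, list[str]]) -> str:
    """Only audited false positives become .gitleaksignore lines (one fingerprint per line)."""
    return "".join(fp + "\n" for fp in sorted(buckets["ignore"]))


def render_review_list(buckets: dict[str, list[str]]) -> list[str]:
    """Everything that still needs a human, prefixed with the reason."""
    return [f"{reason}: {fp}" for reason in ("real_secret", "unaudited", "new") for fp in buckets[reason]]


if __name__ == "__main__":
    result = triage(SAMPLE_BASELINE, SAMPLE_GITLEAKS_REPORT)
    print(render_gitleaksignore(result), end="")
    for line in render_review_list(result):
        print("REVIEW", line)
```

Two caveats when running this against a real repo. The join only succeeds where both tools extracted the same span of text (detect-secrets hashes the value its plugin isolated, gitleaks' Secret is the rule's capture group), so anything that does not line up falls into the "new" bucket for review rather than being dropped; and gitleaks fingerprints are bound to a commit, so the same false positive reintroduced in a later commit needs its own line. The un-redacted report holds plaintext secrets and should be deleted once the .gitleaksignore is written.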

Labels: admin (Project maintenance, dependency updates, or housekeeping), devops (CI/CD, deployment, infrastructure, or tooling work), security (Security fixes, audits, or vulnerability remediation)