Feature Request: Support for gitleaks (or trufflehog)

[danielsparing]

The tools gitleaks and trufflehog can catch secret keys before they're checked in in git, but they don't get triggered by secrets in notebooks.

Theoretically it would be a perfect fit for nbQA to also run (one of) these tools, once the notebooks are already converted to py files.

The only issue I can expect is that you don't install gitleaks with pip but would typically use with a container.

Related issue on the gitleaks-side, missing notebook support: gitleaks/gitleaks#914

[MarcoGorelli]

hi - sure, open to this if someone submits a pr and it's simple and easy to understand

[danielsparing]

I almost made it work:

• install gitleaks on your system (such as brew install gitleaks on macOS)
• Then I can successfully run:

% nbqa --nbqa-shell "gitleaks dir" test_with_secret.ipynb                      

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

2:49PM INF scanned ~268 bytes (268 bytes) in 2.94ms
2:49PM WRN leaks found: 1

However, note that gitleaks doesn't (properly) accept multiple files as input (tracked in gitleaks/gitleaks#1727 ), so the following examples will scan much more than just the listed notebooks (and might run for a very long time in a complex repo)

gitleaks dir test_with_secret.ipynb test_with_secret2.ipynb
# scans all of "."

nbqa --nbqa-shell "gitleaks dir" test_with_secret.ipynb test_with_secret2.ipynb
# scans all of "."

So, this means, that the below two pre-commits almost work, but:

• the first one only works (as intended) if there's only one notebook in staged
• the second one only works (as intended) if there's only one notebook in the whole repo

  - repo: https://github.com/nbQA-dev/nbQA
    rev: 1.9.1
    hooks:
      - id: nbqa
        name: nbqa gitleaks
        entry: nbqa "gitleaks dir"
        args: ["--nbqa-shell"]
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.26.0
    hooks:
      - id: gitleaks
        entry: nbqa --nbqa-shell "gitleaks dir"
        language: golang

So probably this will be a good approach once the PR linked to the above issue get merged.