Report security issues privately to the repository owner instead of opening a public issue.
This repo enforces secret scanning in two places:

- Local hooks: `npm run hooks:install` installs a pre-commit hook that runs gitleaks on staged changes.
- CI: `.github/workflows/security-gitleaks.yml` runs gitleaks on pull requests and on pushes to `main`.

Run a full local scan with:

```sh
npm run security:gitleaks
```

Run the staged-only scan with:

```sh
npm run security:gitleaks:staged
```

The scan is configured by `.gitleaks.toml`. Only deterministic fixtures and generated test output should be allowlisted; real secrets, Rails credentials, `.env` files, API tokens, private keys, and machine-local paths must not be committed.
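The following is an added illustration of what a narrow allowlist that follows the policy above looks like; it is not this repository's actual `.gitleaks.toml`, and the fixture directories and the fake token pattern are assumed. It uses the gitleaks v8 configuration schema (`[extend]` and `[allowlist]`); the point is that exceptions are anchored to specific fixture paths or known-fake values rather than to anything that could match a real credential.

```toml
title = "illustrative gitleaks config (not the repository's own)"

[extend]
# Keep the built-in detection rules; this file only adds exceptions on top of them.
useDefault = true

[allowlist]
description = "Deterministic fixtures and generated test output only"

# Anchored path patterns. Each one names a directory of checked-in test data
# (assumed paths), so a secret that lands elsewhere is still reported.
paths = [
  '''^test/fixtures/.*\.(rb|erb|txt)$''',
  '''^test/generated/.*\.out$''',
]

# Allowlist a value only when it is a known fake. The prefix makes the pattern
# unable to match a real token shape.
regexes = [
  '''EXAMPLE_FIXTURE_TOKEN_[0-9a-f]{8}''',
]

# Patterns to avoid: anything as wide as '''\.env''' or '''config/credentials'''
# would silently hide exactly the files the policy says must never be committed.
```

Review any change to the allowlist the same way as a code change: an allowlist entry is a permanent blind spot for both the pre-commit hook and CI, so it should point at a concrete fixture path or fake value and nothing broader.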
Ruby/Rails escape hatches such as raw `__ruby__`, raw ERB, raw SQL, unchecked template paths, and dynamic adoption output are treated as security-sensitive compiler surfaces. Prefer typed externs, checked filesystem contracts, HHX, typed field refs, and generator-owned artifacts. See `docs/railshx-escape-hatch-security-audit.md` and `docs/railshx-sql-string-policy.md`.