From 084881b29852d4d409b43f0194014b442b621e5d Mon Sep 17 00:00:00 2001 From: Joakim Persson Date: Thu, 9 Apr 2026 19:12:27 +0200 Subject: [PATCH] Add gitleaks pre-commit hook and bump opencode to 1.4.2 --- .gitleaks.toml | 18 ++++++++++++++++++ Dockerfile | 2 +- README.md | 45 ++++++++++++++++++++++++++++++++++++++++++++- setup-hooks.sh | 38 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 101 insertions(+), 2 deletions(-) create mode 100644 .gitleaks.toml create mode 100755 setup-hooks.sh diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 0000000..b323ee7 --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,18 @@ +# .gitleaks.toml +# Secret detection config — extends gitleaks default rules + +title = "opencode-devbox" + +[extend] +useDefault = true + +# Global allowlist — safe files that may contain example keys/patterns +[[allowlists]] +description = "Allow example and template files" +paths = [ + '''\.env\.example$''', + '''\.env\.sample$''', + '''\.env\.template$''', + '''README\.md$''', + '''docs/.*\.md$''', +] diff --git a/Dockerfile b/Dockerfile index 043fc90..5b7797f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ ARG DEBIAN_VERSION=bookworm-slim FROM debian:${DEBIAN_VERSION} AS base ARG TARGETARCH -ARG OPENCODE_VERSION=1.4.0 +ARG OPENCODE_VERSION=1.4.2 LABEL maintainer="joakimp" LABEL description="Portable opencode developer container" diff --git a/README.md b/README.md index 03f8a31..751056c 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,10 @@ cd opencode-devbox cp .env.example .env # Edit .env with your provider, API key, workspace path, git config +# Install git hooks (secret scanning) +brew install gitleaks # one-time +./setup-hooks.sh + # Build and run docker compose run --rm devbox ``` 
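Review bot: The `paths` allowlist in the new `.gitleaks.toml` exempts `README\.md$` and `docs/.*\.md$` entirely, so a live credential pasted into the README or any docs page is never reported, and because the patterns are not anchored at the start they also match files such as `vendor/x/README.md`. The `.env.example`/`.env.sample`/`.env.template` entries are reasonable since those files exist to hold placeholders, but for documentation it is safer to keep the files in scope and allowlist the specific placeholder values instead, e.g. `regexes = ['''EXAMPLE_KEY_[A-Z0-9]+''']` (a constructed sample — use the fake values the docs actually contain). Whatever is kept, a comment above the table such as `# NOTE: paths listed here are never scanned — do not put real values in them` would make the trade-off visible to the next maintainer. I also believe the top-level `[[allowlists]]` array form is only honoured by recent gitleaks releases (older ones read a singular `[allowlist]` table), so the README install step may want to state a minimum version — worth confirming against the gitleaks version collaborators actually get from `brew install`.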
@@ -105,12 +109,26 @@ volumes: - ./my-opencode.json:/home/developer/.config/opencode/opencode.json:ro ``` +### Rebuilding the Image + +`docker compose run` and `docker compose up` use the existing image — they **do not rebuild** when you change the Dockerfile or build args (e.g. updating `OPENCODE_VERSION`). Rebuild explicitly: + +```bash +# Rebuild then run +docker compose build +docker compose run --rm devbox + +# Or rebuild and run in one step +docker compose run --rm --build devbox +``` + ### Build Args -Enable optional language runtimes: +Enable optional language runtimes or pin a specific opencode version: ```bash docker compose build --build-arg INSTALL_PYTHON=true --build-arg INSTALL_GO=true +docker compose build --build-arg OPENCODE_VERSION=1.5.0 ``` | Arg | Default | Description | @@ -137,6 +155,31 @@ The `--use-device-code` flag outputs a URL and short code instead of trying to o SSO sessions typically last 8–12 hours before requiring re-authentication. +## Secret Scanning + +A [gitleaks](https://github.com/gitleaks/gitleaks) pre-commit hook prevents accidentally committing API keys, passwords, or other secrets. + +### Setup + +```bash +brew install gitleaks # one-time install +./setup-hooks.sh # installs the pre-commit hook +``` + +The hook runs automatically on every `git commit`. If gitleaks isn't installed, the hook prints a warning and allows the commit (no hard dependency on collaborators). + +### Bypass + +For legitimate cases (test data, documentation with example keys): + +```bash +git commit --no-verify -m "Add test fixtures" +``` + +### Configuration + +Allowlisted paths and rules are in `.gitleaks.toml`. The defaults extend gitleaks' built-in rules and allow `.env.example` and documentation files. + ## Architecture ``` diff --git a/setup-hooks.sh b/setup-hooks.sh new file mode 100755 index 0000000..1cc5a2c --- /dev/null +++ b/setup-hooks.sh 
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Install git hooks for this project
+set -e
+
+HOOK_DIR="$(git rev-parse --show-toplevel)/.git/hooks"
+mkdir -p "$HOOK_DIR"
+
+# --- pre-commit hook: secret scanning with gitleaks ---
+cat > "$HOOK_DIR/pre-commit" << 'HOOK'
+#!/bin/bash
+# Pre-commit hook — scans staged files for secrets using gitleaks
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+ echo ""
+ echo "⚠️ gitleaks is not installed — skipping secret scan"
+ echo " Install: brew install gitleaks"
+ echo ""
+ exit 0
+fi
+
+echo "🔒 Scanning for secrets..."
+
+if gitleaks protect --staged --no-banner 2>/dev/null; then
+ echo "✅ No secrets detected"
+ exit 0
+else
+ echo ""
+ echo "❌ Secrets detected in staged changes — commit blocked"
+ echo ""
+ echo " Details: gitleaks protect --staged --verbose"
+ echo " Bypass: git commit --no-verify"
+ echo ""
+ exit 1
+fi
+HOOK
+
+chmod +x "$HOOK_DIR/pre-commit"
+echo "✅ Pre-commit hook installed (.git/hooks/pre-commit)"
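Review bot: `cat > "$HOOK_DIR/pre-commit"` silently replaces any pre-commit hook a collaborator already has, and `HOOK_DIR` is hard-coded to `<toplevel>/.git/hooks`, which is wrong in a linked worktree or submodule (where `.git` is a file rather than a directory) and ignores `core.hooksPath`; `git rev-parse --git-path hooks` returns the directory git will actually consult. Inside the generated hook, `2>/dev/null` on the gitleaks call discards gitleaks' own diagnostics, so a parse error in `.gitleaks.toml` or an unrecognised flag yields a non-zero exit that the hook reports as "Secrets detected in staged changes" with no way to tell the two apart — drop the redirect (gitleaks logs its summary to stderr) or at least branch on the exit status. Separately, I believe `gitleaks protect` has been deprecated in recent releases in favour of `gitleaks git --pre-commit --staged`; worth checking against the version the README tells people to install. The fail-open path when gitleaks is absent is documented in the README, but the hook's header comment should say so once (`# NOTE: fail-open by design when gitleaks is absent — see README "Secret Scanning"`) so nobody mistakes the warning for a bug. The excerpt below covers the hook-dir lookup, the overwrite guard and the scan line; the rest of the script is unchanged.
```shell
HOOK_DIR="$(git rev-parse --git-path hooks)"   # honours core.hooksPath and linked worktrees
mkdir -p "$HOOK_DIR"

# Refuse to clobber a hook this script did not write.
if [ -e "$HOOK_DIR/pre-commit" ] && ! grep -q gitleaks "$HOOK_DIR/pre-commit"; then
  echo "Refusing to overwrite existing $HOOK_DIR/pre-commit — move it aside first" >&2
  exit 1
fi

# … unchanged: heredoc header and the "gitleaks not installed" branch …
if gitleaks protect --staged --no-banner; then
# … unchanged: result reporting, HOOK terminator, chmod …
```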