Gitleaks Pack
V3 deterministic local secret-scan capability pack. By-value connector composition (service_kind=cli, no separate ingredient): one local gitleaks CLI ingredient exposes bounded project operations for readiness and redacted filesystem secret scans. The local gitleaks CLI scans one source path as ordinary files and writes a redacted JSON report via the security.scan_secrets catalog operation. Bundles a manual scan recipe and a scheduled project secret-scan workflow so users can turn trusted folders into recurring local security checks. Fixed-function and reproducible: filesystem dir scan mode only, no generic git command, no history log options, no caller-supplied config/baseline path, and no arbitrary flags. The executor materializes CAS file refs when present and owns the throwaway output directory, while gitleaks writes a fixed gitleaks.json report captured as result.file_ref. Requires gitleaks on PATH (Debian/Ubuntu: apt install gitleaks). Local and no-egress.
What this pack installs
- Scan file secrets with Gitleaks Recipe
- Watch project secrets with Gitleaks Recipe
- gitleaks Ingredient
Trust & control
What installing this whole pack would let it do. Recued grants these permissions at install — review them there before approving.