refactor(ci): extract secrets detection into dedicated shell script

Artem-Zahumonnyi · Artem-Zahumonnyi · commit b55416fc1c9c · 2026-03-31T16:00:31.000+03:00
diff --git a/package.json b/package.json
@@ -40,7 +40,7 @@
     "commitlint": "commitlint --edit",
     "commitlint:last": "commitlint --from HEAD~1 --to HEAD --verbose",
     "validate:secrets": "node scripts/validate-secrets.js",
-    "license-check": "sh scripts/secrets-check.sh",
+    "license-check": "node scripts/license-check.js",
     "ci": "npm run license-check && npm run lint && npm run build && npm run test:unit && npm run test:integration",
     "ci:full": "npm run commitlint:last && npm run ci",
     "prepare": "husky",
diff --git a/scripts/secrets-check.sh b/scripts/secrets-check.sh
diff --git a/scripts/validate-secrets.js b/scripts/validate-secrets.js
@@ -1,54 +1,107 @@
 #!/usr/bin/env node
 /**
- * Cross-platform secrets detection using Gitleaks
- * Works on Windows, macOS, and Linux
+ * Cross-platform secrets detection using Gitleaks.
+ * Supports Docker and Podman (including Colima, OrbStack, Podman Machine).
+ * Works on Windows, macOS, and Linux.
  *
- * This script runs Gitleaks in a Docker container for local validation.
- * CI uses the official gitleaks-action@v2 for better GitHub integration.
- * Both share the same .gitleaks.toml configuration.
+ * Usage:
+ *   node scripts/validate-secrets.js    # scan working directory
  */
 
-import { spawn } from 'child_process';
-import { platform } from 'os';
-import { resolve } from 'path';
-import { existsSync } from 'fs';
+import { spawn, execSync } from 'child_process'
+import { existsSync } from 'fs'
+import { platform } from 'os'
+import { resolve } from 'path'
 
-const isWindows = platform() === 'win32';
-const projectPath = resolve(process.cwd());
+const GITLEAKS_IMAGE = 'ghcr.io/gitleaks/gitleaks:v8.30.1'
+const isWindows = platform() === 'win32'
+const projectPath = resolve(process.cwd())
+const configPath = resolve(projectPath, '.gitleaks.toml')
+const hasConfig = existsSync(configPath)
 
-// Check if .gitleaks.toml exists
-const configPath = resolve(projectPath, '.gitleaks.toml');
-const hasConfig = existsSync(configPath);
+function commandExists(cmd) {
+  try {
+    execSync(isWindows ? `where ${cmd}` : `which ${cmd}`, { stdio: 'ignore' })
+    return true
+  } catch {
+    return false
+  }
+}
+
+function daemonRunning(engine) {
+  try {
+    execSync(`${engine} info`, { stdio: 'ignore' })
+    return true
+  } catch {
+    return false
+  }
+}
+
+function detectEngine() {
+  for (const engine of ['docker', 'podman']) {
+    if (commandExists(engine)) return engine
+  }
+  return null
+}
+
+function hintForStoppedDaemon(engine) {
+  if (engine === 'docker') {
+    if (commandExists('colima')) return "Run 'colima start' to enable secrets detection locally"
+    if (commandExists('orbstack')) return 'Start OrbStack to enable secrets detection locally'
+  }
+  if (engine === 'podman') {
+    return "Run 'podman machine start' to enable secrets detection locally"
+  }
+  return 'Start your container engine to enable secrets detection locally'
+}
+
+const engine = detectEngine()
+
+if (!engine) {
+  console.log('No container engine found (docker/podman) - skipping secrets detection')
+  console.log('Install Docker or Podman to enable local secrets scanning')
+  process.exit(1)
+}
+
+if (!daemonRunning(engine)) {
+  const engineLabel = engine.charAt(0).toUpperCase() + engine.slice(1)
+  console.error(`${engineLabel} daemon is not running`)
+  console.error(hintForStoppedDaemon(engine))
+  process.exit(1)
+}
 
 const args = [
   'run',
   '--rm',
   '-v',
-  `${projectPath}:/path`,
-  'ghcr.io/gitleaks/gitleaks:v8.30.1',
-  'detect',
-  '--source=/path',
+  `${projectPath}:/workspace`,
+  GITLEAKS_IMAGE,
+  'dir',
+  '--no-banner',
   '--verbose',
-  '--no-git'
-];
+]
 
-// Add config file if it exists
 if (hasConfig) {
-  args.push('--config=/path/.gitleaks.toml');
+  args.push('--config=/workspace/.gitleaks.toml')
 }
 
-console.log('Running Gitleaks secrets detection...');
+args.push('/workspace')
+
+console.log('Checking for secrets with Gitleaks...')
 
-const gitleaks = spawn('docker', args, {
+const gitleaks = spawn(engine, args, {
   stdio: 'inherit',
-  shell: isWindows
-});
+  shell: isWindows,
+})
 
 gitleaks.on('close', (code) => {
-  process.exit(code);
-});
+  if (code !== 0) {
+    console.error('Secrets detected! Please remove sensitive data before committing.')
+  }
+  process.exit(code)
+})
 
 gitleaks.on('error', (err) => {
-  console.error('Failed to run Gitleaks:', err.message);
-  process.exit(1);
-});
+  console.error(`Failed to run Gitleaks via ${engine}:`, err.message)
+  process.exit(1)
+})
