Integrate secretlint to detect and prevent credential leaks

.gitignore

@@ -22,3 +22,6 @@ uv.lock # remove if you want to pin versions.
 
 #secrets
 .env
+
+#other modules
+node_modules/

.pre-commit-config.yaml

@@ -48,3 +48,13 @@ repos:
         types: [python]
         pass_filenames: false # Run full test suite
         stages: [pre-commit] # Only run on pre-commit
+  - repo: local
+    hooks:
+    - id: secretlint
+      name: secretlint
+      entry: npx secretlint --maskSecrets
+      language: node
+      types: [text]
+      files: ^.*\.(py|js|ts|json|yml|yaml|env|txt)$
+      exclude: (^|/)(node_modules|\.git|\.venv|__pycache__)/
+      pass_filenames: true

.secretlintignore

@@ -0,0 +1,5 @@
+# Ignore virtual environments, cache, and dependencies
+.venv/
+__pycache__/
+node_modules/
+.git/

.secretlintrc.json

@@ -0,0 +1,7 @@
+{
+    "rules": [
+        {
+            "id": "@secretlint/secretlint-rule-preset-recommend"
+        }
+    ]
+}

Justfile

@@ -86,6 +86,7 @@ BRANCH_NAME := "test-actions-" + DATE_TIME
     if ! command -v just >/dev/null 2>&1; then echo "just is not installed"; exit 1; fi
     if ! command -v pre-commit >/dev/null 2>&1; then echo "{{YELLOW}}WARNING: pre-commit is not installed{{NC}}"; fi
     if ! command -v taplo >/dev/null 2>&1; then echo "Taplo is not installed"; exit 1; fi
+    if ! npx --no-install secretlint --version >/dev/null 2>&1; then echo "{{YELLOW}}WARNING: secretlint is not installed via npm{{NC}}"; fi
     echo "All required tools are installed"
 
 alias c := check-deps
@@ -147,6 +148,25 @@ alias l := lint
 
 alias tc := typecheck
 
+# Install Secretlint
+[group('install')]
+@install-secretlint:
+	if ! npx --no-install secretlint --version > /dev/null 2>&1; then \
+		echo "{{YELLOW}}Secretlint not found. Installing...{{NC}}"; \
+		npm install secretlint @secretlint/secretlint-rule-preset-recommend --save-dev && \
+		echo "{{GREEN}}Secretlint installed successfully.{{NC}}"; \
+	else \
+		echo "{{GREEN}}Secretlint is already installed.{{NC}}"; \
+	fi
+
+# Run Lint secrets
+[group('dev'), group('pre-commit')]
+@lint-secrets:
+    echo "🔍 Running secretlint... Please wait."
+    npx --yes secretlint "**/*" && echo "✅ Secretlint completed successfully." || (echo "❌ Secretlint found issues!" && exit 1)
+
+alias ls := lint-secrets
+
 # Run tests
 [group('test'), group('dev')]
 @test *options: