chore: add gitguardian precommit checks

.gitignore

@@ -12,3 +12,4 @@ coverage
 .dccache
 .idea
 .pgdata
+.cache_ggshield

README.md

@@ -80,6 +80,13 @@ Because redirects are served directly from the backend, shortlinks can be access
 but that is really being proxied to `localhost:8080/shortlink`. One-time passwords for all log-in attempts on localhost
 are obtained using [maildev](https://github.com/maildev/maildev) and accessed via `http://localhost:1080/`.
 
+### Setting up secrets detection (optional)
+
+For more safety, you may enable secrets detection on pre-commit using GitGuardian.
+
+To set it up, install `ggshield` locally following the [official installation guide](https://github.com/GitGuardian/ggshield#installation).
+Create a personal GitGuardian account, generate an access token key with scanning permissions, then set `GITGUARDIAN_API_KEY` to this key inside a `.env` file in the root folder.
+
 ### Setting up the infrastructure
 
 Much of this step will involve setting up key infrastructure components since we do not have docker-compose

secrets-check.sh

@@ -16,5 +16,27 @@ if [ "$KEY_ID" != "" -a "$KEY_ID" != "," -a "$KEY" != "" ]; then
     exit 1
 fi
 
+gitguardian_secrets_check() {
+  if !(command -v ggshield &> /dev/null); then
+    echo "Skipping GitGuardian check for secrets as ggshield is not installed."
+    return 0
+  fi
+
+  [ -e .env ] && export $(cat .env | xargs)
+  if [ -z "${GITGUARDIAN_API_KEY}" ]; then
+    echo "Skipping GitGuardian check for secrets as GitGuardian API key is not configured."
+    return 0
+  fi
+
+  ggshield secret scan pre-commit
+}
+
+# Check changed files for secrets using GitGuardian
+gitguardian_secrets_check
+exit_status=$?
+if [ $exit_status -ne 0 ]; then
+  exit $exit_status
+fi
+
 # Normal exit
 exit 0