---

# gitleaks
gitleaks:
  stage: "gitleaks"
  image:
    name: "ghcr.io/gitleaks/gitleaks:latest"
  rules:

    # run only on push to default branch
    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
    - when: "never"

  # start linting
  script:
    - "gitleaks detect --source . --verbose --redact"