
fix(ci): use gitleaks dir mode so pre-commit catches secrets in CI#1556

Merged
pstjohn merged 2 commits into NVIDIA:main from svc-bionemo:fix/gitleaks-precommit-dir-mode
Apr 20, 2026

Conversation

@svc-bionemo
Collaborator

Problem

The gitleaks pre-commit hook is silently passing in CI, even when secrets are present. See #1551 which includes a hardcoded WANDB_API_KEY that gitleaks did not flag.

Root cause: The default gitleaks hook entry is:

gitleaks git --pre-commit --redact --staged --verbose

This scans staged git changes — it works during an actual git commit. But in CI, static_checks.sh runs:

pre-commit run --all-files

With --all-files, there are no staged files and no commit context, so gitleaks scans 0 commits and reports "no leaks found":

7:02PM INF 0 commits scanned.
7:02PM INF scanned ~0 bytes (0) in 28.9ms
7:02PM INF no leaks found

Fix

Override the hook entry to use gitleaks dir --redact --verbose, which scans file contents directly. This works correctly both:

  • Locally during git commit (pre-commit hook)
  • In CI with pre-commit run --all-files

Testing

After this change, running pre-commit run gitleaks --all-files on the repo will scan actual file contents instead of scanning 0 commits.

The default gitleaks pre-commit hook entry uses `gitleaks git --pre-commit
--staged`, which scans staged git changes. In CI, `pre-commit run
--all-files` has no staged files, so gitleaks scans 0 commits and always
passes — even when secrets are present in the codebase.

Switch to `gitleaks dir --redact --verbose` which scans actual file
contents. This works correctly both during local `git commit` hooks and
in CI with `--all-files`.

Signed-off-by: svc-bionemo <267129667+svc-bionemo@users.noreply.github.com>
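The override described in the PR, written out as an added example of a `.pre-commit-config.yaml` entry. This is not the repository's own config: the `rev` tag and the explicit `pass_filenames` key are assumptions; the repo URL and the `gitleaks` hook id are the ones the gitleaks project publishes, and the two `entry` lines are the default quoted above and the replacement the PR introduces.

```yaml
# .pre-commit-config.yaml (added example, not NVIDIA/bionemo's actual file)
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.24.0          # assumption: pin to whichever gitleaks tag the project uses
    hooks:
      - id: gitleaks
        # Upstream default entry (scans only staged changes, so it scans
        # 0 commits under `pre-commit run --all-files` and always passes):
        #   entry: gitleaks git --pre-commit --redact --staged --verbose
        #
        # Override: scan the working-tree contents directly. `dir` takes a
        # single optional path and defaults to the current directory, so the
        # hook runs the same way during `git commit` and in CI.
        entry: gitleaks dir --redact --verbose
        # Keep pre-commit from appending the list of changed files as extra
        # positional arguments; `gitleaks dir` expects at most one path.
        pass_filenames: false
```

To confirm the change took effect, run `pre-commit run gitleaks --all-files` and check that the log reports a non-zero byte count and file scan rather than `0 commits scanned`. Two caveats for anyone adopting the same override: `dir` mode reads every file under the tree, including unstaged and untracked ones, so a secret sitting in an uncommitted file will also block a commit (use a `.gitleaksignore` or the allowlist in `.gitleaks.toml` for intentional fixtures), and it does not walk git history, so a leak that was committed and later deleted still needs a separate `gitleaks git` scan of the log.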
@coderabbitai
Contributor

coderabbitai Bot commented Apr 20, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 7e6515ed-9405-4f41-abc9-b60a04d71fb6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Signed-off-by: Peter St. John <pstjohn@nvidia.com>
@pstjohn pstjohn enabled auto-merge April 20, 2026 19:24
@pstjohn pstjohn added this pull request to the merge queue Apr 20, 2026
Merged via the queue into NVIDIA:main with commit 191c7dc Apr 20, 2026
17 checks passed
