v1.3.2 Release Notes¶

Release Date: February 2, 2026

Highlights¶

• 🔐 detect-secrets Pre-Commit Hook - Automatic credential leak prevention via Yelp/detect-secrets v1.4.0
• 🛡️ 40+ New .gitignore Patterns - Blocks tokens, vault files, CI/CD artifacts, and environment configs
• 📝 Documentation Security Fixes - Redacted sensitive paths and removed broken license examples

New Features¶

detect-secrets Pre-Commit Hook¶

A new pre-commit hook powered by Yelp/detect-secrets v1.4.0 scans every staged file for potential secrets before a commit is allowed. A baseline file (.secrets.baseline) tracks known false positives so legitimate tokens in tests and documentation do not cause repeated alerts.

Setup (if not already installed):

pip install detect-secrets
detect-secrets scan > .secrets.baseline

The hook is configured automatically via .pre-commit-config.yaml.

.gitignore Security Sections¶

40+ new patterns were added across six categories:

Changes¶

Security Hardening¶

These .gitignore additions are defence-in-depth: even if a developer accidentally stages a secrets file, both .gitignore and the detect-secrets hook will flag it before it reaches the remote repository.

Bug Fixes¶

• Redacted JWT paths — docs/GITHUB_SECRETS.md no longer contains exact file paths to vault keys or license JWTs.
• Removed broken license examples — Documentation previously referenced example JWTs that no longer existed. These sections now point to the licensing team.

Breaking Changes¶

None. v1.3.2 is fully backward compatible with v1.3.1.

Upgrade Guide¶

From v1.3.1¶

pip install --upgrade codescalpel

If you use pre-commit, pull the updated .pre-commit-config.yaml and generate your baseline:

detect-secrets scan > .secrets.baseline
git add .secrets.baseline

Known Issues¶

• Inherited from v1.3.0: path suggestions may be slow on very large workspaces (>10,000 files)

Full Changelog¶

See the detailed changelog for all changes.