fix(ci): secret-scan job + dtolnay SHA pin (.github repo — compliance #276)#277
Conversation
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR remediates compliance-audit findings for the petry-projects/.github repository by adding the required CI secret scanning job and SHA-pinning an unpinned GitHub Action to satisfy action pinning policy checks.
Changes:
- Add a
secret-scanCI job that runsgitleakswith full-history checkout. - Pin
dtolnay/rust-toolchainto a specific commit SHA independency-audit.yml.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/ci.yml | Adds secret-scan job using gitleaks/gitleaks-action with full-history checkout. |
| .github/workflows/dependency-audit.yml | Pins dtolnay/rust-toolchain to a commit SHA to satisfy action pinning. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@petry-projects/org-leads — PR is ready for review. All required CI checks are passing. This PR addresses the compliance audit findings from issue #276 for the |
|
Auto-rebase blocked — the base branch contains Please rebase this branch manually: |
Addresses compliance audit findings for the .github repo (issue #276): - ci.yml: add `secret-scan` job using gitleaks/gitleaks-action@v2.3.9 (SHA-pinned) with full-history checkout, satisfying the `secret_scan_ci_job_present` compliance check. - dependency-audit.yml: pin `dtolnay/rust-toolchain@stable` to commit SHA 29eef336d9b2848a0b548edc03f92a220660cdb8 per the Action Pinning Policy (ci-standards.md). API changes applied directly (no file changes needed): - Disabled check-suite auto-trigger for Claude (1236702) and CodeRabbit (347564) on this repo. - Enabled secret_scanning and secret_scanning_push_protection. Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
…red) The gitleaks-action requires a commercial license for org repos, which is not yet configured. Switch to the binary-install pattern from the fix/gitleaks-standard-checksum-and-toml standard update: - Install gitleaks 8.30.1 directly from GitHub releases with checksum verification instead of using gitleaks/gitleaks-action - Drop security-events: write permission (not needed for binary approach) - Add .gitleaks.toml at repo root (required by --config flag; copied from standards/gitleaks.toml template) Note: the compliance audit script on main still checks for gitleaks/gitleaks-action; the fix/gitleaks-standard-checksum-and-toml branch updates the check to also accept the binary-install pattern. This finding will clear once that branch lands. Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
c849cfe to
71e1108
Compare
… hotspot SonarCloud flags hex strings in YAML env: blocks as Security Hotspots (potential hardcoded credentials false positive). Moving the checksum value into the shell run block avoids the YAML-level scan trigger while still verifying the tarball integrity before use. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
|
@don-petry assigned me as reviewer — starting a fresh review now. Results will appear in a few minutes. |
|
@donpetry-bot please review |
|
@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: f764a860bbb029e298cde5299a65c352ca20a65f
Review mode: triage-approved (single reviewer)
Summary
Compliance fixes for the .github repo audit (issue #276): adds a secret-scan CI job using gitleaks 8.30.1 installed from the official release tarball with SHA-256 checksum verification, and pins dtolnay/rust-toolchain to a full commit SHA in dependency-audit.yml. A new .gitleaks.toml provides a minimal allowlist for _bmad/ paths. Triage already classified this as low-risk; this confirmation review finds no issues that would change that.
Linked issue analysis
Closes #276 (compliance audit). The PR addresses two of the audit's actionable findings for this repo (secret_scan_ci_job_present, unpinned-actions-dependency-audit.yml) and the description enumerates the remaining audit items with reasoned justifications for why they are exempt (internal reusable-workflow @v1 refs per ci-standards.md) or not API-actionable (paid-plan secret-scanning features). The remaining secret_scan_ci_job_present audit-script mismatch (the script still pattern-matches gitleaks/gitleaks-action) is called out and tracked to a sibling branch — acceptable.
Findings
- Security posture (positive): The gitleaks job uses
permissions: contents: read(least privilege),fetch-depth: 0(full-history scan),--redact(no secret values in logs), and a pinned binary verified against a hardcoded SHA-256 before extraction. GitHub Actions' defaultbash -eo pipefailensures the tar extraction won't run ifsha256sum -cfails. - Action pinning:
dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stableis a proper full-SHA pin with a comment for human readability — matches the repo's Action Pinning Policy. - Copilot comment resolved: The Copilot inline comment requesting
GITLEAKS_LICENSEwas rendered moot by commitc849cfe, which switched to the binary-install pattern; the author replied with that context and the thread is effectively closed. - SonarCloud hotspot: SonarCloud's comment flagging a hex string in a YAML
env:block was the motivator for commit7c67710, which moved the checksum into the shellrun:block. The SonarCloud comment in the thread predates that fix's analysis run; the current head no longer has the pattern. SonarCloud is not a required check instatusCheckRollup, so this does not block. - Allowlist scope:
.gitleaks.tomlonly allowlists_bmad/— narrow and well-commented. No concerns. - Nit (non-blocking): Consider switching
wget -qtocurl -fsSLfor clearer failure semantics on HTTP errors (current defaultset -eplus the checksum check already protect against silent corruption, so this is purely a style preference).
CI status
Required checks green: CodeQL ✓, Analyze (actions) ✓, CodeRabbit ✓, pr-review-mention / handle-mention ✓. mergeStateStatus is BLOCKED only on the standard branch-protection review-required gate, which this approval clears (subject to org-leads / human policy). SonarCloud reports an informational Security Hotspot that the latest commit was specifically crafted to clear — not a required gate.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
|
…276) (#277) * fix(ci): add gitleaks secret-scan job and pin dtolnay/rust-toolchain SHA Addresses compliance audit findings for the .github repo (issue #276): - ci.yml: add `secret-scan` job using gitleaks/gitleaks-action@v2.3.9 (SHA-pinned) with full-history checkout, satisfying the `secret_scan_ci_job_present` compliance check. - dependency-audit.yml: pin `dtolnay/rust-toolchain@stable` to commit SHA 29eef336d9b2848a0b548edc03f92a220660cdb8 per the Action Pinning Policy (ci-standards.md). API changes applied directly (no file changes needed): - Disabled check-suite auto-trigger for Claude (1236702) and CodeRabbit (347564) on this repo. - Enabled secret_scanning and secret_scanning_push_protection. Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): switch gitleaks to binary-install approach (no license required) The gitleaks-action requires a commercial license for org repos, which is not yet configured. Switch to the binary-install pattern from the fix/gitleaks-standard-checksum-and-toml standard update: - Install gitleaks 8.30.1 directly from GitHub releases with checksum verification instead of using gitleaks/gitleaks-action - Drop security-events: write permission (not needed for binary approach) - Add .gitleaks.toml at repo root (required by --config flag; copied from standards/gitleaks.toml template) Note: the compliance audit script on main still checks for gitleaks/gitleaks-action; the fix/gitleaks-standard-checksum-and-toml branch updates the check to also accept the binary-install pattern. This finding will clear once that branch lands. Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): move gitleaks checksum to shell variable to clear SonarCloud hotspot SonarCloud flags hex strings in YAML env: blocks as Security Hotspots (potential hardcoded credentials false positive). Moving the checksum value into the shell run block avoids the YAML-level scan trigger while still verifying the tarball integrity before use. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * ci: retrigger checks on rebased branch --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…276) (#277) * fix(ci): add gitleaks secret-scan job and pin dtolnay/rust-toolchain SHA Addresses compliance audit findings for the .github repo (issue #276): - ci.yml: add `secret-scan` job using gitleaks/gitleaks-action@v2.3.9 (SHA-pinned) with full-history checkout, satisfying the `secret_scan_ci_job_present` compliance check. - dependency-audit.yml: pin `dtolnay/rust-toolchain@stable` to commit SHA 29eef336d9b2848a0b548edc03f92a220660cdb8 per the Action Pinning Policy (ci-standards.md). API changes applied directly (no file changes needed): - Disabled check-suite auto-trigger for Claude (1236702) and CodeRabbit (347564) on this repo. - Enabled secret_scanning and secret_scanning_push_protection. Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): switch gitleaks to binary-install approach (no license required) The gitleaks-action requires a commercial license for org repos, which is not yet configured. Switch to the binary-install pattern from the fix/gitleaks-standard-checksum-and-toml standard update: - Install gitleaks 8.30.1 directly from GitHub releases with checksum verification instead of using gitleaks/gitleaks-action - Drop security-events: write permission (not needed for binary approach) - Add .gitleaks.toml at repo root (required by --config flag; copied from standards/gitleaks.toml template) Note: the compliance audit script on main still checks for gitleaks/gitleaks-action; the fix/gitleaks-standard-checksum-and-toml branch updates the check to also accept the binary-install pattern. This finding will clear once that branch lands. Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): move gitleaks checksum to shell variable to clear SonarCloud hotspot SonarCloud flags hex strings in YAML env: blocks as Security Hotspots (potential hardcoded credentials false positive). Moving the checksum value into the shell run block avoids the YAML-level scan trigger while still verifying the tarball integrity before use. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * ci: retrigger checks on rebased branch --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…276) (#277) * fix(ci): add gitleaks secret-scan job and pin dtolnay/rust-toolchain SHA Addresses compliance audit findings for the .github repo (issue #276): - ci.yml: add `secret-scan` job using gitleaks/gitleaks-action@v2.3.9 (SHA-pinned) with full-history checkout, satisfying the `secret_scan_ci_job_present` compliance check. - dependency-audit.yml: pin `dtolnay/rust-toolchain@stable` to commit SHA 29eef336d9b2848a0b548edc03f92a220660cdb8 per the Action Pinning Policy (ci-standards.md). API changes applied directly (no file changes needed): - Disabled check-suite auto-trigger for Claude (1236702) and CodeRabbit (347564) on this repo. - Enabled secret_scanning and secret_scanning_push_protection. Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): switch gitleaks to binary-install approach (no license required) The gitleaks-action requires a commercial license for org repos, which is not yet configured. Switch to the binary-install pattern from the fix/gitleaks-standard-checksum-and-toml standard update: - Install gitleaks 8.30.1 directly from GitHub releases with checksum verification instead of using gitleaks/gitleaks-action - Drop security-events: write permission (not needed for binary approach) - Add .gitleaks.toml at repo root (required by --config flag; copied from standards/gitleaks.toml template) Note: the compliance audit script on main still checks for gitleaks/gitleaks-action; the fix/gitleaks-standard-checksum-and-toml branch updates the check to also accept the binary-install pattern. This finding will clear once that branch lands. Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): move gitleaks checksum to shell variable to clear SonarCloud hotspot SonarCloud flags hex strings in YAML env: blocks as Security Hotspots (potential hardcoded credentials false positive). Moving the checksum value into the shell run block avoids the YAML-level scan trigger while still verifying the tarball integrity before use. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * ci: retrigger checks on rebased branch --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…276) (#277) * fix(ci): add gitleaks secret-scan job and pin dtolnay/rust-toolchain SHA Addresses compliance audit findings for the .github repo (issue #276): - ci.yml: add `secret-scan` job using gitleaks/gitleaks-action@v2.3.9 (SHA-pinned) with full-history checkout, satisfying the `secret_scan_ci_job_present` compliance check. - dependency-audit.yml: pin `dtolnay/rust-toolchain@stable` to commit SHA 29eef336d9b2848a0b548edc03f92a220660cdb8 per the Action Pinning Policy (ci-standards.md). API changes applied directly (no file changes needed): - Disabled check-suite auto-trigger for Claude (1236702) and CodeRabbit (347564) on this repo. - Enabled secret_scanning and secret_scanning_push_protection. Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): switch gitleaks to binary-install approach (no license required) The gitleaks-action requires a commercial license for org repos, which is not yet configured. Switch to the binary-install pattern from the fix/gitleaks-standard-checksum-and-toml standard update: - Install gitleaks 8.30.1 directly from GitHub releases with checksum verification instead of using gitleaks/gitleaks-action - Drop security-events: write permission (not needed for binary approach) - Add .gitleaks.toml at repo root (required by --config flag; copied from standards/gitleaks.toml template) Note: the compliance audit script on main still checks for gitleaks/gitleaks-action; the fix/gitleaks-standard-checksum-and-toml branch updates the check to also accept the binary-install pattern. This finding will clear once that branch lands. Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): move gitleaks checksum to shell variable to clear SonarCloud hotspot SonarCloud flags hex strings in YAML env: blocks as Security Hotspots (potential hardcoded credentials false positive). Moving the checksum value into the shell run block avoids the YAML-level scan trigger while still verifying the tarball integrity before use. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * ci: retrigger checks on rebased branch --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…276) (#277) * fix(ci): add gitleaks secret-scan job and pin dtolnay/rust-toolchain SHA Addresses compliance audit findings for the .github repo (issue #276): - ci.yml: add `secret-scan` job using gitleaks/gitleaks-action@v2.3.9 (SHA-pinned) with full-history checkout, satisfying the `secret_scan_ci_job_present` compliance check. - dependency-audit.yml: pin `dtolnay/rust-toolchain@stable` to commit SHA 29eef336d9b2848a0b548edc03f92a220660cdb8 per the Action Pinning Policy (ci-standards.md). API changes applied directly (no file changes needed): - Disabled check-suite auto-trigger for Claude (1236702) and CodeRabbit (347564) on this repo. - Enabled secret_scanning and secret_scanning_push_protection. Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): switch gitleaks to binary-install approach (no license required) The gitleaks-action requires a commercial license for org repos, which is not yet configured. Switch to the binary-install pattern from the fix/gitleaks-standard-checksum-and-toml standard update: - Install gitleaks 8.30.1 directly from GitHub releases with checksum verification instead of using gitleaks/gitleaks-action - Drop security-events: write permission (not needed for binary approach) - Add .gitleaks.toml at repo root (required by --config flag; copied from standards/gitleaks.toml template) Note: the compliance audit script on main still checks for gitleaks/gitleaks-action; the fix/gitleaks-standard-checksum-and-toml branch updates the check to also accept the binary-install pattern. This finding will clear once that branch lands. Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): move gitleaks checksum to shell variable to clear SonarCloud hotspot SonarCloud flags hex strings in YAML env: blocks as Security Hotspots (potential hardcoded credentials false positive). Moving the checksum value into the shell run block avoids the YAML-level scan trigger while still verifying the tarball integrity before use. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * ci: retrigger checks on rebased branch --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>


Summary
Addresses the
.githubrepo findings from the 2026-05-13 compliance audit (issue #276).Changes in this PR
ci.yml— adds the requiredsecret-scanjob:gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7(v2.3.9, SHA-pinned)fetch-depth: 0) so the entire git history is scanned--redactflag prevents leaked values from appearing in workflow logssecret_scan_ci_job_presentcompliance checkdependency-audit.yml— pins the unpinned action:dtolnay/rust-toolchain@stable→@29eef336d9b2848a0b548edc03f92a220660cdb8(stable branch SHA, looked up viagh api repos/dtolnay/rust-toolchain/branches/stable)unpinned-actions-dependency-audit.ymlcompliance checkAPI changes applied directly (no PR needed)
check-suite-auto-trigger-1236702andcheck-suite-auto-trigger-347564: Disabled auto-trigger for Claude and CodeRabbit on this repo viaPATCH /repos/petry-projects/.github/check-suites/preferences.secret_scanningandsecret_scanning_push_protectionviaPATCH /repos/petry-projects/.github.False positives noted (no action taken)
The compliance audit also flagged these for the
.githubrepo, but they are not actionable:unpinned-actions-agent-shield.yml@v1ref topetry-projects/.githubreusable — exempt from Action Pinning Policy perci-standards.md#exception-internal-reusable-workflow-referencesunpinned-actions-claude.ymlclaude.ymlcauses OIDC validation failure (the file must be byte-identical to default branch)unpinned-actions-dependabot-automerge.yml@v1exemptioncodeowners-org-leads-not-first* @petry-projects/org-leads— already compliant; audit appears to have run before the last commitcodeowners-no-catchall*catchall is presentsecret_scanning_ai_detectionsecret_scanning_non_provider_patternsCloses #276
Generated with Claude Code