Skip to content

ci: add gitleaks secret-scan job to ci.yml#78

Closed
don-petry wants to merge 45 commits into
mainfrom
claude/issue-69-20260414-1418
Closed

ci: add gitleaks secret-scan job to ci.yml#78
don-petry wants to merge 45 commits into
mainfrom
claude/issue-69-20260414-1418

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Summary

  • Adds the required secret-scan job to .github/workflows/ci.yml per the push-protection standard
  • Runs gitleaks in full-history mode (fetch-depth: 0) on every PR and push to main
  • Uses --redact to avoid leaking values in workflow logs
  • Uses --exit-code 1 to fail the build on any finding
  • Both action SHAs are pinned per the Action Pinning Policy

Test plan

  • CI passes (secret-scan job runs successfully)
  • No gitleaks findings in repository history

Closes #69

Generated with Claude Code

Adds the required `secret-scan` job per the push-protection standard
(petry-projects/.github standards/push-protection.md#required-ci-job).

The job runs gitleaks in full-history mode (`fetch-depth: 0`) on every
PR and push to main, with `--redact` to avoid leaking values in logs
and `--exit-code 1` to fail the build on any finding.

Both action SHAs are pinned per the Action Pinning Policy:
- actions/checkout: de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2)
- gitleaks/gitleaks-action: ff98106e4c7b2bc287b24eaf42907196329070c7 (v2.3.9)

Closes #69

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 14:20
@coderabbitai

coderabbitai Bot commented Apr 14, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@don-petry, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 57 minutes and 2 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: be4651c5-262e-4086-a4b7-f35380434ddf

📥 Commits

Reviewing files that changed from the base of the PR and between 651ad66 and 834deaa.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-69-20260414-1418

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Contributor Author

Self-review complete — no issues found. The job follows the standard template verbatim with correct SHA pins.

@don-petry — please review and merge when CI is green.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR brings the repository’s CI workflow into push-protection compliance by adding a required secret-scan job that runs gitleaks on pushes and pull requests to main.

Changes:

  • Add a secret-scan job to .github/workflows/ci.yml that runs gitleaks with full git history (fetch-depth: 0).
  • Configure gitleaks to redact secrets in logs and fail CI on any finding (--redact, --exit-code 1).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/ci.yml Outdated
Comment on lines +55 to +57
# Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Copilot AI Apr 14, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The checkout pin guidance comments are inconsistent: the lookup command references tags/v4, but the uses: line is annotated # v6.0.2. Elsewhere in this repo the same SHA is labeled # v4 (see .github/workflows/codeql.yml). Please align the version annotation and the lookup command so future updates don’t get the wrong tag/SHA.

Copilot uses AI. Check for mistakes.

@don-petry don-petry left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — NEEDS HUMAN REVIEW

Risk: MEDIUM
Reviewed commit: 47dfe00bb5bc9e0a1d653b7eb1a0f0308dd6be64
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

The failing 'Secret scan (gitleaks)' check is NOT evidence of leaked secrets — the CI log shows gitleaks-action v2 rejected the run because petry-projects is an organization and requires a paid GITLEAKS_LICENSE secret, which isn't configured. The deep reviewer's critical finding ('gitleaks found secrets in history') is a root-cause misinterpretation; gitleaks never executed. The PR itself introduces no new security vulnerabilities (SHA-pinned actions verified correct, permissions match org standard, --redact intended), but the job will never pass in its current form and a second misconfiguration (gitleaks-action v2 emits '##[warning]Unexpected input(s) args' — the action does not accept the 'args' input, so --redact/--exit-code 1 would be silently ignored even with a license). Escalating so a human can resolve the operational gap; the PR is not dangerous to merge from a leak standpoint but it is non-functional as written.

Findings

Major

  • [major] .github/workflows/ci.yml — The gitleaks job fails with [petry-projects] is an organization. License key is required. — gitleaks-action v2 requires a paid license (GITLEAKS_LICENSE secret) for organization accounts; this is a known breaking change documented in the action's README. The scanner never ran, so the FAILURE conclusion is not evidence of any secret in history. Resolution options: (a) add a GITLEAKS_LICENSE org-level secret and reference it, (b) switch to running the gitleaks binary directly (no action license required), or (c) use an alternative scanner (trufflehog, noseyparker). This also means the org-level push-protection standard template that this PR follows verbatim is broken for all petry-projects repos — fixing it here alone will leave the standard out of sync.

  • [major] .github/workflows/ci.yml — The CI log emits ##[warning]Unexpected input(s) args, valid inputs are [''] — gitleaks-action v2 does not accept an args input; it reads configuration from env vars (GITLEAKS_CONFIG, GITLEAKS_ENABLE_COMMENTS, GITLEAKS_ENABLE_SUMMARY, etc.) and auto-selects scan scope. Even after a license is provided, the intended flags --redact, --verbose, and --exit-code 1 would be silently dropped. Critically, this means --redact would NOT take effect, and if gitleaks later finds a real secret the raw value could be printed into public workflow logs. This is the most security-relevant issue in the PR.

Minor

  • [minor] .github/workflows/ci.yml — The 'Refresh with: gh api repos/gitleaks/gitleaks-action/git/refs/tags/v2' refresh hint would now return a SHA for a newer v2 release if the v2 tag has been advanced since this PR was authored, not the pinned v2.3.9. This is a verbatim copy from the org push-protection.md template, so changing it in this one repo would drift from the standard. Best fixed by updating the org-level standard to reference the specific tag (v2.3.9) and noting the 'dereference annotated tag' follow-up.

  • [minor] — PR was opened by a bot co-authored with don-petry and self-approved by don-petry via an auto-comment; CodeRabbit hit its hourly rate limit and did not review; Copilot posted an overview-only comment with no approval state. No independent human reviewer has signed off. For a change to required CI policy, a second human reviewer is advisable per org-wide agent standards.

Info

  • [info] .github/workflows/ci.yml — Both pinned SHAs are accurate: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd matches v6.0.2; gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 matches v2.3.9. No typosquatting, no mutable tag references in the uses: lines. Supply-chain hygiene is correct.

  • [info] .github/workflows/ci.yml — Job-scoped permissions are {contents: read, security-events: write}, matching the org push-protection.md template exactly. security-events: write is required by gitleaks-action v2's internal SARIF upload path; this is the narrowest scope that supports the advertised feature and is confined to one job. GITHUB_TOKEN is not propagated to other steps. No pull_request_target, no expression injection surface in run: blocks, no untrusted user input interpolated into shell.

  • [info] — Diff is isolated to .github/workflows/ci.yml (+24/-0). No application code, no dependencies, no secrets committed to the repo, no CORS/auth/crypto/data-exposure surface changed. AgentShield, CodeQL (actions), SonarCloud, and dependency-audit all pass. There is no evidence in this PR of any credential or PII being added to the repo, and no change to runtime code paths.

CI status

CI is BLOCKED — the gitleaks job fails due to a missing GITLEAKS_LICENSE org secret (gitleaks-action v2 organization licensing requirement). All other CI checks (AgentShield, CodeQL, SonarCloud, dependency-audit) pass. The PR merge state is BLOCKED.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry

Copy link
Copy Markdown
Contributor Author

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

  • [major] .github/workflows/ci.ymlgitleaks-action v2 requires a paid GITLEAKS_LICENSE secret for organization accounts; the scanner never ran. Resolution: (a) add a GITLEAKS_LICENSE org-level secret and reference it in the workflow, (b) switch to running the gitleaks binary directly (no action license required), or (c) use an alternative scanner (trufflehog, noseyparker). Note that the org-level push-protection standard template is also broken for all petry-projects repos — coordinate with the org template owner.

  • [major] .github/workflows/ci.ymlgitleaks-action v2 does not accept an args input (##[warning]Unexpected input(s) args). Remove the args: input and instead configure gitleaks via the supported env vars (GITLEAKS_CONFIG, etc.). Without this fix --redact would NOT take effect even if a license is provided, risking raw secret values appearing in public workflow logs.

  • [minor] .github/workflows/ci.yml — The SHA refresh hint references the v2 mutable tag; update it to reference the specific tag (v2.3.9) or remove the hint and note the pinned SHA directly.

  • [minor] — Obtain an independent human review sign-off for this change to required CI policy (CodeRabbit was rate-limited; Copilot did not approve; current approval is self-review only).

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on main if the branch is behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

github-actions Bot and others added 4 commits April 21, 2026 04:17
@don-petry

Copy link
Copy Markdown
Contributor Author

CI fix: replaced gitleaks/gitleaks-action with direct CLI install

The Secret scan (gitleaks) job was failing with:

[petry-projects] is an organization. License key is required.

gitleaks/gitleaks-action requires a paid license for GitHub org repos. This commit replaces it with a direct CLI install approach that:

  • Downloads gitleaks v8.30.1 binary via wget
  • Verifies the download with sha256sum
  • Runs gitleaks detect directly (no license needed)

Also removed the now-unnecessary security-events: write permission from the job.

@github-actions github-actions Bot requested a review from a team as a code owner May 4, 2026 20:38
@don-petry

Copy link
Copy Markdown
Contributor Author

@claude Please address all open review comments on this PR from CodeRabbit and Copilot.

@claude

claude Bot commented May 6, 2026

Copy link
Copy Markdown

Claude encountered an error —— View job


I'll analyze this and get back to you.

@don-petry

Copy link
Copy Markdown
Contributor Author

@dev-lead - please fix this PR

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead Fix CI — failed

PR: #78 | SHA: 9a4724db0f1e03971539f65d95d508cb1a6d3f66
Engine invocation failed (exit 41)

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead Fix CI — failed

PR: #78 | SHA: 1b698826be4a987cdb15d69027f292c91308beae
Engine invocation failed (exit 41)

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead Fix CI — exhausted

This PR has had 2 consecutive engine failures (timeouts or errors). Automated CI fixing has been paused to avoid consuming further tokens.

Reason for last failure: Engine invocation failed (exit 41)

To re-enable, delete this comment or push a new commit with a substantially different change.

@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry don-petry enabled auto-merge (squash) June 1, 2026 12:39
@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
auto-merge was automatically disabled June 2, 2026 12:21

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: secret_scan_ci_job_present

4 participants