security: add gitleaks secret-scan CI job and expand .gitignore to org baseline#189
security: add gitleaks secret-scan CI job and expand .gitignore to org baseline#189don-petry wants to merge 3 commits into
Conversation
…g baseline - Add `secret-scan` job to ci.yml using gitleaks-action (SHA-pinned) with full history scan (fetch-depth: 0), --redact flag, and exit-code 1 - Replace minimal .gitignore with the petry-projects org secrets baseline, which adds *.pem, *.key, and all required credential-file patterns - Preserve existing repo-specific entries (node_modules, coverage, etc.) Closes #170 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
|
Hey @don-petry — this PR is ready for your review and merge. The two code-level compliance gaps are addressed; the remaining |
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 55 minutes and 48 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
There was a problem hiding this comment.
Pull request overview
Adds organization-standard secret leak prevention by introducing a CI secret scan and expanding the repository’s secrets-focused .gitignore baseline.
Changes:
- Add a
secret-scanjob to CI usinggitleaks/gitleaks-actionwith full-history checkout. - Replace the minimal
.gitignorewith the petry-projects secrets-only baseline while preserving repo-specific build/test ignores.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
.gitignore |
Expands to org secrets-only baseline patterns and keeps repo-specific artifact ignores at the end. |
.github/workflows/ci.yml |
Adds a new secret-scan job running gitleaks with SHA-pinned actions and full-history checkout. |
| # Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha' | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
There was a problem hiding this comment.
The checkout pinning comment is internally inconsistent: it instructs looking up the SHA for the v4 tag, but the pinned SHA is annotated as v6.0.2 (and elsewhere in this repo the same SHA is labeled # v6). Please update the lookup command and the trailing version comment so they reference the same tag/major version as the SHA you intend to pin; otherwise future updates are more likely to pin the wrong ref.
| # Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha' | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| # Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v6 --jq '.object.sha' | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 |
don-petry
left a comment
There was a problem hiding this comment.
Automated review — NEEDS HUMAN REVIEW
Risk: HIGH
Reviewed commit: 22ad823022c4f4c2084e5f3f6891a007795703f8
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
This PR's own 'Secret scan (gitleaks)' CI job FAILED with '🛑 missing gitleaks license'. gitleaks/gitleaks-action@v2 requires a paid GITLEAKS_LICENSE secret for organization repos (petry-projects is an org). The job log also emits ##[warning]Unexpected input(s) args, valid inputs are [''] — the args: input the PR passes is silently ignored by the action, so even if licensed, --redact/--exit-code 1 would NOT take effect. The PR ships a nominally-named secret-scan gate that is actually non-functional, which is worse than no gate at all: it creates a false sense of security while failing permanently. Hard gate failure + advertising a broken security control = escalate.
Findings
Critical
- [critical]
.github/workflows/ci.yml:123— The new 'Secret scan (gitleaks)' check concluded FAILURE. Root cause from job 71257515170 log:This organization requires a gitleaks license. Get one at gitleaks.io and store as GitHub Secret GITLEAKS_LICENSE.gitleaks/gitleaks-action v2 requires a paid commercial license for organization-owned repos. Either (a) add the GITLEAKS_LICENSE secret and document procurement, (b) replace gitleaks-action with a directgitleaksCLI invocation (the binary itself is open-source and has no license requirement), or (c) switch to trufflehog/noseyparker.
Major
- [major]
.github/workflows/ci.yml:123— The job log shows##[warning]Unexpected input(s) args, valid inputs are ['']. gitleaks-action v2 does NOT accept anargs:input — it is controlled entirely by env vars (GITLEAKS_ENABLE_COMMENTS, GITLEAKS_CONFIG, etc.). The PR'sargs: detect --source . --redact --verbose --exit-code 1is silently discarded. Even if the license issue were solved,--redactand--exit-code 1would not apply — a real future hit would be printed unredacted in public CI logs.
Minor
- [minor]
.github/workflows/ci.yml:113— SHA-pin refresh comment mismatch: the inline command saysrefs/tags/v4but the pin label says# v6.0.2. A future maintainer following that command would silently downgrade the action by two majors. Fix torefs/tags/v6.0.2. Same issue on the gitleaks-action refresh comment. - [minor]
.gitignore— Patterns like.npmrc,.yarnrc.yml,nuget.config,gradle.properties,secrets.yamlare broad and may block committing non-secret org/registry config. No immediate impact on this PR but worth narrowing for downstream consumers of this baseline.
Info
- [info]
.github/workflows/ci.yml— Positive: permissions block is correctly minimal; negation-ordering in .gitignore is correct; nopull_request_target, no secret exposure in expressions, no shell injection, no curl|bash, no unpinned third-party actions. Workflow design is sound; only execution is broken. - [info]
.github/workflows/ci.yml:123— gitleaks-action@v2.3.9 runs on Node 20, which GitHub removes 2026-09-16. Another reason to consider invoking gitleaks CLI directly.
CI status
mergeStateStatus: BLOCKED — the new 'Secret scan (gitleaks)' job is failing due to the missing GITLEAKS_LICENSE. The PR cannot be merged in its current state.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.



Summary
secret-scanjob toci.ymlusing SHA-pinnedgitleaks-action@v2.3.9with full history scan (fetch-depth: 0),--redactflag, and--exit-code 1.gitignorewith the fullpetry-projectsorg secrets baseline, adding*.pem,*.key, and all required credential-file patterns per the push-protection standardnode_modules/,coverage/, etc.) below the baselineCompliance fixes (issue #170)
secret_scan_ci_job_presentgitignore_secrets_block.envonly)Closes #170
Generated with Claude Code