Skip to content

security: add gitleaks secret-scan CI job and expand .gitignore to org baseline#189

Closed
don-petry wants to merge 3 commits into
mainfrom
claude/issue-170-20260414-1141
Closed

security: add gitleaks secret-scan CI job and expand .gitignore to org baseline#189
don-petry wants to merge 3 commits into
mainfrom
claude/issue-170-20260414-1141

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Summary

  • Add secret-scan job to ci.yml using SHA-pinned gitleaks-action@v2.3.9 with full history scan (fetch-depth: 0), --redact flag, and --exit-code 1
  • Replace the minimal 5-line .gitignore with the full petry-projects org secrets baseline, adding *.pem, *.key, and all required credential-file patterns per the push-protection standard
  • Preserve existing repo-specific build-artifact entries (node_modules/, coverage/, etc.) below the baseline

Compliance fixes (issue #170)

Check Before After
secret_scan_ci_job_present ✗ missing ✓ added
gitignore_secrets_block partial (.env only) ✓ full baseline

Note: secret_scanning_non_provider_patterns and secret_scanning_ai_detection remain disabled — these appear to require a higher GitHub plan tier and cannot be toggled via the API with the current token. The remaining compliance findings will need to be addressed by a repository admin via GitHub Settings → Code security and analysis.

Closes #170

Generated with Claude Code

…g baseline

- Add `secret-scan` job to ci.yml using gitleaks-action (SHA-pinned) with
  full history scan (fetch-depth: 0), --redact flag, and exit-code 1
- Replace minimal .gitignore with the petry-projects org secrets baseline,
  which adds *.pem, *.key, and all required credential-file patterns
- Preserve existing repo-specific entries (node_modules, coverage, etc.)

Closes #170

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 11:44
@don-petry

Copy link
Copy Markdown
Collaborator Author

Hey @don-petry — this PR is ready for your review and merge. The two code-level compliance gaps are addressed; the remaining secret_scanning_non_provider_patterns / secret_scanning_ai_detection flags appear to need a higher plan tier and must be toggled manually via GitHub Settings → Code security and analysis.

@coderabbitai

coderabbitai Bot commented Apr 14, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 48 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 55 minutes and 48 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4c4d833c-fc33-48be-8960-99b4dbc76ddb

📥 Commits

Reviewing files that changed from the base of the PR and between 56ee75a and 21482d7.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .gitignore
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-170-20260414-1141

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds organization-standard secret leak prevention by introducing a CI secret scan and expanding the repository’s secrets-focused .gitignore baseline.

Changes:

  • Add a secret-scan job to CI using gitleaks/gitleaks-action with full-history checkout.
  • Replace the minimal .gitignore with the petry-projects secrets-only baseline while preserving repo-specific build/test ignores.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
.gitignore Expands to org secrets-only baseline patterns and keeps repo-specific artifact ignores at the end.
.github/workflows/ci.yml Adds a new secret-scan job running gitleaks with SHA-pinned actions and full-history checkout.

Comment thread .github/workflows/ci.yml
Comment on lines +115 to +116
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Copilot AI Apr 14, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The checkout pinning comment is internally inconsistent: it instructs looking up the SHA for the v4 tag, but the pinned SHA is annotated as v6.0.2 (and elsewhere in this repo the same SHA is labeled # v6). Please update the lookup command and the trailing version comment so they reference the same tag/major version as the SHA you intend to pin; otherwise future updates are more likely to pin the wrong ref.

Suggested change
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v6 --jq '.object.sha'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

Copilot uses AI. Check for mistakes.

@don-petry don-petry left a comment

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — NEEDS HUMAN REVIEW

Risk: HIGH
Reviewed commit: 22ad823022c4f4c2084e5f3f6891a007795703f8
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR's own 'Secret scan (gitleaks)' CI job FAILED with '🛑 missing gitleaks license'. gitleaks/gitleaks-action@v2 requires a paid GITLEAKS_LICENSE secret for organization repos (petry-projects is an org). The job log also emits ##[warning]Unexpected input(s) args, valid inputs are [''] — the args: input the PR passes is silently ignored by the action, so even if licensed, --redact/--exit-code 1 would NOT take effect. The PR ships a nominally-named secret-scan gate that is actually non-functional, which is worse than no gate at all: it creates a false sense of security while failing permanently. Hard gate failure + advertising a broken security control = escalate.

Findings

Critical

  • [critical] .github/workflows/ci.yml:123 — The new 'Secret scan (gitleaks)' check concluded FAILURE. Root cause from job 71257515170 log: This organization requires a gitleaks license. Get one at gitleaks.io and store as GitHub Secret GITLEAKS_LICENSE. gitleaks/gitleaks-action v2 requires a paid commercial license for organization-owned repos. Either (a) add the GITLEAKS_LICENSE secret and document procurement, (b) replace gitleaks-action with a direct gitleaks CLI invocation (the binary itself is open-source and has no license requirement), or (c) switch to trufflehog/noseyparker.

Major

  • [major] .github/workflows/ci.yml:123 — The job log shows ##[warning]Unexpected input(s) args, valid inputs are ['']. gitleaks-action v2 does NOT accept an args: input — it is controlled entirely by env vars (GITLEAKS_ENABLE_COMMENTS, GITLEAKS_CONFIG, etc.). The PR's args: detect --source . --redact --verbose --exit-code 1 is silently discarded. Even if the license issue were solved, --redact and --exit-code 1 would not apply — a real future hit would be printed unredacted in public CI logs.

Minor

  • [minor] .github/workflows/ci.yml:113 — SHA-pin refresh comment mismatch: the inline command says refs/tags/v4 but the pin label says # v6.0.2. A future maintainer following that command would silently downgrade the action by two majors. Fix to refs/tags/v6.0.2. Same issue on the gitleaks-action refresh comment.
  • [minor] .gitignore — Patterns like .npmrc, .yarnrc.yml, nuget.config, gradle.properties, secrets.yaml are broad and may block committing non-secret org/registry config. No immediate impact on this PR but worth narrowing for downstream consumers of this baseline.

Info

  • [info] .github/workflows/ci.yml — Positive: permissions block is correctly minimal; negation-ordering in .gitignore is correct; no pull_request_target, no secret exposure in expressions, no shell injection, no curl|bash, no unpinned third-party actions. Workflow design is sound; only execution is broken.
  • [info] .github/workflows/ci.yml:123 — gitleaks-action@v2.3.9 runs on Node 20, which GitHub removes 2026-09-16. Another reason to consider invoking gitleaks CLI directly.

CI status

mergeStateStatus: BLOCKED — the new 'Secret scan (gitleaks)' job is failing due to the missing GITLEAKS_LICENSE. The PR cannot be merged in its current state.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing as duplicate of #214 — same fix for issue #189. The newest attempt is kept open.

@don-petry don-petry closed this May 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: security_and_analysis_unavailable

2 participants