Skip to content

security: add gitleaks secret-scan CI job and expand .gitignore to org baseline#214

Closed
don-petry wants to merge 6 commits into
mainfrom
claude/issue-170-20260419-2133
Closed

security: add gitleaks secret-scan CI job and expand .gitignore to org baseline#214
don-petry wants to merge 6 commits into
mainfrom
claude/issue-170-20260419-2133

Conversation

@don-petry

@don-petry don-petry commented Apr 19, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Add SHA-pinned gitleaks/gitleaks-action@ff98106 secret-scan job to ci.yml, scanning full git history on every PR and push to main (per push-protection standard Layer 3)
  • Replace minimal .gitignore (.env only) with full petry-projects secrets baseline covering dotenv family, cloud credentials, SSH/TLS/GPG keys, IaC secrets, Kubernetes secrets, package registry credential dotfiles, IDE credential caches, and modern AI tooling config files

Compliance checks addressed

Check Before After
secret_scan_ci_job_present ✗ missing ✓ added
gitignore_secrets_block ✗ partial (.env only) ✓ full org baseline

Note: The security_and_analysis_unavailable finding (token lacks admin scope or plan limitation) cannot be resolved via code changes — it requires a human to enable Secret Scanning and Push Protection in GitHub repository settings (Settings → Code security and analysis).

Test plan

  • CI build-and-test job passes
  • CI secret-scan job runs and passes (no secrets in repo history)
  • .gitignore contains .env, *.pem, *.key entries (compliance check satisfied)

Closes #170

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added automated secret scanning to the CI/CD pipeline to detect and prevent credential leaks in the repository.
    • Updated repository configuration to protect sensitive files from being accidentally committed.

Copilot AI review requested due to automatic review settings April 19, 2026 21:36
@coderabbitai

coderabbitai Bot commented Apr 19, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 22 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fc1c0968-cf65-419b-8f4f-0009eb8d6fcf

📥 Commits

Reviewing files that changed from the base of the PR and between 539b160 and 96dddd8.

📒 Files selected for processing (1)
  • .gitignore
📝 Walkthrough

Walkthrough

The pull request adds GitHub Actions secret scanning via gitleaks and expands the repository's gitignore to comprehensively exclude secret files, credential artifacts, and sensitive configuration across multiple formats and tools.

Changes

Cohort / File(s) Summary
CI Workflow Secret Scanning
.github/workflows/ci.yml
Added secret-scan job that runs gitleaks action to detect secrets in the repository with redaction and verbose output, configured to fail on findings.
Gitignore Secrets Baseline
.gitignore
Replaced minimal ignore rules with comprehensive secrets-only baseline covering dotenv variants, cloud credentials, Kubernetes secrets, private keys/certificates, Terraform state, secret manager artifacts, database dumps, package manager credentials, IDE credential files, and generic secret/credential filename patterns.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

  • The changes directly address the compliance finding in the linked issue by implementing the required secret-scan GitHub Actions job using gitleaks to detect and prevent secrets from being committed, satisfying push-protection security requirements.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically summarizes the main changes: adding a gitleaks secret-scan CI job and expanding .gitignore to organization baseline.
Linked Issues check ✅ Passed The PR implements the main coding remediation for issue #170 by adding the gitleaks secret-scan CI job and updating .gitignore with security-focused rules.
Out of Scope Changes check ✅ Passed All changes are directly related to addressing security compliance requirements from issue #170; no out-of-scope modifications detected.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-170-20260419-2133

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Collaborator Author

@don-petry — PR is ready for review.

Summary of changes:

  • Added secret-scan job using gitleaks/gitleaks-action@ff98106 (SHA-pinned per ci-standards) to ci.yml
  • Replaced the minimal .gitignore with the full petry-projects secrets baseline

One manual step required:
The Secret scan (gitleaks) CI job will fail until a GITLEAKS_LICENSE secret is configured for this repository (or org-wide). gitleaks-action v2.x requires a license key for organization repositories.

  • Get a free OSS license at https://gitleaks.io/products.html
  • Add it as a repository secret named GITLEAKS_LICENSE in Settings → Secrets and variables → Actions
  • Or add it org-wide in the petry-projects org settings

The compliance check secret_scan_ci_job_present will be satisfied once this PR merges (the check looks for gitleaks/gitleaks-action in ci.yml). The job itself requires the license to run.

Note: The root security_and_analysis_unavailable compliance finding (the issue title) cannot be resolved via code — it requires the compliance audit token to have admin scope, or enabling Secret Scanning manually via Settings → Code security and analysis.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
.gitignore (2)

141-143: Negations for patterns that are never ignored.

!*.crt, !ca.crt, and !*.cert re-include files that aren't matched by any preceding ignore rule in this file, so these lines are no-ops today. They're harmless but slightly misleading — either add matching *.crt / *.cert ignores above (certs can embed private keys in some formats, but conventionally don't) or drop these negations. Non-blocking.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.gitignore around lines 141 - 143, The negation lines "!*.crt", "!ca.crt",
and "!*.cert" are no-ops because there are no preceding ignore rules that would
match those patterns; either remove these three negation lines to avoid
confusion or add corresponding ignore rules (e.g., "*.crt" and "*.cert" or
"ca.crt" earlier in the file) so the negations make sense; update the .gitignore
by deleting the "!*.crt", "!ca.crt", and "!*.cert" entries or by adding matching
ignore patterns above them.

23-38: Minor: redundant .env patterns.

Lines 26 (.env.local) and 27 (.env.*.local) are already fully covered by .env.* on line 24, and .envrc.local on line 37 is covered by .envrc on line 25 only if you treat .envrc as a prefix — it isn't, so .envrc.local on line 37 is actually needed. The two .env.local / .env.*.local entries can be dropped for clarity without changing behavior. Non-blocking.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.gitignore around lines 23 - 38, Remove the redundant .env patterns: drop
the entries ".env.local" and ".env.*.local" since ".env.*" already covers them;
keep ".env.*", ".envrc", and the explicitly needed ".envrc.local" (because
".envrc" is not a prefix match) and preserve the committed templates like
"!.env.example" etc.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 118-126: The gitleaks action block uses the unsupported with: args
input and misses the required GITLEAKS_LICENSE secret for organization repos;
update the job to either (A) switch to running the gitleaks CLI directly (invoke
gitleaks with flags like --redact, --verbose, --exit-code via a run step) or (B)
if keeping gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7,
remove the with: args line and move the desired flags into environment variables
supported by the action, and add GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE
}} under env so organization repos have a license; also remove the unnecessary
permissions scope security-events: write if you are not uploading SARIF results.

---

Nitpick comments:
In @.gitignore:
- Around line 141-143: The negation lines "!*.crt", "!ca.crt", and "!*.cert" are
no-ops because there are no preceding ignore rules that would match those
patterns; either remove these three negation lines to avoid confusion or add
corresponding ignore rules (e.g., "*.crt" and "*.cert" or "ca.crt" earlier in
the file) so the negations make sense; update the .gitignore by deleting the
"!*.crt", "!ca.crt", and "!*.cert" entries or by adding matching ignore patterns
above them.
- Around line 23-38: Remove the redundant .env patterns: drop the entries
".env.local" and ".env.*.local" since ".env.*" already covers them; keep
".env.*", ".envrc", and the explicitly needed ".envrc.local" (because ".envrc"
is not a prefix match) and preserve the committed templates like "!.env.example"
etc.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ad93d805-ebcc-48fd-8614-9ae6c0206bb0

📥 Commits

Reviewing files that changed from the base of the PR and between 92719c9 and 539b160.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .gitignore

Comment thread .github/workflows/ci.yml

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds repository-level secret leak prevention by introducing a CI gitleaks scan and adopting the petry-projects secrets-focused .gitignore baseline, aligning the repo with the push-protection compliance standard.

Changes:

  • Added a SHA-pinned secret-scan CI job using gitleaks/gitleaks-action with full git history checkout.
  • Replaced the minimal .gitignore with an org baseline focused on ignoring common secret/credential files, while retaining repo-specific ignores.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
.gitignore Replaced with an expanded secrets-only baseline plus repo-specific ignore entries.
.github/workflows/ci.yml Added secret-scan job to run gitleaks on PRs and pushes to main.

Comment thread .github/workflows/ci.yml
fetch-depth: 0

- name: Run gitleaks
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).

Copilot AI Apr 19, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment references ci-standards.md#action-pinning-policy, but there doesn’t appear to be a ci-standards.md in this repo. Consider linking to an existing in-repo doc (e.g., AGENTS.md or a security/CI standards file) or removing the reference to avoid a dead link.

Suggested change
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Pinned to a commit SHA per repository guidance in AGENTS.md.

Copilot uses AI. Check for mistakes.
@github-actions

github-actions Bot commented May 3, 2026

Copy link
Copy Markdown
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Collaborator Author

@claude Please address all open review comments on this PR from CodeRabbit and Copilot.

@claude

claude Bot commented May 6, 2026

Copy link
Copy Markdown

Claude finished @don-petry's task in 1m 38s —— View job


Addressing PR Review Comments

  • Read current state of changed files
  • Fix .gitignore - remove redundant .env.local and .env.*.local patterns (CodeRabbit nitpick)
  • Fix .gitignore - remove no-op negations !*.crt, !ca.crt, !*.cert (CodeRabbit nitpick)
  • Address ci.yml review comments — see note below

Changes made

.gitignore (commit 8e82269):

  • Removed .env.local and .env.*.local — already fully covered by .env.* on the line above
  • Removed !*.crt, !ca.crt, !*.cert — these were no-ops (no preceding rule ignores *.crt or *.cert patterns, so the negations had no effect)

ci.yml review comments — cannot modify workflow files

I'm unable to directly modify files in .github/workflows/ due to GitHub App permission constraints.

Good news: Looking at the current ci.yml, the two main CodeRabbit issues appear to have already been fixed in a prior commit (e76cde7):

  • with: args: input removed (gitleaks-action v2 doesn't support it)
  • GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} added to env:

Two remaining ci.yml items require a human to fix:

  1. security-events: write permission (CodeRabbit) — line 110: This permission is only needed for SARIF uploads. Since the job doesn't upload SARIF results, it can be removed from the secret-scan job's permissions: block.

  2. Dead doc reference (Copilot) — line 119: The comment references ci-standards.md#action-pinning-policy which doesn't exist in this repo. It should be updated to reference AGENTS.md instead:

    # Pinned to a commit SHA per repository guidance in AGENTS.md.

You can find more information and potential workarounds in the FAQ.
|

github-actions Bot and others added 2 commits May 13, 2026 12:06
…g baseline

- Add SHA-pinned `gitleaks/gitleaks-action@ff98106` secret-scan job to ci.yml
  scanning full git history on every PR and push to main (per push-protection
  standard Layer 3 requirements)
- Replace minimal .gitignore with full petry-projects secrets baseline covering
  dotenv, cloud credentials, SSH/TLS keys, IaC secrets, package registry creds,
  IDE credential caches, and modern AI tooling config files

Closes #170

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Remove .env.local and .env.*.local (already covered by .env.*).
Remove !*.crt, !ca.crt, !*.cert negations which are no-ops since
no preceding rule ignores those patterns (per CodeRabbit review).

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
@don-petry don-petry force-pushed the claude/issue-170-20260419-2133 branch from 8e82269 to 157f3ac Compare May 13, 2026 17:06
donpetry-bot
donpetry-bot previously approved these changes May 17, 2026

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 3ac8c53d0ec86d26cf388331c53a558709ceb02f
Review mode: triage-approved (single reviewer)

Summary

Confirmation pass on a triage-approved PR. The diff is entirely additive .gitignore content (+390/-1) adopting the petry-projects org secrets baseline — dotenv family, cloud credentials, SSH/TLS/GPG key material, IaC state, secret-manager caches, package-registry credential dotfiles, IDE credential caches, and modern AI-tooling config files. No executable code, no workflow changes in this diff (the secret-scan ci.yml job referenced in the PR description appears to have already landed on main via earlier merges). Triage's low-risk classification is correct.

Linked issue analysis

Closes #170 (push-protection compliance baseline). The .gitignore half of the remediation is satisfied here: the file contains .env, *.pem, and *.key entries (and the rest of the org baseline), which fulfills the gitignore_secrets_block compliance check. The secret_scan_ci_job_present check is satisfied by the ci.yml job already present on main. As the PR author notes, the residual security_and_analysis_unavailable finding is an admin/settings action and cannot be resolved in code.

Findings

  • Prior review feedback resolved. CodeRabbit's nitpicks on (a) redundant .env.local / .env.*.local (already covered by .env.*) and (b) no-op !*.crt / !ca.crt / !*.cert negations were addressed in commit 157f3ac; neither pattern appears in the current diff.
  • Patterns look correct. Negations are placed immediately after the broad pattern they carve out of (per the file's own ordering rule). Public-artifact re-allows (!*.pub, !public.pem, !*.enc.yaml, !*.sops.yaml, !*.tfvars.example, etc.) are sensible. Inline comments call out known false-positive surfaces (*.pem / *.key for TLS fixtures) and point to the right escape hatch (per-file ! overrides in per-repo .gitignore).
  • No security concerns. The change only adds ignore patterns; it cannot expose secrets, only help prevent committing them. The only behavioral risk would be accidentally ignoring a file that the repo currently tracks — but git won't untrack already-tracked files via .gitignore alone, so this is a no-op for existing tracked content.
  • No new findings introduced by this review.

CI status

All green: CodeQL (actions, javascript-typescript, python) SUCCESS, CodeRabbit SUCCESS, Sonar Quality Gate passed (0 new issues, 0 hotspots). mergeStateStatus is BLOCKED only because reviewDecision is REVIEW_REQUIRED — this review unblocks it.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@sonarqubecloud

Copy link
Copy Markdown

@donpetry-bot

Copy link
Copy Markdown
Contributor

Review — fix requested (cycle 2/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Automated review — NEEDS HUMAN REVIEW

Risk: LOW
Reviewed commit: 96dddd80f54c79a78093c3e98e6907d47af0b596
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)

Summary

The .gitignore expansion is a well-structured, secrets-only org baseline with no executable code changes — risk is LOW. However, the PR has an active merge conflict (mergeStateStatus: DIRTY) blocking merge; human intervention is required to resolve it before this PR can land. A prior automated review already approved the content at the previous SHA.

Findings

  • MAJOR: PR is CONFLICTING (mergeStateStatus: DIRTY) and cannot be merged. The branch last synced main on 2026-05-19; a change to .gitignore on main since then conflicts with this PR's additions. The auto-rebase bot also failed on 2026-05-03. A human must resolve conflicts and push a clean commit before this PR can proceed.
  • MINOR: PR description claims to add a 'gitleaks/gitleaks-action@ff98106' secret-scan job to ci.yml, but the current diff contains only .gitignore changes. According to the prior automated review and commit history, the ci.yml change appears to have already landed on main via earlier merges. The description should be updated to reflect that this PR now only delivers the .gitignore baseline. This is not a security concern but may confuse reviewers.
  • INFO: All CI checks are green: CodeQL (actions, javascript-typescript, python) SUCCESS; SonarQube Cloud quality gate passed (0 new issues, 0 security hotspots). No security scanner warnings.
  • INFO: A prior automated review (donpetry-bot) APPROVED this PR at SHA 3ac8c53 with risk=LOW. The current HEAD 96dddd8 is an automated merge commit from main — no new logic was introduced since that approval. The .gitignore content reviewed here matches the approved baseline.
  • INFO: .gitignore additions cover 13 well-documented sections: dotenv family, cloud provider credentials (AWS/GCP/Azure/DO/Fly/Vercel), Kubernetes/Helm secrets, SSH/TLS/GPG key material, Terraform/IaC state, secret manager caches (SOPS/Vault/Doppler/1Password), database dumps, package registry credential dotfiles (.npmrc/.gem/.cargo/.m2), cloud CLI token caches, IDE credential files (JetBrains/VS Code/Cursor), generic secret filename conventions, modern AI-tooling config (2024-2026 hotspots), and agent worktrees. Negations are placed immediately after the broad patterns they carve out of per the file's own ordering rule. Public-artifact re-allows (!.pub, !.enc.yaml, !*.sops.yaml, etc.) are sensible and well-commented. No behavioral issues found.
  • INFO: CodeRabbit flagged two nitpicks in the original commit: (1) redundant .env.local / .env..local patterns (already covered by .env.), and (2) no-op !.crt / !ca.crt / !.cert negations. Both were addressed in commit 157f3ac per the Claude bot comment. Neither pattern appears in the current diff.
  • INFO: Issue Compliance: security_and_analysis_unavailable #170 (Compliance: security_and_analysis_unavailable) is already CLOSED. The .gitignore half of the remediation satisfies the gitignore_secrets_block compliance check. The residual security_and_analysis_unavailable finding requires admin-scoped Settings changes and cannot be resolved via code, as documented in the PR.

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@donpetry-bot donpetry-bot dismissed their stale review June 2, 2026 03:33

Superseded by automated re-review at 96dddd8.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
auto-merge was automatically disabled June 2, 2026 12:16

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: security_and_analysis_unavailable

3 participants