security: add gitleaks secret-scan CI job and expand .gitignore to org baseline#214
security: add gitleaks secret-scan CI job and expand .gitignore to org baseline#214don-petry wants to merge 6 commits into
Conversation
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. 📝 WalkthroughWalkthroughThe pull request adds GitHub Actions secret scanning via gitleaks and expands the repository's gitignore to comprehensively exclude secret files, credential artifacts, and sensitive configuration across multiple formats and tools. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related issues
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@don-petry — PR is ready for review. Summary of changes:
One manual step required:
The compliance check Note: The root |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
.gitignore (2)
141-143: Negations for patterns that are never ignored.
!*.crt,!ca.crt, and!*.certre-include files that aren't matched by any preceding ignore rule in this file, so these lines are no-ops today. They're harmless but slightly misleading — either add matching*.crt/*.certignores above (certs can embed private keys in some formats, but conventionally don't) or drop these negations. Non-blocking.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.gitignore around lines 141 - 143, The negation lines "!*.crt", "!ca.crt", and "!*.cert" are no-ops because there are no preceding ignore rules that would match those patterns; either remove these three negation lines to avoid confusion or add corresponding ignore rules (e.g., "*.crt" and "*.cert" or "ca.crt" earlier in the file) so the negations make sense; update the .gitignore by deleting the "!*.crt", "!ca.crt", and "!*.cert" entries or by adding matching ignore patterns above them.
23-38: Minor: redundant.envpatterns.Lines 26 (
.env.local) and 27 (.env.*.local) are already fully covered by.env.*on line 24, and.envrc.localon line 37 is covered by.envrcon line 25 only if you treat.envrcas a prefix — it isn't, so.envrc.localon line 37 is actually needed. The two.env.local/.env.*.localentries can be dropped for clarity without changing behavior. Non-blocking.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.gitignore around lines 23 - 38, Remove the redundant .env patterns: drop the entries ".env.local" and ".env.*.local" since ".env.*" already covers them; keep ".env.*", ".envrc", and the explicitly needed ".envrc.local" (because ".envrc" is not a prefix match) and preserve the committed templates like "!.env.example" etc.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 118-126: The gitleaks action block uses the unsupported with: args
input and misses the required GITLEAKS_LICENSE secret for organization repos;
update the job to either (A) switch to running the gitleaks CLI directly (invoke
gitleaks with flags like --redact, --verbose, --exit-code via a run step) or (B)
if keeping gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7,
remove the with: args line and move the desired flags into environment variables
supported by the action, and add GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE
}} under env so organization repos have a license; also remove the unnecessary
permissions scope security-events: write if you are not uploading SARIF results.
---
Nitpick comments:
In @.gitignore:
- Around line 141-143: The negation lines "!*.crt", "!ca.crt", and "!*.cert" are
no-ops because there are no preceding ignore rules that would match those
patterns; either remove these three negation lines to avoid confusion or add
corresponding ignore rules (e.g., "*.crt" and "*.cert" or "ca.crt" earlier in
the file) so the negations make sense; update the .gitignore by deleting the
"!*.crt", "!ca.crt", and "!*.cert" entries or by adding matching ignore patterns
above them.
- Around line 23-38: Remove the redundant .env patterns: drop the entries
".env.local" and ".env.*.local" since ".env.*" already covers them; keep
".env.*", ".envrc", and the explicitly needed ".envrc.local" (because ".envrc"
is not a prefix match) and preserve the committed templates like "!.env.example"
etc.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: ad93d805-ebcc-48fd-8614-9ae6c0206bb0
📒 Files selected for processing (2)
.github/workflows/ci.yml.gitignore
There was a problem hiding this comment.
Pull request overview
Adds repository-level secret leak prevention by introducing a CI gitleaks scan and adopting the petry-projects secrets-focused .gitignore baseline, aligning the repo with the push-protection compliance standard.
Changes:
- Added a SHA-pinned
secret-scanCI job usinggitleaks/gitleaks-actionwith full git history checkout. - Replaced the minimal
.gitignorewith an org baseline focused on ignoring common secret/credential files, while retaining repo-specific ignores.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
.gitignore |
Replaced with an expanded secrets-only baseline plus repo-specific ignore entries. |
.github/workflows/ci.yml |
Added secret-scan job to run gitleaks on PRs and pushes to main. |
| fetch-depth: 0 | ||
|
|
||
| - name: Run gitleaks | ||
| # Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy). |
There was a problem hiding this comment.
This comment references ci-standards.md#action-pinning-policy, but there doesn’t appear to be a ci-standards.md in this repo. Consider linking to an existing in-repo doc (e.g., AGENTS.md or a security/CI standards file) or removing the reference to avoid a dead link.
| # Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy). | |
| # Pinned to a commit SHA per repository guidance in AGENTS.md. |
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
|
@claude Please address all open review comments on this PR from CodeRabbit and Copilot. |
|
Claude finished @don-petry's task in 1m 38s —— View job Addressing PR Review Comments
Changes made
|
…g baseline - Add SHA-pinned `gitleaks/gitleaks-action@ff98106` secret-scan job to ci.yml scanning full git history on every PR and push to main (per push-protection standard Layer 3 requirements) - Replace minimal .gitignore with full petry-projects secrets baseline covering dotenv, cloud credentials, SSH/TLS keys, IaC secrets, package registry creds, IDE credential caches, and modern AI tooling config files Closes #170 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Remove .env.local and .env.*.local (already covered by .env.*). Remove !*.crt, !ca.crt, !*.cert negations which are no-ops since no preceding rule ignores those patterns (per CodeRabbit review). Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
8e82269 to
157f3ac
Compare
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 3ac8c53d0ec86d26cf388331c53a558709ceb02f
Review mode: triage-approved (single reviewer)
Summary
Confirmation pass on a triage-approved PR. The diff is entirely additive .gitignore content (+390/-1) adopting the petry-projects org secrets baseline — dotenv family, cloud credentials, SSH/TLS/GPG key material, IaC state, secret-manager caches, package-registry credential dotfiles, IDE credential caches, and modern AI-tooling config files. No executable code, no workflow changes in this diff (the secret-scan ci.yml job referenced in the PR description appears to have already landed on main via earlier merges). Triage's low-risk classification is correct.
Linked issue analysis
Closes #170 (push-protection compliance baseline). The .gitignore half of the remediation is satisfied here: the file contains .env, *.pem, and *.key entries (and the rest of the org baseline), which fulfills the gitignore_secrets_block compliance check. The secret_scan_ci_job_present check is satisfied by the ci.yml job already present on main. As the PR author notes, the residual security_and_analysis_unavailable finding is an admin/settings action and cannot be resolved in code.
Findings
- Prior review feedback resolved. CodeRabbit's nitpicks on (a) redundant
.env.local/.env.*.local(already covered by.env.*) and (b) no-op!*.crt/!ca.crt/!*.certnegations were addressed in commit157f3ac; neither pattern appears in the current diff. - Patterns look correct. Negations are placed immediately after the broad pattern they carve out of (per the file's own ordering rule). Public-artifact re-allows (
!*.pub,!public.pem,!*.enc.yaml,!*.sops.yaml,!*.tfvars.example, etc.) are sensible. Inline comments call out known false-positive surfaces (*.pem/*.keyfor TLS fixtures) and point to the right escape hatch (per-file!overrides in per-repo.gitignore). - No security concerns. The change only adds ignore patterns; it cannot expose secrets, only help prevent committing them. The only behavioral risk would be accidentally ignoring a file that the repo currently tracks — but
gitwon't untrack already-tracked files via.gitignorealone, so this is a no-op for existing tracked content. - No new findings introduced by this review.
CI status
All green: CodeQL (actions, javascript-typescript, python) SUCCESS, CodeRabbit SUCCESS, Sonar Quality Gate passed (0 new issues, 0 hotspots). mergeStateStatus is BLOCKED only because reviewDecision is REVIEW_REQUIRED — this review unblocks it.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
|
Review — fix requested (cycle 2/3)The automated review identified the following issues. Please address each one: Findings to fixAutomated review — NEEDS HUMAN REVIEWRisk: LOW SummaryThe .gitignore expansion is a well-structured, secrets-only org baseline with no executable code changes — risk is LOW. However, the PR has an active merge conflict (mergeStateStatus: DIRTY) blocking merge; human intervention is required to resolve it before this PR can land. A prior automated review already approved the content at the previous SHA. Findings
Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review. Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
Superseded by automated re-review at 96dddd8.
|
Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead. |
Pull request was closed



Summary
gitleaks/gitleaks-action@ff98106secret-scanjob toci.yml, scanning full git history on every PR and push tomain(per push-protection standard Layer 3).gitignore(.envonly) with full petry-projects secrets baseline covering dotenv family, cloud credentials, SSH/TLS/GPG keys, IaC secrets, Kubernetes secrets, package registry credential dotfiles, IDE credential caches, and modern AI tooling config filesCompliance checks addressed
secret_scan_ci_job_presentgitignore_secrets_block.envonly)Test plan
build-and-testjob passessecret-scanjob runs and passes (no secrets in repo history).gitignorecontains.env,*.pem,*.keyentries (compliance check satisfied)Closes #170
Generated with Claude Code
Summary by CodeRabbit