Skip to content

ci: add gitleaks secret-scan job (compliance #171)#215

Merged
don-petry merged 5 commits into
mainfrom
claude/issue-171-20260419-2133
May 3, 2026
Merged

ci: add gitleaks secret-scan job (compliance #171)#215
don-petry merged 5 commits into
mainfrom
claude/issue-171-20260419-2133

Conversation

@don-petry

@don-petry don-petry commented Apr 19, 2026

Copy link
Copy Markdown
Collaborator

Summary

What was added

secret-scan:
  name: Secret scan (gitleaks)
  runs-on: ubuntu-latest
  permissions:
    contents: read
    security-events: write
  steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        fetch-depth: 0
    - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

Why this PR over #198

PR #198 had the correct action reference but CI failed because GITLEAKS_LICENSE was not passed in the env: block. gitleaks-action@v2 requires this for organization repos. This PR adds GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} — if the org secret is configured, CI will pass.

If CI still fails on "Secret scan (gitleaks)": the GITLEAKS_LICENSE secret needs to be added at the org or repo level (obtain from gitleaks.io).

Compliance check satisfied

The weekly audit greps for uses: gitleaks/gitleaks-action@ in ci.yml — this PR satisfies that check.

Closes #171

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD pipeline with automated secret scanning to improve repository security.

Adds the required `secret-scan` job per the org push-protection standard
(standards/push-protection.md#layer-3--ci-secret-scanning-secondary-defense).

The job:
- Checks out full git history (fetch-depth: 0) for complete scan coverage
- Runs gitleaks/gitleaks-action@v2.3.9 pinned to SHA ff98106e4c7b2bc287b24eaf42907196329070c7
- Passes --redact to prevent secrets appearing in logs
- Passes --exit-code 1 to fail the build on any finding
- Passes GITLEAKS_LICENSE from secrets to satisfy the org-repo license requirement
  (prior attempt PR #198 omitted this env var, causing the CI failure)

Resolves the `secret_scan_ci_job_present` compliance finding.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 19, 2026 21:38
@coderabbitai

coderabbitai Bot commented Apr 19, 2026

Copy link
Copy Markdown

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Added a new secret-scan job to the CI workflow that performs gitleaks scanning. The job checks out the repository with full history and runs gitleaks with redaction and verbose output, configured to fail on detected secrets using repository secrets and appropriate permissions.

Changes

CI Security Scanning

Layer / File(s) Summary
Workflow Job Configuration
.github/workflows/ci.yml
New secret-scan job added with full repository history checkout, gitleaks detection with --redact --verbose --exit-code 1, and security-events: write permission for reporting findings.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly identifies the main change: adding a gitleaks secret-scan job to CI configuration to address compliance requirement #171.
Linked Issues check ✅ Passed The PR implements the required secret-scan job per issue #171 requirements, using gitleaks-action with proper configuration including fetch-depth: 0, GITLEAKS_LICENSE secret, and appropriate permissions.
Out of Scope Changes check ✅ Passed The changes are limited to adding the secret-scan CI job to .github/workflows/ci.yml as specified in the linked compliance issue, with no unrelated modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-171-20260419-2133

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
Review rate limit: 0/1 reviews remaining, refill in 60 minutes.

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Collaborator Author

@don-petry — this PR implements the secret-scan job per the org standard and satisfies the secret_scan_ci_job_present compliance check. However, there is an infrastructure blocker preventing CI from passing.

CI failure: missing GITLEAKS_LICENSE

gitleaks-action@v2 requires a paid GITLEAKS_LICENSE for organization repos. The secret is not configured at the org or repo level:

[petry-projects] is an organization. License key is required.
🛑 missing gitleaks license. Go grab one at gitleaks.io

To unblock

  1. Obtain a GITLEAKS_LICENSE from gitleaks.io (free tier available for open-source)
  2. Add it as an org-level secret: Org settings → Secrets and variables → Actions → New organization secret named GITLEAKS_LICENSE
  3. Re-run the failed "Secret scan (gitleaks)" job — it will pass once the secret is available
  4. Merge this PR

Once merged, the secret_scan_ci_job_present compliance finding on issue #171 will be resolved on the next weekly audit.

Note: PRs #190 and #198 are superseded by this one and can be closed.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new CI job to run Gitleaks secret scanning to satisfy org push-protection compliance requirements and address issue #171.

Changes:

  • Add a secret-scan job to .github/workflows/ci.yml using gitleaks/gitleaks-action with SHA-pinned actions.
  • Configure full-history checkout and run gitleaks detect with redaction and failure on findings.
  • Pass GITLEAKS_LICENSE via workflow env (alongside GITHUB_TOKEN).

Comment thread .github/workflows/ci.yml
Comment on lines +105 to +110
secret-scan:
name: Secret scan (gitleaks)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write

Copilot AI Apr 19, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On pull_request events from forks, secrets.GITLEAKS_LICENSE will not be available and the GITHUB_TOKEN cannot be granted security-events: write, so this job is likely to fail for fork PRs (the rest of this workflow already has fork-specific handling). Consider adding an if: guard to run this job only on pushes and same-repo PRs, or otherwise skipping/uploading conditionally when the license/token permissions aren’t available.

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/ci.yml
Comment on lines +113 to +120
# Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0

- name: Run gitleaks
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).

Copilot AI Apr 19, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pinning-policy reference points to ci-standards.md#action-pinning-policy, but this repository doesn’t contain ci-standards.md. Update the comment to reference an existing doc/location (e.g., the org standards link in AGENTS.md) or remove it to avoid a dead reference.

Suggested change
# Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Run gitleaks
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Pin to a commit SHA.
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Run gitleaks
# Pin to a commit SHA.

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/ci.yml
steps:
- name: Checkout (full history)
# Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'

Copilot AI Apr 19, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "Look up current SHA" command references tags/v4, but the workflow is using an action version comment of v6.0.2 (and elsewhere in the repo actions/checkout is annotated as v6). Update the tag in the lookup command (or the version annotation) so maintainers fetch the correct SHA when refreshing pins.

Suggested change
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v6.0.2 --jq '.object.sha'

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/ci.yml
Comment on lines +113 to +120
# Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0

- name: Run gitleaks
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).

Copilot AI Apr 19, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pinning-policy comment again references ci-standards.md#action-pinning-policy, which doesn’t exist in this repo. Align the reference with an existing standard/documentation source so future updates don’t dead-end.

Suggested change
# Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Run gitleaks
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Pin to a full commit SHA per GitHub Actions security hardening guidance:
# https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Run gitleaks
# Pinned to a full commit SHA per GitHub Actions security hardening guidance:
# https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions

Copilot uses AI. Check for mistakes.
@sonarqubecloud

sonarqubecloud Bot commented May 3, 2026

Copy link
Copy Markdown

@don-petry don-petry merged commit 0979f9d into main May 3, 2026
23 of 25 checks passed
@don-petry don-petry deleted the claude/issue-171-20260419-2133 branch May 3, 2026 16:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: secret_scan_ci_job_present

2 participants