Skip to content

ci: add gitleaks secret-scan job (fixes #171)#240

Closed
don-petry wants to merge 1 commit into
mainfrom
claude/issue-171-20260503-1513
Closed

ci: add gitleaks secret-scan job (fixes #171)#240
don-petry wants to merge 1 commit into
mainfrom
claude/issue-171-20260503-1513

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Summary

  • Adds the required secret-scan job to .github/workflows/ci.yml per the org push-protection standard (Layer 3 — CI Secret Scanning)
  • Job checks out full git history (fetch-depth: 0), runs gitleaks-action@v2.3.9 (SHA-pinned), with --redact and --exit-code 1
  • SHA verified: ff98106e4c7b2bc287b24eaf42907196329070c7 ← confirmed via gh api repos/gitleaks/gitleaks-action/git/refs/tags/v2.3.9

Closes #171

Self-review checklist

Check Result
SHA pinning (actions/checkout) de0fac2e4... — matches existing ci.yml
SHA pinning (gitleaks/gitleaks-action@v2.3.9) ff98106e4... — verified via gh api
fetch-depth: 0 (full history scan) Present
--redact (no secrets in logs) Present (via args)
--exit-code 1 (fails build on finding) Present (via args)
GITHUB_TOKEN env var Present
GITLEAKS_LICENSE env var Present (references secrets.GITLEAKS_LICENSE)
security-events: write permission Present (for SARIF upload)
Compliance regex match (uses: gitleaks/gitleaks-action@) Matches

Notes on previous PRs

PRs #190, #198, and #215 are superseded by this PR and can be closed.

Generated with Claude Code

Adds the required `secret-scan` job to `ci.yml` per the org push-protection
standard (Layer 3 — CI Secret Scanning). The job:
- Checks out the full git history (fetch-depth: 0) for a complete scan
- Runs gitleaks-action v2.3.9 (SHA-pinned, verified via gh api)
- Passes --redact so leaked values are never written to logs
- Fails the build (--exit-code 1) on any finding
- Has security-events: write permission for SARIF upload

Closes #171

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 3, 2026 15:15
@coderabbitai

coderabbitai Bot commented May 3, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 42 minutes and 1 second before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e2f3f644-c847-4ec0-9a52-8643d179bd30

📥 Commits

Reviewing files that changed from the base of the PR and between 56ee75a and dac419d.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-171-20260503-1513

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
Review rate limit: 0/1 reviews remaining, refill in 42 minutes and 1 second.

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

sonarqubecloud Bot commented May 3, 2026

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Collaborator Author

@don-petry — CI is green (Secret scan passed ✓). Please review and merge when ready.

Note: PRs #190, #198, and #215 are superseded by this PR and can be closed.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the main CI workflow to add the required Gitleaks-based secret scanning job so the repository meets the organization’s push-protection compliance requirement from issue #171.

Changes:

  • Adds a new secret-scan job to .github/workflows/ci.yml.
  • Checks out full git history so Gitleaks can scan the repository history rather than only the current checkout.
  • Runs the SHA-pinned gitleaks/gitleaks-action with redaction enabled and a non-zero exit code on findings.

Comment thread .github/workflows/ci.yml
Comment on lines +124 to +126
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing — created during dedup testing. Canonical PR for issue #171 is #215.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: secret_scan_ci_job_present

2 participants