ci: add gitleaks secret-scan job (fixes #171)#240
Conversation
Adds the required `secret-scan` job to `ci.yml` per the org push-protection standard (Layer 3 — CI Secret Scanning). The job: - Checks out the full git history (fetch-depth: 0) for a complete scan - Runs gitleaks-action v2.3.9 (SHA-pinned, verified via gh api) - Passes --redact so leaked values are never written to logs - Fails the build (--exit-code 1) on any finding - Has security-events: write permission for SARIF upload Closes #171 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 0/1 reviews remaining, refill in 42 minutes and 1 second.Comment |
|
|
@don-petry — CI is green (Secret scan passed ✓). Please review and merge when ready. Note: PRs #190, #198, and #215 are superseded by this PR and can be closed. |
There was a problem hiding this comment.
Pull request overview
This PR updates the main CI workflow to add the required Gitleaks-based secret scanning job so the repository meets the organization’s push-protection compliance requirement from issue #171.
Changes:
- Adds a new
secret-scanjob to.github/workflows/ci.yml. - Checks out full git history so Gitleaks can scan the repository history rather than only the current checkout.
- Runs the SHA-pinned
gitleaks/gitleaks-actionwith redaction enabled and a non-zero exit code on findings.
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} |



Summary
secret-scanjob to.github/workflows/ci.ymlper the org push-protection standard (Layer 3 — CI Secret Scanning)fetch-depth: 0), runsgitleaks-action@v2.3.9(SHA-pinned), with--redactand--exit-code 1ff98106e4c7b2bc287b24eaf42907196329070c7← confirmed viagh api repos/gitleaks/gitleaks-action/git/refs/tags/v2.3.9Closes #171
Self-review checklist
actions/checkout)de0fac2e4...— matches existing ci.ymlgitleaks/gitleaks-action@v2.3.9)ff98106e4...— verified viagh apifetch-depth: 0(full history scan)--redact(no secrets in logs)args)--exit-code 1(fails build on finding)args)GITHUB_TOKENenv varGITLEAKS_LICENSEenv varsecrets.GITLEAKS_LICENSE)security-events: writepermissionuses: gitleaks/gitleaks-action@)Notes on previous PRs
PRs #190, #198, and #215 are superseded by this PR and can be closed.
Generated with Claude Code