Skip to content

ci: add secret-scan (gitleaks) job to satisfy push-protection compliance#106

Closed
don-petry wants to merge 17 commits into
mainfrom
claude/issue-95-20260414-1303
Closed

ci: add secret-scan (gitleaks) job to satisfy push-protection compliance#106
don-petry wants to merge 17 commits into
mainfrom
claude/issue-95-20260414-1303

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Summary

  • Adds the required secret-scan job to ci.yml per the push-protection standard
  • Addresses the secret_scan_ci_job_present compliance check (severity: error)
  • Uses full-history checkout (fetch-depth: 0), --redact to protect logs, and --exit-code 1 to fail on any finding
  • Both actions pinned to commit SHAs per Action Pinning Policy

Notes on security_and_analysis_unavailable

The compliance audit reports this because the audit token lacks admin scope to read the repo's security_and_analysis settings. Those settings (secret scanning, push protection, Dependabot security updates) need to be enabled by a repo/org admin via the GitHub UI or API. The code-side contribution we can make is ensuring the CI layer (gitleaks) is in place — which this PR delivers.

Closes #95

Generated with Claude Code

Adds the required gitleaks secret-scanning job per the push-protection
standard (standards/push-protection.md#layer-3--ci-secret-scanning-secondary-defense).
Addresses the secret_scan_ci_job_present compliance check.

- Full history checkout (fetch-depth: 0) so all commits are scanned
- --redact flag ensures secrets are never written to workflow logs
- --exit-code 1 fails the build on any finding
- Actions pinned to SHAs per Action Pinning Policy

Closes #95

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 13:05
@coderabbitai

coderabbitai Bot commented Apr 14, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 54 minutes and 21 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c59ac669-64b0-4e9c-86a0-3919f204db63

📥 Commits

Reviewing files that changed from the base of the PR and between d8da2d2 and abb58a9.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .gitignore
  • .gitleaks.toml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-95-20260414-1303

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Contributor Author

@don-petry This PR adds the required secret-scan (gitleaks) job to ci.yml to address the push-protection compliance finding. Please review and merge when CI is green.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a CI “secondary defense” secret-scanning layer by introducing a dedicated secret-scan job (Gitleaks) into the main CI workflow, aligning the repo with the push-protection standard and addressing the secret_scan_ci_job_present compliance check.

Changes:

  • Adds a new secret-scan job to .github/workflows/ci.yml that runs Gitleaks and fails the workflow on findings.
  • Uses full-history checkout (fetch-depth: 0) and passes --redact to reduce risk of secret exposure in logs.
  • Pins both actions/checkout and gitleaks/gitleaks-action to specific commit SHAs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@don-petry

don-petry commented Apr 16, 2026

Copy link
Copy Markdown
Contributor Author
Outdated review (superseded by re-review at 8f633149a01a1acef2365b0ff1ccc40e1ccda2d2) — click to expand.

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

  • [major] .github/workflows/ci.ymlgitleaks-action v2 (SHA ff98106e4c7b2bc287b24eaf42907196329070c7) does NOT accept an args input. Runner logs show: ##[warning]Unexpected input(s) 'args', valid inputs are ['']. This means --redact, --verbose, and --exit-code 1 are all silently ignored. The PR description claims the --redact flag protects logs and --exit-code 1 fails the build on findings — neither claim is currently true. Fix: either switch to a version of the action that supports these flags, invoke the gitleaks binary directly, or use gitleaks-action v1 which accepts args differently.

  • [major] .github/workflows/ci.yml — The "Secret scan (gitleaks)" check fails with 🛑 missing gitleaks license. Go grab one at gitleaks.io and store it as a GitHub Secret named GITLEAKS_LICENSE. gitleaks-action v2 requires a commercial license for GitHub organizations. Until a GITLEAKS_LICENSE secret is added, this job will always fail — the action never scans anything. Options: (1) purchase a license and add GITLEAKS_LICENSE secret; (2) replace with the self-hosted gitleaks binary (free) invoked from a shell step; (3) use an alternative like trufflehog.

  • [minor] .github/workflows/ci.ymlgitleaks-action v2 phones home to gitleaks.io for license validation on every run, extending the supply-chain trust boundary with a runtime dependency on a third-party licensing service. Consider replacing with a direct invocation of the gitleaks OSS binary (no phone-home, MIT-licensed).

  • [minor] .github/workflows/ci.yml — Job grants security-events: write but the current invocation does not upload SARIF (no upload step; the args input is ignored so no SARIF would be produced regardless). Drop security-events: write until SARIF upload is actually wired up.

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on main if the branch is behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

don-petry added a commit that referenced this pull request Apr 18, 2026
Adds the required secret-scan job to ci.yml per Layer 3 of the
push-protection standard. Satisfies the secret_scan_ci_job_present
compliance check (error severity).

Key properties:
- Full history checkout (fetch-depth: 0) — scans all commits, not just diff
- --redact — leaked values are never written to workflow logs
- --exit-code 1 — build fails on any finding
- Both actions pinned to commit SHAs per Action Pinning Policy

Also applied security_and_analysis settings via API (secret scanning,
push protection, and Dependabot security updates now enabled at
repo level), addressing the security_and_analysis_unavailable warning.

Closes #95
Supersedes #106

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease

The gitleaks/gitleaks-action requires a paid license for GitHub org repos.
Switch to direct CLI install via wget + sha256 verification instead.
@don-petry

Copy link
Copy Markdown
Contributor Author

CI fix: replaced gitleaks/gitleaks-action with direct CLI install

The Secret scan (gitleaks) job was failing with:

[petry-projects] is an organization. License key is required.

gitleaks/gitleaks-action requires a paid license for GitHub org repos. This commit replaces it with a direct CLI install approach that:

  • Downloads gitleaks v8.30.1 binary via wget
  • Verifies the download with sha256sum
  • Runs gitleaks detect directly (no license needed)

Also removed the now-unnecessary security-events: write permission from the job.

@sonarqubecloud

Copy link
Copy Markdown

❌ The last analysis has failed.

See analysis details on SonarQube Cloud

@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
1 Security Hotspot
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@don-petry don-petry requested a review from a team as a code owner May 19, 2026 05:08
@don-petry

Copy link
Copy Markdown
Contributor Author

@dev-lead - please fix this PR

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@donpetry-bot

Copy link
Copy Markdown
Contributor

Review — fix requested (cycle 2/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Automated review — NEEDS HUMAN REVIEW

Risk: LOW
Reviewed commit: abb58a9a32e3c82c482f8b60241b0cb903467a73
Cascade: triage → audit (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)

Summary

PR adds a gitleaks secret-scanning job with strong hygiene — least-privilege permissions, SHA-pinned actions, HTTPS download with SHA256 verification, --redact, --exit-code 1. Verified against ground truth: actions/checkout@de0fac2 IS a legitimate v6.0.2 release (published 2026-01-09 — deep review's 'no v6 exists' claim was incorrect), the gitleaks SHA256 matches the official upstream checksums.txt exactly, and no SonarQube check actually exists on the head SHA (CodeQL/CodeRabbit/Analyze all SUCCESS — the SonarCloud Quality Gate finding was hallucinated by the deep review). Escalation required only because the branch is CONFLICTING with main (mergeStateStatus=DIRTY) and so cannot merge in its current state; the security posture itself is sound.

Findings

  • MAJOR: Branch is CONFLICTING with main (mergeable=CONFLICTING, mergeStateStatus=DIRTY). Since the conflict is in .github/workflows/ci.yml, the auto-rebase bot lacks the 'workflows' permission and the author must rebase manually before this PR can land. Not a security issue, but a merge gate.
  • MINOR: The new .gitleaks.toml unconditionally allowlists the entire _bmad/ directory tree. Any secret accidentally committed under that path will be silently ignored by the new scanner. Add a brief rationale comment in .gitleaks.toml and spot-check that no real credentials exist under _bmad/ before relying on this exemption. (.gitleaks.toml:6)
  • INFO: .gitignore now contains five identical '.dev-lead/' entries (three pre-existing plus two newly added on lines 38-39). Harmless but should be collapsed to one. (.gitignore:38)
  • INFO: Verified: actions/checkout SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd resolves to the legitimate v6.0.2 release tag (published 2026-01-09). The pin is trustworthy; the '# v6.0.2' annotation is accurate. (.github/workflows/ci.yml:100)
  • INFO: Verified: gitleaks v8.30.1 linux_x64 SHA256 (551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb) matches the official upstream gitleaks_8.30.1_checksums.txt exactly. Supply-chain integrity for the binary is sound. (.github/workflows/ci.yml)

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: security_and_analysis_unavailable

3 participants