Conversation
Adds the required secret-scan job per the push-protection standard (standards/push-protection.md#required-ci-job). Scans full git history on every PR and push to main with gitleaks, pinned to SHA. Closes #171 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 45 minutes and 45 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
gitleaks-action v2 requires a paid GITLEAKS_LICENSE for org repos. Switch to installing and running the gitleaks CLI (open-source, no license needed) directly — same full-history scan with --redact and --exit-code 1 as the standard requires. Co-authored-by: don-petry <don-petry@users.noreply.github.com>
|
There was a problem hiding this comment.
Pull request overview
Adds a required secret-scan CI job to bring the repository into compliance with the push-protection standard by running gitleaks on PRs and pushes to main.
Changes:
- Introduces a new
secret-scanjob that checks out full git history and runsgitleaks detectwith--redactand a failing exit code on findings.
| contents: read | ||
| steps: | ||
| - name: Checkout (full history) | ||
| # Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy). |
There was a problem hiding this comment.
The inline reference to ci-standards.md#action-pinning-policy appears to be a dead link in this repo (no ci-standards.md at the repository root). Consider updating this comment to point at an existing doc (e.g., the org standard) or remove the reference to avoid misleading future updates.
| # Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy). | |
| # Pin this action to a full commit SHA. |
|
All CI checks are passing (or pre-existing). The secret-scan job is green. @don-petry — ready for your review and merge. |
don-petry
left a comment
don-petry
left a comment
There was a problem hiding this comment.
Automated review — NEEDS HUMAN REVIEW
Risk: HIGH
Reviewed commit: 00414687af5f3401fba3364b1cf5249de4d32f63
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
SonarCloud Quality Gate is FAILING with 1 open Security Hotspot and the PR is merge-blocked; this alone warrants escalation. The underlying defect is a real supply-chain weakness: the gitleaks install step fetches the 'latest' release dynamically over curl and pipes the tarball to tar with no version pin and no checksum verification. Running unpinned unverified binaries inside a security-scanning job is an unacceptable posture and must be fixed before merge.
Findings
Critical
- [critical]
.github/workflows/ci.yml— SonarCloud Code Analysis check is FAILING with 1 Security Hotspot (confirmed by sonarqubecloud comment 'Quality Gate failed - 1 Security Hotspot').mergeStateStatusisBLOCKED. Resolve or explicitly disposition the hotspot in SonarCloud before merge — do not bypass.
Major
- [major]
.github/workflows/ci.yml:117— Install step resolves gitleakslatestat runtime via the GitHub API and installs the binary with no integrity check:curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep tag_name ...thencurl -sSfL <release tarball> | tar -xz -C /usr/local/bin gitleaks. There is no version pin, no SHA256 verification against the published checksums file, and the API call is unauthenticated (subject to rate limiting and upstream tampering risk). Pin to an explicit version (e.g.v8.27.2), download the matching checksums file, verifysha256sum -cbefore extracting, and write the binary to a tempdir owned by the runner user. Running an unverified third-party binary inside a job labelledsecret-scanis especially ironic and is almost certainly the Security Hotspot SonarCloud is flagging.
Minor
- [minor]
.github/workflows/ci.yml:118— Fragile version parsing:grep "tag_name" | cut -d\" -f4 | sed s/v//silently returns an empty string if the API schema changes or the response is HTML (e.g. rate-limit error page). Worth replacing withjq -r .tag_nameand an explicit non-empty check.
Info
- [info]
.github/workflows/ci.yml:108— The helper-lookup commentgh api repos/actions/checkout/git/refs/tags/v4is stale relative to the pinned# v6.0.2SHA. Worth correcting the example command to reference v6 for future maintainers. - [info]
.github/workflows/ci.yml— Positive observations: workflow is triggered bypull_request(notpull_request_target), so fork PRs run with a read-only ephemeral token and no org secrets. The secret-scan job declarespermissions: contents: read. Top-levelpermissions: {}is set. These mitigations materially lower the blast radius of the unverified-binary issue but do not eliminate it on push-to-main runs.
CI status
SonarCloud Quality Gate FAILING — 1 Security Hotspot open. mergeStateStatus: BLOCKED.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
Summary
secret-scanjob toci.ymlper the push-protection standardfetch-depth: 0) on every PR and push tomain--redactto prevent leaked values from appearing in logs--exit-code 1) on any findingCloses #171
Generated with Claude Code