ci: add gitleaks secret-scan job (compliance #171) #198
Adds the required `secret-scan` job to `ci.yml` per the org push-protection standard (standards/push-protection.md#required-ci-job). The job uses `gitleaks/gitleaks-action@v2.3.9` (SHA-pinned per the Action Pinning Policy) with full git history checkout (`fetch-depth: 0`) and `--redact` to avoid logging secret values.

Closes #171

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a mandatory secret-scanning CI job using Gitleaks to satisfy org push-protection/compliance requirements and fail builds on detected secrets.
Changes:
- Adds a new `secret-scan` job to `ci.yml` running `gitleaks/gitleaks-action` with full-history checkout.
- Pins third-party GitHub Actions to SHAs per the action pinning policy.
- Configures Gitleaks to redact findings and return a failing exit code on detections.
Adds the required `secret-scan` job per the org push-protection standard (standards/push-protection.md#layer-3--ci-secret-scanning-secondary-defense). The job:
- Checks out full git history (`fetch-depth: 0`) for complete scan coverage
- Runs `gitleaks/gitleaks-action@v2.3.9` pinned to SHA `ff98106e4c7b2bc287b24eaf42907196329070c7`
- Passes `--redact` to prevent secrets appearing in logs
- Passes `--exit-code 1` to fail the build on any finding
- Passes `GITLEAKS_LICENSE` from secrets to satisfy the org-repo license requirement (prior attempt PR #198 omitted this env var, causing the CI failure)

Resolves the `secret_scan_ci_job_present` compliance finding.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
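The job laid out in the description above, turned into something a compliance audit can check. The block below is an added example, not this PR's `ci.yml` and not the org's audit tooling: it embeds a constructed workflow containing the `secret-scan` job (the `gitleaks/gitleaks-action` SHA is the one the PR cites; the `actions/checkout` SHA is an all-zeros placeholder to be replaced with the real pin; `GITHUB_TOKEN` and `GITLEAKS_LICENSE` follow the action's documented env usage; how `--redact` and `--exit-code` reach the action is not reproduced), plus a small line-based audit, `audit_workflow`, that raises the `secret_scan_ci_job_present` finding named in the PR when no gitleaks job exists and also enforces SHA pinning and `fetch-depth: 0`. The other finding ids (`action_not_sha_pinned`, `secret_scan_full_history`, `secret_scan_license_env`) are made up for this example.

```python
import re

# Constructed sample: ci.yml with the secret-scan job as the PR describes it.
# Assumptions: actions/checkout uses an all-zeros PLACEHOLDER SHA (substitute the
# real pin); the gitleaks-action SHA is the one cited in the PR; env vars follow
# the action's documented usage.
GOOD_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - run: make test
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          fetch-depth: 0            # full history so every commit is scanned
      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}  # required for org repos
"""

# Constructed "before" state: tag-pinned actions, no full-history checkout,
# and the missing GITLEAKS_LICENSE that the PR description says broke CI.
BAD_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gitleaks/gitleaks-action@v2.3.9
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed: a workflow with no secret-scan job at all.
MISSING_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - run: make test
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # a full commit SHA, the only accepted pin
USES_RE = re.compile(r"uses:\s*([^\s#]+)")      # value of a `uses:` key, comment stripped
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # job names sit at 2-space indent


def split_jobs(workflow_text):
    """Return {job_name: [lines]} using indentation only (no YAML library needed).
    Assumes the conventional 2-space layout under a top-level 'jobs:' key."""
    jobs, current, in_jobs = {}, None, False
    for line in workflow_text.splitlines():
        if not in_jobs:
            in_jobs = line.startswith("jobs:")
            continue
        m = JOB_RE.match(line)
        if m:
            current = m.group(1)
            jobs[current] = []
        elif current is not None and line.strip():
            jobs[current].append(line)
        elif line and not line.startswith(" "):
            break  # back at top level; the jobs block is over
    return jobs


def audit_workflow(workflow_text):
    """Return a list of (finding_id, detail) tuples; an empty list means compliant."""
    findings, scan_jobs = [], []
    for name, lines in split_jobs(workflow_text).items():
        body = "\n".join(lines)
        for ref in USES_RE.findall(body):
            action, _, version = ref.partition("@")
            if action.startswith("./"):
                continue  # local composite action, not third-party
            if action.startswith("gitleaks/gitleaks-action"):
                scan_jobs.append((name, body))
            if not SHA_RE.match(version):
                findings.append(("action_not_sha_pinned", f"{name}: {ref}"))
    if not scan_jobs:
        findings.append(("secret_scan_ci_job_present", "no job uses gitleaks/gitleaks-action"))
        return findings
    for name, body in scan_jobs:
        if not re.search(r"fetch-depth:\s*0\b", body):
            findings.append(("secret_scan_full_history", f"{name}: checkout lacks fetch-depth: 0"))
        if "GITLEAKS_LICENSE" not in body:
            findings.append(("secret_scan_license_env", f"{name}: GITLEAKS_LICENSE not set"))
    return findings


if __name__ == "__main__":
    for label, text in [("good", GOOD_WORKFLOW), ("bad", BAD_WORKFLOW), ("missing", MISSING_WORKFLOW)]:
        print(label, audit_workflow(text) or "compliant")
```

Running the block prints `compliant` for the first workflow, four findings for the tag-pinned one (two unpinned actions, no full history, no license) and the single `secret_scan_ci_job_present` finding for the workflow with no gitleaks job. The parser is deliberately indentation-based so it runs with no extra dependencies; a real audit would parse the YAML properly, but the checks it applies are the same ones the PR description lists.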
Summary
- Adds the `secret-scan` job to `.github/workflows/ci.yml` per the org push-protection standard (standards/push-protection.md#required-ci-job)
- Uses `gitleaks/gitleaks-action@v2.3.9` (SHA-pinned to `ff98106e4c7b2bc287b24eaf42907196329070c7` per the Action Pinning Policy)
- Full-history checkout (`fetch-depth: 0`) so every commit is scanned, not just the PR diff
- `--redact` flag prevents leaked values from appearing in workflow logs
- `--exit-code 1` fails the build on any finding

Why this PR
The weekly compliance audit flags `secret_scan_ci_job_present` because `ci.yml` lacked a `gitleaks` job. Previous fix in PR #190 was never merged; this is a clean implementation on the new branch.

Test plan
- `secret-scan` job passes on this PR
- `secret_scan_ci_job_present` after merge

Closes #171
Generated with Claude Code