
security: add gitleaks secret-scan CI job and expand .gitignore to org baseline#214

Open
don-petry wants to merge 3 commits into main from claude/issue-170-20260419-2133

Conversation

@don-petry (Collaborator) commented Apr 19, 2026

Summary

  • Add SHA-pinned gitleaks/gitleaks-action@ff98106 secret-scan job to ci.yml, scanning full git history on every PR and push to main (per push-protection standard Layer 3)
  • Replace minimal .gitignore (.env only) with full petry-projects secrets baseline covering dotenv family, cloud credentials, SSH/TLS/GPG keys, IaC secrets, Kubernetes secrets, package registry credential dotfiles, IDE credential caches, and modern AI tooling config files

Compliance checks addressed

Check | Before | After
secret_scan_ci_job_present | ✗ missing | ✓ added
gitignore_secrets_block | ✗ partial (.env only) | ✓ full org baseline

Note: The security_and_analysis_unavailable finding (token lacks admin scope or plan limitation) cannot be resolved via code changes — it requires a human to enable Secret Scanning and Push Protection in GitHub repository settings (Settings → Code security and analysis).

Test plan

  • CI build-and-test job passes
  • CI secret-scan job runs and passes (no secrets in repo history)
  • .gitignore contains .env, *.pem, *.key entries (compliance check satisfied)

Closes #170

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added automated secret scanning to the CI/CD pipeline to detect and prevent credential leaks in the repository.
    • Updated repository configuration to protect sensitive files from being accidentally committed.

…g baseline

- Add SHA-pinned `gitleaks/gitleaks-action@ff98106` secret-scan job to ci.yml
  scanning full git history on every PR and push to main (per push-protection
  standard Layer 3 requirements)
- Replace minimal .gitignore with full petry-projects secrets baseline covering
  dotenv, cloud credentials, SSH/TLS keys, IaC secrets, package registry creds,
  IDE credential caches, and modern AI tooling config files

Closes #170

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 19, 2026 21:36
@coderabbitai (Bot) commented Apr 19, 2026

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 46 minutes and 3 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8dbfc041-36ad-42d6-bf8c-0ded99e647e2

📥 Commits

Reviewing files that changed from the base of the PR and between 539b160 and 508c8d9.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
Walkthrough

The pull request adds GitHub Actions secret scanning via gitleaks and expands the repository's gitignore to comprehensively exclude secret files, credential artifacts, and sensitive configuration across multiple formats and tools.

Changes

Cohort | File(s) | Summary
CI Workflow Secret Scanning | .github/workflows/ci.yml | Added secret-scan job that runs the gitleaks action to detect secrets in the repository with redaction and verbose output, configured to fail on findings.
Gitignore Secrets Baseline | .gitignore | Replaced minimal ignore rules with a comprehensive secrets-only baseline covering dotenv variants, cloud credentials, Kubernetes secrets, private keys/certificates, Terraform state, secret manager artifacts, database dumps, package manager credentials, IDE credential files, and generic secret/credential filename patterns.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

  • The changes directly address the compliance finding in the linked issue by implementing the required secret-scan GitHub Actions job using gitleaks to detect and prevent secrets from being committed, satisfying push-protection security requirements.
Pre-merge checks: 5 passed

Check name | Status | Explanation
Description Check | Passed | Check skipped: CodeRabbit's high-level summary is enabled.
Title check | Passed | The title clearly and specifically summarizes the main changes: adding a gitleaks secret-scan CI job and expanding .gitignore to the organization baseline.
Linked Issues check | Passed | The PR implements the main coding remediation for issue #170 by adding the gitleaks secret-scan CI job and updating .gitignore with security-focused rules.
Out of Scope Changes check | Passed | All changes are directly related to addressing security compliance requirements from issue #170; no out-of-scope modifications detected.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


…ITLEAKS_LICENSE env

The gitleaks-action v2.3.9 does not accept an `args` input — removes the
warning. Adds GITLEAKS_LICENSE env var reference so the action can be
configured for the petry-projects org by setting the corresponding secret.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
@don-petry (Collaborator, Author) commented:

@don-petry — PR is ready for review.

Summary of changes:

  • Added secret-scan job using gitleaks/gitleaks-action@ff98106 (SHA-pinned per ci-standards) to ci.yml
  • Replaced the minimal .gitignore with the full petry-projects secrets baseline

One manual step required:
The Secret scan (gitleaks) CI job will fail until a GITLEAKS_LICENSE secret is configured for this repository (or org-wide). gitleaks-action v2.x requires a license key for organization repositories.

  • Get a free OSS license at https://gitleaks.io/products.html
  • Add it as a repository secret named GITLEAKS_LICENSE in Settings → Secrets and variables → Actions
  • Or add it org-wide in the petry-projects org settings

The compliance check secret_scan_ci_job_present will be satisfied once this PR merges (the check looks for gitleaks/gitleaks-action in ci.yml). The job itself requires the license to run.

Note: The root security_and_analysis_unavailable compliance finding (the issue title) cannot be resolved via code — it requires the compliance audit token to have admin scope, or enabling Secret Scanning manually via Settings → Code security and analysis.
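The secret-scan job as the thread describes it, written out as an added example (this is not the PR's own ci.yml and not code from the petry-projects org): full-history checkout so gitleaks sees every commit, the action pinned to the full commit SHA quoted in the CodeRabbit note (the short ff98106 in the title), no `with: args` input (v2 of the action is configured through environment variables instead), and GITLEAKS_LICENSE supplied from the repository or org secret the author asks a human to create. The actions/checkout pin is a placeholder to be filled from your own pin list, and the trigger filters and job name are assumptions.

```yaml
# Added example, not the PR's ci.yml. Placeholder: replace <checkout-commit-sha>
# with the commit you pin actions/checkout to under your pinning policy.
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Read-only token is enough to scan history. Do not grant
# security-events: write unless the job uploads SARIF results.
permissions:
  contents: read

jobs:
  secret-scan:
    name: Secret scan (gitleaks)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout full history
        uses: actions/checkout@<checkout-commit-sha>
        with:
          fetch-depth: 0   # a shallow clone would hide secrets in older commits

      - name: Run gitleaks
        # Pinned to the full commit SHA, not a mutable tag.
        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Required on organization repositories; the job fails until the
          # secret exists at repo or org level.
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
```

Two checks before merging: confirm the secret name in the workflow matches the one created in Settings → Secrets and variables → Actions exactly (a typo leaves the job failing with a license error rather than scanning), and note that the compliance check only looks for the `gitleaks/gitleaks-action` string in ci.yml, so a green compliance result does not by itself prove the scan ran. To see what the job will find without the action or a license, the open-source gitleaks CLI can scan the same history locally, for example `gitleaks detect --source . --redact -v` (gitleaks v8 syntax).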

@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.gitignore (2)

141-143: Negations for patterns that are never ignored.

!*.crt, !ca.crt, and !*.cert re-include files that aren't matched by any preceding ignore rule in this file, so these lines are no-ops today. They're harmless but slightly misleading — either add matching *.crt / *.cert ignores above (certs can embed private keys in some formats, but conventionally don't) or drop these negations. Non-blocking.


23-38: Minor: redundant .env patterns.

Lines 26 (.env.local) and 27 (.env.*.local) are already fully covered by .env.* on line 24, and .envrc.local on line 37 is covered by .envrc on line 25 only if you treat .envrc as a prefix — it isn't, so .envrc.local on line 37 is actually needed. The two .env.local / .env.*.local entries can be dropped for clarity without changing behavior. Non-blocking.

Actionable inline comment (1):
In @.github/workflows/ci.yml:
- Around line 118-126: The gitleaks action block uses the unsupported with: args
input and misses the required GITLEAKS_LICENSE secret for organization repos;
update the job to either (A) switch to running the gitleaks CLI directly (invoke
gitleaks with flags like --redact, --verbose, --exit-code via a run step) or (B)
if keeping gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7,
remove the with: args line and move the desired flags into environment variables
supported by the action, and add GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE
}} under env so organization repos have a license; also remove the unnecessary
permissions scope security-events: write if you are not uploading SARIF results.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ad93d805-ebcc-48fd-8614-9ae6c0206bb0

📥 Commits

Reviewing files that changed from the base of the PR and between 92719c9 and 539b160.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .gitignore
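A small matcher to check the two .gitignore nitpicks above without guessing, added here as an example (it is not code from the PR or from CodeRabbit). It models the rules the comments rely on: git applies the last matching line, a negation only re-includes a file that an earlier line ignored, and `.envrc` is a literal name rather than a prefix. Assumptions: patterns are matched against the basename only (no `/`, `**` or directory-only semantics, which the flat filename patterns under discussion do not use), and the sample .gitignore is constructed to mirror the reviewed lines rather than copied from the PR.

```python
"""Check gitignore review claims with a minimal matcher.

Added example, not code from the PR. Models the two CodeRabbit nitpicks:
a negation ("!*.crt") is a no-op unless an earlier rule ignores something
it matches, and ".env.local" adds nothing after ".env.*". Assumption:
rules match on the basename only (no "/", "**" or directory-only rules).
"""
import fnmatch
import posixpath
from typing import List, Optional, Tuple

Rule = Tuple[int, bool, str]  # (line number, is_negation, pattern)

# Constructed sample mirroring the patterns the review comments discuss.
SAMPLE_GITIGNORE = """
# dotenv family
.env
.env.*
.envrc
.env.local
.env.*.local
.envrc.local
!.env.example
!.env.sample

# private keys
*.pem
*.key

# negations with no preceding ignore rule
!*.crt
!ca.crt
!*.cert
"""


def parse_rules(text: str) -> List[Rule]:
    """Skip blanks and comments; strip a leading '!' and remember it."""
    rules: List[Rule] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        rules.append((n, negate, line[1:] if negate else line))
    return rules


def matching_rule(path: str, rules: List[Rule]) -> Optional[Rule]:
    """Last matching rule wins, as in git; None if nothing matched."""
    name = posixpath.basename(path)
    hit = None
    for rule in rules:
        if fnmatch.fnmatchcase(name, rule[2]):
            hit = rule
    return hit


def is_ignored(path: str, rules: List[Rule]) -> bool:
    hit = matching_rule(path, rules)
    return hit is not None and not hit[1]


def noop_negations(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Negations that no earlier ignore rule can ever affect.

    "Can affect" is approximated by matching the two patterns against each
    other with globs taken literally; exact for the shapes used here.
    """
    out = []
    for idx, (ln, negate, pat) in enumerate(rules):
        if not negate:
            continue
        covered = any(
            fnmatch.fnmatchcase(pat, earlier) or fnmatch.fnmatchcase(earlier, pat)
            for _, neg, earlier in rules[:idx] if not neg
        )
        if not covered:
            out.append((ln, "!" + pat))
    return out


def shadowed_patterns(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Ignore rules fully covered by an earlier ignore rule, with no
    intervening negation that would make them meaningful again."""
    out = []
    for idx, (ln, negate, pat) in enumerate(rules):
        if negate:
            continue
        for j, (_, neg, earlier) in enumerate(rules[:idx]):
            if neg or not fnmatch.fnmatchcase(pat, earlier):
                continue
            if not any(n3 and fnmatch.fnmatchcase(pat, p3) for _, n3, p3 in rules[j + 1:idx]):
                out.append((ln, pat, earlier))
                break
    return out


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_GITIGNORE)
    for p in ("ca.crt", "config/.env.local", ".env.example", ".envrc.local"):
        print(f"{p}: {'ignored' if is_ignored(p, rules) else 'tracked'}")
    print("no-op negations:", noop_negations(rules))
    print("shadowed rules:", shadowed_patterns(rules))
```

Against the sample, `ca.crt` stays tracked even though `!ca.crt` names it, because nothing above ignored it; `.env.local` is ignored by `.env.*` alone; `.env.example` is re-included by its negation; and `.envrc.local` is ignored only because of its own explicit line. In a real checkout, `git check-ignore -v <path>` gives the same answer with the exact line that decided it, which is the quicker way to verify a baseline before merging.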

Copilot AI (Contributor) left a comment

Pull request overview

Adds repository-level secret leak prevention by introducing a CI gitleaks scan and adopting the petry-projects secrets-focused .gitignore baseline, aligning the repo with the push-protection compliance standard.

Changes:

  • Added a SHA-pinned secret-scan CI job using gitleaks/gitleaks-action with full git history checkout.
  • Replaced the minimal .gitignore with an org baseline focused on ignoring common secret/credential files, while retaining repo-specific ignores.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File | Description
.gitignore | Replaced with an expanded secrets-only baseline plus repo-specific ignore entries.
.github/workflows/ci.yml | Added secret-scan job to run gitleaks on PRs and pushes to main.

Comment thread on .github/workflows/ci.yml (context of the reviewed lines):
          fetch-depth: 0

      - name: Run gitleaks
        # Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).

Copilot AI Apr 19, 2026


This comment references ci-standards.md#action-pinning-policy, but there doesn’t appear to be a ci-standards.md in this repo. Consider linking to an existing in-repo doc (e.g., AGENTS.md or a security/CI standards file) or removing the reference to avoid a dead link.

Suggested change
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Pinned to a commit SHA per repository guidance in AGENTS.md.

Development

Successfully merging this pull request may close these issues.

Compliance: security_and_analysis_unavailable
