ci: add secret-scan (gitleaks) job for push-protection compliance#115
Adds the required secret-scan job to ci.yml per Layer 3 of the push-protection standard. Satisfies the `secret_scan_ci_job_present` compliance check (error severity).

Key properties:
- Full history checkout (`fetch-depth: 0`) — scans all commits, not just diff
- `--redact` — leaked values are never written to workflow logs
- `--exit-code 1` — build fails on any finding
- Both actions pinned to commit SHAs per Action Pinning Policy

Also applied `security_and_analysis` settings via API (secret scanning, push protection, and Dependabot security updates now enabled at repo level), addressing the `security_and_analysis_unavailable` warning.

Closes #95
Supersedes #106

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
@don-petry — this PR addresses issue #95 by:
This supersedes PR #106 (same fix, on a stale branch). Remaining items requiring human admin action:
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds a dedicated CI job to run gitleaks secret scanning to satisfy push-protection compliance requirements and fail CI on detected leaks.
Changes:
- Introduces a new `secret-scan` job in CI that checks out full git history and runs `gitleaks detect`.
- Pins the `actions/checkout` and `gitleaks/gitleaks-action` actions to commit SHAs.
- Configures gitleaks to redact findings and exit non-zero on detections.
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| steps: | ||
| - name: Checkout (full history) | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Run gitleaks | ||
| # Pinned to commit SHA (dereferenced from annotated tag v2). | ||
| # Refresh with: gh api repos/gitleaks/gitleaks-action/git/refs/tags/v2 --jq '.object.sha' | ||
| # then dereference: gh api repos/gitleaks/gitleaks-action/git/tags/<sha> --jq '.object.sha' | ||
| uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2 | ||
| with: | ||
| args: detect --source . --redact --verbose --exit-code 1 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
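Review bot: The `args:` line under `with:` is what the PR description's `--redact` and `--exit-code 1` guarantees rest on, so please confirm that the pinned gitleaks-action v2 commit actually declares an `args` input. If an action does not declare an input, the runner only logs an "Unexpected input(s)" warning and ignores it, and the flags on this line would then never reach the gitleaks command line (the action's own defaults would apply instead). A quick check is that the job log shows `--redact` and `--exit-code 1` in the invoked command; if it does not, either move the configuration to the mechanism the action supports or document in the step comment that the defaults already provide both properties.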
security-events: write is granted but the workflow doesn’t upload a SARIF/code-scanning artifact (and the gitleaks invocation doesn’t emit SARIF). Either (a) drop security-events: write to follow least-privilege, or (b) have gitleaks produce a SARIF report and add an explicit upload step so the permission is actually used.
| - name: Checkout (full history) | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| with: | ||
| fetch-depth: 0 |
Full-history checkout (fetch-depth: 0) can noticeably increase CI time and bandwidth as the repo grows. If compliance allows, consider running full-history scans on a schedule (or default-branch only) and limiting PR/push scans to the commit range being introduced; otherwise, note in the workflow comment that this is intentionally full-history for compliance to prevent future “optimization” regressions.
| - name: Checkout (full history) | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
| # ── Secret scanning (gitleaks) ──────────────────────────────────────────── | ||
| secret-scan: |
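Review bot: Nothing in this diff makes `secret-scan` a required status check, so `--exit-code 1` only turns the job red; a branch can still be merged on a finding unless the job is added to the branch protection rules (or a ruleset) as a required check. Since the job header comment cites Layer 3 of the push-protection standard, it would be worth stating there that the required-check configuration is the other half of the control, so the next reader does not assume the workflow alone blocks merges.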
The PR description claims repo-level security_and_analysis settings were enabled via the GitHub API, but those changes are not reviewable/auditable in this PR diff. Consider moving that note to the PR’s comments/runbook (or link to an audit log/change record) and keep the PR description focused on the workflow change, so reviewers can validate everything claimed from the PR contents.
Auto-rebase blocked — the base branch contains Please rebase this branch manually:



Summary
- Added a `secret-scan` job to `.github/workflows/ci.yml` per Layer 3 of the push-protection standard. This satisfies the `secret_scan_ci_job_present` compliance check (error severity).
- Applied `security_and_analysis` settings via the GitHub API: secret scanning, push protection, and Dependabot security updates are now enabled at the repo level. This addresses the root cause of the `security_and_analysis_unavailable` compliance warning.

Job properties:
- Full-history checkout (`fetch-depth: 0`) — scans all commits, not just the PR diff
- `--redact` — leaked values are never written to workflow logs
- `--exit-code 1` — build fails on any finding

Supersedes: #106 (same secret-scan job, on a stale branch — that PR can be closed)

Remaining human-action items (cannot be done in code)

The following settings could not be enabled via API (likely plan limitations):
- `secret_scanning_ai_detection` — not returned by the API (may require a paid plan)
- `secret_scanning_non_provider_patterns` — returned as `disabled` after our PATCH

An org admin should verify in GitHub Settings → Code security whether these features are available on the current plan and enable them if possible.

Test plan
- `security_and_analysis_unavailable`

Closes #95
Generated with Claude Code
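A checker for the job properties the PR description and the summary above list (secret-scan job present, full-history checkout, `--redact`, a non-zero `--exit-code`, and every action pinned to a 40-hex commit SHA), added here as an example; it is not part of this PR, of the repository's compliance tooling, or of gitleaks. It reads `uses:`, `args:` and `fetch-depth:` lines directly instead of depending on a YAML library. The two embedded workflow fragments are constructed samples: the first mirrors the job in this diff (same action SHAs as shown on the page), the second is a deliberately regressed version with floating tags and a shallow clone, so the checker's failure path is exercised too.

```python
import re

# Constructed sample mirroring the secret-scan job in this PR's diff.
SAMPLE_CI_YML = """\
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout (full history)
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
      - name: Run gitleaks
        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
        with:
          args: detect --source . --redact --verbose --exit-code 1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed regressed sample: floating tags, shallow clone, no --redact.
SAMPLE_CI_YML_BAD = """\
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Run gitleaks
        uses: gitleaks/gitleaks-action@v2
        with:
          args: detect --source . --exit-code 1
"""

# "uses: owner/repo@ref" with optional list dash; local (./) and docker:// uses
# carry no "@<ref>" pinning and are deliberately not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is a tag/branch rather than a commit SHA."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA40_RE.match(m.group(2)):
            found.append((m.group(1), m.group(2)))
    return found


def _exit_code_flag(args):
    """Value given to --exit-code (either form), or None when absent."""
    for i, a in enumerate(args):
        if a == "--exit-code" and i + 1 < len(args):
            return args[i + 1]
        if a.startswith("--exit-code="):
            return a.split("=", 1)[1]
    return None


def secret_scan_findings(workflow_text):
    """Evaluate the push-protection properties; returns check name -> bool."""
    steps, current = [], None
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:  # a new step starts at its uses: line
            current = {"uses": m.group(1), "args": "", "fetch_depth": None}
            steps.append(current)
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("args:"):
            current["args"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("fetch-depth:"):
            current["fetch_depth"] = stripped.split(":", 1)[1].strip()

    gitleaks = [s for s in steps if s["uses"].startswith("gitleaks/gitleaks-action")]
    checkout = [s for s in steps if s["uses"].startswith("actions/checkout")]
    args = gitleaks[0]["args"].split() if gitleaks else []
    return {
        "secret_scan_ci_job_present": bool(gitleaks),
        "full_history_checkout": any(s["fetch_depth"] == "0" for s in checkout),
        "redacts_findings": "--redact" in args,
        "fails_on_finding": _exit_code_flag(args) not in (None, "0"),
        "all_actions_pinned": not unpinned_actions(workflow_text),
    }


if __name__ == "__main__":
    for label, text in (("pr-version", SAMPLE_CI_YML), ("regressed", SAMPLE_CI_YML_BAD)):
        print(label, secret_scan_findings(text), unpinned_actions(text))
```

Run against a real `.github/workflows/ci.yml`, any `False` in the returned dict is a specific regression to raise in review; `unpinned_actions` lists exactly which `uses:` lines still float on a tag.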