ci: add gitleaks secret-scan job (gitleaks-action v2.3.9)#119
Conversation
Uses gitleaks/gitleaks-action@v2.3.9 (pinned to SHA) instead of the direct binary install from PR #107. The compliance audit (pp_check_secret_scan_ci_job) requires `uses: gitleaks/gitleaks-action@` in ci.yml — a binary install does not satisfy the check.

Key decisions:

- Switched from direct binary install to gitleaks/gitleaks-action@v2.3.9 (SHA ff98106e4c7b2bc287b24eaf42907196329070c7) to satisfy the compliance audit regex
- Added GITLEAKS_LICENSE env var (free key required for org repos per gitleaks-action docs; set GITLEAKS_LICENSE as an org or repo secret)
- fetch-depth: 0 ensures full git history is scanned
- .gitleaksignore suppresses 7 confirmed false-positive findings in commit 865de69 (documentation paths containing "api-key" substring)

Closes #96

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a GitHub Actions “secret-scan” job using gitleaks/gitleaks-action@v2.3.9 (SHA pinned) and introduces a .gitleaksignore file to suppress confirmed false positives so the new scan can run cleanly.
Changes:
- Adds `.gitleaksignore` entries for 7 reviewed false-positive findings.
- Adds a `secret-scan` job to `.github/workflows/ci.yml` using `gitleaks/gitleaks-action` (SHA pinned) and full-history checkout.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .gitleaksignore | Adds documented suppression fingerprints for known false positives. |
| .github/workflows/ci.yml | Adds a new secret-scan job using the gitleaks GitHub Action. |
| # Refresh with: gh api repos/gitleaks/gitleaks-action/git/refs/tags/v2.3.9 --jq '.object.sha' | ||
| uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 | ||
| with: | ||
| args: detect --source . --redact --verbose --exit-code 1 |
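Review bot: the refresh command in the comment above the `uses:` line, `gh api repos/gitleaks/gitleaks-action/git/refs/tags/v2.3.9 --jq '.object.sha'`, returns the SHA of the tag object rather than of the commit when the tag is annotated, so check that `.object.type` is `commit` (or dereference the tag via `git/tags/<sha>`) before pasting the value into `uses:`; a tag-object SHA in `uses:` fails at checkout time. Separately, `--redact` in the `args:` line is doing real work: without it gitleaks echoes the matched secret values into the job log, which anyone with read access to the run can see, so keep it whenever the args are extended.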
Overriding args may disable the action’s default SARIF/report behavior (depending on the action’s defaults), which would make security-events: write ineffective and prevent Code Scanning results from being published. Consider explicitly adding SARIF output args (for example, setting a report format/path supported by gitleaks-action) so findings are uploaded as code-scanning alerts in addition to failing the job.
| args: detect --source . --redact --verbose --exit-code 1 | |
| args: detect --source . --redact --verbose --exit-code 1 --report-format sarif --report-path gitleaks.sarif |
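Review bot: `--report-format sarif --report-path gitleaks.sarif` only writes a file into the workspace; it becomes a Code Scanning alert only if a later step uploads it (for example `github/codeql-action/upload-sarif@<sha>` with `sarif_file: gitleaks.sarif`). Because the same line keeps `--exit-code 1`, the scan step fails the job whenever it finds something, and every following step is skipped by default, so the upload step needs `if: always()` (or `if: ${{ !cancelled() }}`) or the findings never reach the Security tab precisely in the case that matters.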
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} |
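Review bot: a guard for "license secret not present" cannot test `secrets.GITLEAKS_LICENSE` directly, because the `secrets` context is not available in a job-level or step-level `if:`; the working pattern is an indirection, `env: HAS_GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE != '' }}` at the job level and `if: env.HAS_GITLEAKS_LICENSE == 'true'` on this step (or gate on `github.event.pull_request.head.repo.full_name == github.repository`, which also covers fork PRs since they never receive repository secrets). `GITHUB_TOKEN` here is the job's token, so the job's `permissions:` block is what decides whether it can read the repo and write `security-events`; confirm it is set explicitly rather than inherited from the workflow default.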
As written, PRs from forks (or any context where GITLEAKS_LICENSE isn’t available) are likely to fail the workflow outright if the action hard-requires the license in org repos. To keep CI usable for external contributors while preserving coverage for trusted events, consider guarding the job/step with an if: condition (e.g., only run when the secret is present or when the PR comes from the same repo) or splitting behavior by event type (run on push/trusted PRs, skip on forked PRs).
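The two review comments above (SARIF output lost when `args` overrides the action defaults; fork PRs failing for lack of `GITLEAKS_LICENSE`) and the compliance regex from the PR description are all things that can be checked mechanically before pushing `ci.yml`. The script below is an added example, not the project's own tooling or the `pp_check_secret_scan_ci_job` audit: it is a regex-based heuristic over the raw YAML (no YAML parser), the three workflow snippets are constructed for the example (the SHAs are the ones quoted in this PR; the `BINARY_INSTALL` variant mimics PR #107 with a hypothetical install script), and the fork-guard expression it looks for is one of several acceptable forms.

```python
"""Heuristic lint for a GitHub Actions workflow that runs gitleaks.

Added example (not the project's ci.yml or the compliance audit tool). It
works on the YAML text with regexes, so it is a pre-push sanity check, not a
full workflow parser.
"""
import re

# The compliance audit described in the PR only greps for the action reference.
COMPLIANCE_RE = re.compile(r"uses:\s*gitleaks/gitleaks-action@")
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<tag>v\S+))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# One accepted guard form: the job or step runs only for same-repo PRs / pushes.
FORK_GUARD_RE = re.compile(r"^\s*if:.*head\.repo\.full_name\s*==\s*github\.repository")


def check_gitleaks_step(step_lines):
    """Inspect the `args:` of the gitleaks step (lines up to the next step marker)."""
    findings = []
    for line in step_lines:
        if re.match(r"^\s*-\s*(uses|name|run):", line):
            break  # reached the next step
        m = re.match(r"^\s*args:\s*(.+)$", line)
        if m:
            args = m.group(1)
            if "--report-format sarif" not in args:
                findings.append("gitleaks args override the action defaults without SARIF output; nothing reaches Code Scanning")
            if "--redact" not in args:
                findings.append("gitleaks args lack --redact; matched secret values would be echoed into the run log")
    return findings


def check_workflow(text):
    """Return a list of problems found; an empty list means the workflow passes."""
    findings = []
    if not COMPLIANCE_RE.search(text):
        findings.append("no `uses: gitleaks/gitleaks-action@` line: compliance check pp_check_secret_scan_ci_job fails")
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, tag = m.group("action"), m.group("ref"), m.group("tag")
        if not FULL_SHA_RE.match(ref):
            findings.append(f"{action}@{ref}: mutable ref, pin to a full commit SHA")
        elif not tag:
            findings.append(f"{action}@{ref[:7]}: SHA pin has no '# vX.Y.Z' comment to audit against")
        if action == "gitleaks/gitleaks-action":
            findings.extend(check_gitleaks_step(lines[i + 1:]))
    if "gitleaks/gitleaks-action" in text and not any(FORK_GUARD_RE.match(l) for l in lines):
        findings.append("no fork guard `if:`; PRs from forks have no GITLEAKS_LICENSE and would fail outright")
    return findings


# Constructed sample: the job as proposed in this PR (SHAs copied from the PR text).
BEFORE = """\
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
        with:
          args: detect --source . --redact --verbose --exit-code 1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
"""

# Constructed sample: the same job with the review suggestions applied.
AFTER = """\
  secret-scan:
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
        with:
          args: detect --source . --redact --verbose --exit-code 1 --report-format sarif --report-path gitleaks.sarif
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
"""

# Constructed sample in the style of PR #107 (hypothetical install script); the
# compliance regex rejects it because there is no gitleaks-action reference.
BINARY_INSTALL = """\
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/install-gitleaks.sh
      - run: ./gitleaks detect --source . --redact
"""

if __name__ == "__main__":
    for name, text in (("BEFORE", BEFORE), ("AFTER", AFTER), ("BINARY_INSTALL", BINARY_INSTALL)):
        print(name, check_workflow(text) or "OK")
```

Run it as a script to see the three verdicts; in CI, feeding it `.github/workflows/ci.yml` and failing on a non-empty list gives the same guarantee the compliance audit checks for, plus the pinning and SARIF points the audit does not.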
Summary

- Adds `secret-scan` job to `ci.yml` using `gitleaks/gitleaks-action@v2.3.9` (SHA-pinned per the Action Pinning Policy)
- Adds `.gitleaksignore` to suppress 7 confirmed false-positive findings in commit `865de69b` (documentation file paths containing the substring `api-key`)

Why this supersedes PR #107

PR #107 (still open) used direct binary install of gitleaks. The compliance audit check (`pp_check_secret_scan_ci_job`) regex specifically looks for `uses: gitleaks/gitleaks-action@` — a binary install does not satisfy it. This PR uses the action.

Action pinning

- `gitleaks/gitleaks-action`: `ff98106e4c7b2bc287b24eaf42907196329070c7` (tag `v2.3.9`, verified via `gh api repos/gitleaks/gitleaks-action/git/refs/tags/v2.3.9`)
- `actions/checkout`: `34e114876b0b11c390a56381ad16ebd13914f8d5` (tag `v4`, same SHA used throughout `ci.yml`)

Note on GITLEAKS_LICENSE

`gitleaks-action` v2 requires a free `GITLEAKS_LICENSE` key for repos in a GitHub organization. Set this as an org or repo secret named `GITLEAKS_LICENSE` (obtain one at gitleaks.io). Without it the CI job will fail with a license error.

Closes #96

Generated with Claude Code
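The "Action pinning" section verifies each pin by reading `.object.sha` from the tag ref. That is correct only for a lightweight tag: for an annotated tag the ref points at a tag object, and its SHA is not a commit, so `uses: owner/repo@<that sha>` fails at checkout. The following is an added example (not the project's tooling) of resolving a tag to the commit SHA that `uses:` must pin, handling both tag kinds, and of checking that `ci.yml` pins exactly that SHA. The `fetch` callable is injected so the example runs offline; the canned responses are constructed for the example (the gitleaks-action one reuses the SHA quoted in this PR, the `example/annotated-action` repository and its SHAs are hypothetical), and `gh_fetch` shows the real `gh api` wiring.

```python
"""Resolve a GitHub tag to the commit SHA a pinned `uses:` must reference.

Added example, not the project's own tooling. GET git/ref/tags/<tag> returns a
tag *object* for annotated tags, so `.object.sha` alone only works for
lightweight tags; this follows the extra hop for annotated ones.
"""
import json
import re
import subprocess

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def gh_fetch(path):
    """Real fetcher: `gh api <path>` parsed as JSON (network; not used by the test)."""
    return json.loads(subprocess.check_output(["gh", "api", path]))


def resolve_tag_commit(repo, tag, fetch):
    """Return the commit SHA behind refs/tags/<tag>, dereferencing annotated tags.

    `fetch(path)` returns the parsed JSON of `GET /<path>`; the singular
    `git/ref/...` endpoint is used because it returns one object, not a list.
    """
    ref = fetch(f"repos/{repo}/git/ref/tags/{tag}")
    obj = ref["object"]
    if obj["type"] == "commit":  # lightweight tag: points straight at the commit
        return obj["sha"]
    if obj["type"] == "tag":  # annotated tag: one more hop through the tag object
        tag_obj = fetch(f"repos/{repo}/git/tags/{obj['sha']}")
        target = tag_obj["object"]
        if target["type"] != "commit":
            raise ValueError(f"tag {tag} in {repo} does not resolve to a commit")
        return target["sha"]
    raise ValueError(f"unexpected object type {obj['type']!r} for {repo}@{tag}")


def pinned_sha_matches(workflow_text, action, expected_sha):
    """True iff every `uses: <action>@<ref>` in the workflow pins exactly expected_sha."""
    refs = re.findall(rf"uses:\s*{re.escape(action)}@([^\s#]+)", workflow_text)
    return bool(refs) and all(FULL_SHA_RE.match(r) and r == expected_sha for r in refs)


# Constructed API responses: a lightweight tag (SHA as quoted in this PR) and a
# hypothetical annotated tag whose ref points at a tag object, not a commit.
CANNED = {
    "repos/gitleaks/gitleaks-action/git/ref/tags/v2.3.9": {
        "object": {"type": "commit", "sha": "ff98106e4c7b2bc287b24eaf42907196329070c7"}},
    "repos/example/annotated-action/git/ref/tags/v1.0.0": {
        "object": {"type": "tag", "sha": "1" * 40}},
    "repos/example/annotated-action/git/tags/" + "1" * 40: {
        "object": {"type": "commit", "sha": "2" * 40}},
}


def canned_fetch(path):
    return CANNED[path]


# Constructed excerpt of a workflow in the form this PR uses.
CI_SNIPPET = """\
      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
"""

if __name__ == "__main__":
    sha = resolve_tag_commit("gitleaks/gitleaks-action", "v2.3.9", canned_fetch)
    print("v2.3.9 ->", sha, "pinned correctly:", pinned_sha_matches(CI_SNIPPET, "gitleaks/gitleaks-action", sha))
    print("v1.0.0 (annotated) ->", resolve_tag_commit("example/annotated-action", "v1.0.0", canned_fetch))
```

Swap `canned_fetch` for `gh_fetch` to check a live repository; the pin check deliberately rejects `@v2.3.9`-style refs as well as wrong SHAs, so it doubles as the "full SHA only" rule from the Action Pinning Policy.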