feat: add Gitleaks config and CI workflow#22
Conversation
@luizfao @jeffcpullen Would you be able to review the content of this PR?
Not an expert in GitHub actions or Gitleaks, but it looks like what I would expect to see. I appreciate the carve out on specific files with specific criteria "changeme" password placeholders. Going to let this run to review the output.
Ok, the run failed with 11 false positives. 10 of the 11 were looking at README.md files that do not contain secrets, but instead are documenting variables. For example, this line triggered Gitleaks. The last one triggered the 'create_mf_aap_token_openshift_api_key' variable because it uses a multi-line YAML format.
@jeffcpullen Thanks for running it and flagging those! I've pushed a fix ( Changes to
Verified locally:
Adds .gitleaks.toml with custom rules for Ansible-specific credential patterns (OpenShift API keys, Automation Hub tokens, container registry passwords) and allowlists for placeholder values and Jinja2 templates. Adds a GitHub Actions workflow to run Gitleaks on pushes and PRs. Resolves: MFG-376 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add allowlists for docsible-generated README.md variable documentation (HTML bold tags), multi-line YAML block scalars (>- / |) where values are Jinja2 templates on the following line, and task files that reference credential variable names without containing actual secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove pull_request_target trigger to prevent untrusted PR code from running with write permissions. Remove conditional fork-detection logic and explicit SHA checkout that are no longer needed.
deaa285 to e359002
burigolucas left a comment
The new gitleaks workflow adds two changes to the current secret scanning in the pre-commit and CI workflows:
- It performs a full git history scan, which the other workflows do not do
- It uses a customization of the gitleaks config that extends the default configuration
The advantage of adding this workflow is the clear separation of concerns. This new workflow will provide secret scanning for all PRs (internal and from forks) without the need for manual approval as in the case of the CI workflow.
We should then consider whether we need to use the same gitleaks configuration in the other workflows as well.
| pull_request: | ||
| branches: ["main"] | ||
| workflow_dispatch: | ||
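Review bot: the `pull_request` trigger is filtered to `branches: ["main"]`, so a PR opened against any other base branch is never scanned, which does not match the stated goal of scanning all PRs (internal and from forks). Unless PRs are only ever opened against main, drop the `branches` filter under `pull_request` so every PR runs the scan; `workflow_dispatch` is fine as a manual fallback.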
Add explicit permissions (best practice):
| permissions: | |
| contents: read | |
| pull-requests: read | |
Added explicit permissions block.
| fetch-depth: 0 | ||
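Review bot: `fetch-depth: 0` is the setting that makes the full git history scan possible (the review comment above notes that the other workflows do not scan history), but nothing in the step says so. Add a short comment on the checkout step explaining that the full clone is required for history scanning, so a later change that trims the clone for speed does not silently turn this into a working-tree-only check.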
| - name: Run Gitleaks | ||
| uses: gitleaks/gitleaks-action@v2 |
| uses: gitleaks/gitleaks-action@v2 | |
| uses: gitleaks/gitleaks-action@v3 |
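Review bot: the suggestion swaps one mutable major tag for another. For a workflow whose job is to catch leaked secrets, pin the action to the full commit SHA of the release you tested (with the version in a trailing comment) so that a moved or re-pointed tag cannot change what runs against the repository's history; this pairs naturally with the explicit read-only permissions block added above.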
- Revert CODE_OF_CONDUCT.md, CONTRIBUTING.md to main (handled in PR redhat-cop#31)
- Remove COPYING and SECURITY.md (handled in PR redhat-cop#31)
- Add explicit permissions block to gitleaks workflow
- Bump gitleaks-action from v2 to v3
Summary
- .gitleaks.toml with default rules extended by custom Ansible-specific credential detection patterns (OpenShift API keys, Automation Hub tokens, container registry passwords)
- Allowlists for placeholder values (changeme), Jinja2 template variables ({{ }}), Ansible Vault references, example domains, and YAML comments
- defaults/main.yml and inventory.yml where variable declarations use block scalar indicators
- .github/workflows/gitleaks.yml GitHub Actions workflow to run Gitleaks on pushes to main and all PRs
- .pre-commit-config.yaml
Related
Test plan
- gitleaks detect --config .gitleaks.toml --no-git reports no false positives on the current codebase
🤖 Generated with Claude Code
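To make the rule/allowlist interaction described in the commit messages and the summary concrete, here is an added, simplified model of how a gitleaks-style rule is suppressed by path, value and block-scalar allowlists; it is not the PR's .gitleaks.toml and not gitleaks itself, and the regexes, file paths and sample values are constructed for this illustration.

```python
import re

# Constructed model of a gitleaks rule plus allowlists (not the PR's patterns):
# the rule fires when its regex matches a line; a finding is dropped when the file
# path, the captured value, or (for YAML block scalars) the value on the following
# line matches an allowlist. Credential names mirror those the PR describes.
CRED_RULE = re.compile(
    r"(?i)(openshift_api_key|automation_hub_token|registry_password)"
    r".{0,8}?[:=]\s*[\"']?([^\s\"'#]+)"
)
ALLOW_PATHS = [re.compile(r"(^|/)README\.md$")]        # docsible variable docs
ALLOW_VALUES = [
    re.compile(r"(?i)^changeme$"),                     # placeholder value
    re.compile(r"^\{\{.*\}\}$"),                       # Jinja2 template reference
    re.compile(r"^!vault$"),                           # Ansible Vault tagged value
    re.compile(r"^(https?://)?example\.(com|org)"),    # example domains
]
BLOCK_SCALAR = re.compile(r"^[>|][+-]?$")              # YAML >- / | indicators

def _allowed(value: str) -> bool:
    return any(p.search(value) for p in ALLOW_VALUES)

def scan(path: str, text: str) -> list[tuple[int, str]]:
    """Return (line_number, credential_name) for every non-allowlisted match."""
    if any(p.search(path) for p in ALLOW_PATHS):
        return []
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = CRED_RULE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if BLOCK_SCALAR.match(value):
            # the real value is on the next non-empty line; judge that line instead
            value = next((l.strip() for l in lines[i + 1:] if l.strip()), "")
            value = value.strip("\"'")
        if not _allowed(value):
            findings.append((i + 1, name))
    return findings

# Constructed samples (no real credentials): two false-positive shapes from the
# review thread plus one value that should still be reported.
DEFAULTS_YML = """\
create_mf_aap_token_openshift_api_key: >-
  {{ lookup('env', 'OPENSHIFT_API_KEY') }}
registry_password: changeme
automation_hub_token: hub-token-CONSTRUCTED-EXAMPLE-1234
"""
README_MD = "| <b>openshift_api_key</b>: str | API key for the cluster |"

if __name__ == "__main__":
    print(scan("defaults/main.yml", DEFAULTS_YML))   # [(4, 'automation_hub_token')]
    print(scan("roles/x/README.md", README_MD))      # []
```

Running the same README line under a non-allowlisted path shows the rule would have fired on the variable documentation, which is exactly the class of false positive the path allowlist exists for.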