feat: add Gitleaks config and CI workflow #22
Merged: burigolucas merged 14 commits into redhat-cop:main from stevefulme1:feat/gitleaks-configuration on Jul 2, 2026 (+136 −25)
Commits (all by stevefulme1):

0f9c8a0 Update SECURITY.md with project-specific content
b714c78 docs: standardize security policy to Ansible community standard
464b4bc docs: standardize contributing guide to Ansible community standard
612ed3a docs: standardize code of conduct to Ansible community standard
a294bc5 docs: standardize license to GPL-3.0
ee83d9e feat: add Gitleaks configuration and CI workflow
2bc39fc fix: resolve 11 gitleaks false positives on README and YAML files
e359002 fix(ci): remove unsafe pull_request_target from gitleaks workflow
f246057 fix: address PR review feedback
dfbfae7 Merge remote-tracking branch 'origin/main' into feat/gitleaks-configu…
c70cf2f docs: regenerate network_mgmt README after OVN layer2 merge
c682c7a fix: use GITLEAKS_CONFIG env var and add license secret
3f15ed6 fix: replace gitleaks-action with CLI to avoid license requirement
254cadf fix: resolve gitleaks version dynamically
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| --- | ||
| name: Gitleaks | ||
|
|
||
| on: | ||
| push: | ||
| branches: ["main"] | ||
| pull_request: | ||
| branches: ["main"] | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| gitleaks: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Install Gitleaks | ||
| run: | | ||
| GITLEAKS_VERSION=$(curl -sI https://github.com/gitleaks/gitleaks/releases/latest \ | ||
| | grep -i '^location:' | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+') | ||
| curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION#v}_linux_x64.tar.gz" \ | ||
| | tar xz -C /usr/local/bin gitleaks | ||
|
|
||
| - name: Run Gitleaks | ||
| run: gitleaks detect --config .gitleaks.toml --source . -v | ||
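Review bot: the Install Gitleaks step resolves whatever tag the `releases/latest` redirect currently points at and extracts the archive straight into `/usr/local/bin` with no checksum or signature check, so each run trusts an unpinned upstream release and two runs of the same commit can scan with different scanner versions. Pin `GITLEAKS_VERSION` to a known release (bump it deliberately) and verify the downloaded tarball against the release's published checksum file before the `tar xz` step. Separately, in the Run Gitleaks step `-v` prints each finding together with the matched secret value into the job log, which anyone with read access to the repository can view; add `--redact` so a true positive is reported without the credential being copied into CI output. `pull-requests: read` is not needed by any of these steps and can be dropped to keep the token minimal.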
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| # Gitleaks configuration for openshift_virtualization_migration | ||
| # https://github.com/gitleaks/gitleaks | ||
|
|
||
| title = "OpenShift Virtualization Migration Gitleaks Configuration" | ||
|
|
||
| [extend] | ||
| useDefault = true | ||
|
|
||
| # Allowlist paths and patterns that contain placeholder credentials | ||
| # (e.g., "changeme", example domains, template variables) | ||
| [allowlist] | ||
| description = "Global allowlist for placeholder values and template files" | ||
| paths = [ | ||
| '''\.gitleaks\.toml$''', | ||
| '''README\.md$''', | ||
| ] | ||
| regexTarget = "line" | ||
| regexes = [ | ||
| # Placeholder values used in inventory and defaults | ||
| '''changeme''', | ||
| # Jinja2 template variables | ||
| '''\{\{.*\}\}''', | ||
| # Ansible Vault references | ||
| '''!vault''', | ||
| # Example/documentation values | ||
| '''example\.com''', | ||
| '''EXAMPLE''', | ||
| # YAML comments containing credential variable names | ||
| '''^\s*#.*''', | ||
| # HTML bold tags documenting variable names (docsible-generated) | ||
| '''<b>.*</b>''', | ||
| # Multi-line YAML block scalars where value is a Jinja2 template on the next line | ||
| '''[>|][+-]?\s*$''', | ||
| ] | ||
|
|
||
| # Custom rules for Ansible-specific credential patterns | ||
| [[rules]] | ||
| id = "ansible-vault-password-file" | ||
| description = "Ansible vault password file" | ||
| regex = '''vault[_-]?pass(word)?[_-]?file\s*[:=]\s*['"]?([^\s'"]+)''' | ||
| keywords = ["vault"] | ||
| [rules.allowlist] | ||
| regexes = ['''changeme''', '''\{\{.*\}\}'''] | ||
|
|
||
| [[rules]] | ||
| id = "openshift-api-key" | ||
| description = "OpenShift API key or token" | ||
| regex = '''(?i)(openshift[_-]?(?:api[_-]?key|token|password))\s*[:=]\s*['"]?([^\s'"#}{]+)''' | ||
| keywords = ["openshift"] | ||
| [rules.allowlist] | ||
| regexes = ['''changeme''', '''\{\{.*\}\}''', '''example''', '''<b>.*</b>''', '''[>|][+-]?\s*$'''] | ||
| paths = ['''defaults/main\.yml$''', '''inventory\.yml$''', '''README\.md$''', '''tasks/main\.yml$'''] | ||
|
|
||
| [[rules]] | ||
| id = "automation-hub-token" | ||
| description = "Automation Hub token" | ||
| regex = '''(?i)(automation[_-]?hub[_-]?(?:token|password))\s*[:=]\s*['"]?([^\s'"#}{]+)''' | ||
| keywords = ["automation_hub", "automation-hub"] | ||
| [rules.allowlist] | ||
| regexes = ['''changeme''', '''\{\{.*\}\}'''] | ||
| paths = ['''defaults/main\.yml$''', '''inventory\.yml$'''] | ||
|
|
||
| [[rules]] | ||
| id = "container-registry-password" | ||
| description = "Container registry password" | ||
| regex = '''(?i)(container[_-]?password|registry[_-]?password)\s*[:=]\s*['"]?([^\s'"#}{]+)''' | ||
| keywords = ["container_password", "registry_password"] | ||
| [rules.allowlist] | ||
| regexes = ['''changeme''', '''\{\{.*\}\}''', '''<b>.*</b>'''] | ||
| paths = ['''defaults/main\.yml$''', '''inventory\.yml$''', '''README\.md$'''] |
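Review bot: the global `[allowlist]` uses `regexTarget = "line"`, so any line containing `changeme`, `EXAMPLE`, `example.com`, a `{{ ... }}` expression or a `<b>...</b>` tag anywhere on it is skipped in full; a real value such as `password: "s3cr3t-{{ env }}"` or a credential placed on the same line as a `<b>` tag would never be reported. Anchor these patterns to the value position instead (for example `'''[:=]\s*['"]?changeme['"]?\s*$'''`) or move them into `stopwords`, and keep `{{.*}}` as a per-rule allowlist with `regexTarget = "match"` rather than a line-wide suppression. The path exclusions are also broad: `README\.md$` in the global list removes the README from every rule, including the default ruleset, and `tasks/main\.yml$` in the `openshift-api-key` rule removes the one file where a hard-coded token is most likely to be committed by mistake; consider dropping those two entries and allowlisting the specific documented lines instead.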