Add gitleaks secret scanning to CI #62
Reference
james/carol#62
Follow-up to #39 / PR #61. The local pre-commit hook scans staged changes for secrets via gitleaks, but the lefthook layer is bypassable: `git commit --no-verify` skips the hook entirely. A server-side scan in CI is the safety net for all three.

Scope

- Add a `gitleaks` job to `.forgejo/workflows/pr.yml` that scans the PR diff (and the full default-branch history on `push: branches: [main]` runs, for a one-time backfill check).
- Run `gitleaks detect --source . --redact --report-format sarif --report-path gitleaks.sarif` so the output is uploadable.
- `high|medium|low` knob like the npm-audit / Trivy / OSV jobs need.
- `$GITHUB_STEP_SUMMARY` output via `scripts/ci/security-summary.mjs` (or extend it) so the format matches the other security scans landed in PR #14.
- `.gitleaks.toml` (or commit-message footer) for when a finding is a known-good test fixture, so a single false positive doesn't permanently block the PR.

Acceptance criteria

- The CI job fails on a committed secret even if `--no-verify` was used locally — i.e. it scans the actual commits being merged, not the local hook's pass/fail.
- Out of scope: rotating any historical secrets surfaced by the backfill scan (separate ticket if any turn up).
- Out of scope: removing the local pre-commit hook — local + CI are complementary, not redundant.
Part of epic #2.
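An added example of the summary step described in the scope list (not code from this repo or from gitleaks): it reads the SARIF report that `gitleaks detect --redact --report-format sarif` writes, renders a Markdown table for `$GITHUB_STEP_SUMMARY`, and reports pass/fail so the job can exit non-zero. The file name `scripts/ci/gitleaks-summary.mjs` and the embedded sample report are assumptions; only standard SARIF 2.1.0 field names are relied on.

```javascript
// Added example, not the project's own script: summarise a gitleaks SARIF
// report for $GITHUB_STEP_SUMMARY and decide whether the CI job should fail.
// Only SARIF 2.1.0 fields are used; `commitSha` is read defensively because
// gitleaks puts commit metadata under partialFingerprints.
function summarizeGitleaksSarif(sarif) {
  const results = (sarif.runs ?? []).flatMap((run) => run.results ?? []);
  const rows = results.map((r) => {
    const loc = r.locations?.[0]?.physicalLocation ?? {};
    return {
      rule: r.ruleId ?? "unknown",
      file: loc.artifactLocation?.uri ?? "?",
      line: loc.region?.startLine ?? 0,
      commit: (r.partialFingerprints?.commitSha ?? "").slice(0, 12),
    };
  });
  const header = "| Rule | File | Line | Commit |\n|---|---|---|---|\n";
  const body = rows.map((x) => `| ${x.rule} | ${x.file} | ${x.line} | ${x.commit} |\n`).join("");
  const markdown = rows.length === 0
    ? "### gitleaks: no secrets detected\n"
    : `### gitleaks: ${rows.length} finding(s)\n\n${header}${body}`;
  // Any finding fails the job; allowlisting happens in .gitleaks.toml, not here.
  return { count: rows.length, rows, markdown, failed: rows.length > 0 };
}

// Constructed sample shaped like a gitleaks SARIF report with one finding.
// The snippet is already "REDACTED" because the scan runs with --redact.
const SAMPLE_SARIF = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "gitleaks" } },
    results: [{
      ruleId: "generic-api-key",
      message: { text: "generic-api-key has detected secret for file config/dev.env" },
      locations: [{ physicalLocation: {
        artifactLocation: { uri: "config/dev.env" },
        region: { startLine: 7, snippet: { text: "REDACTED" } },
      } }],
      partialFingerprints: { commitSha: "0123456789abcdef0123456789abcdef01234567" },
    }],
  }],
};

// CI wiring (hypothetical path): node scripts/ci/gitleaks-summary.mjs gitleaks.sarif
if (process.argv[2]?.endsWith(".sarif")) {
  import("node:fs").then((fs) => {
    const report = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
    const { markdown, failed } = summarizeGitleaksSarif(report);
    const out = process.env.GITHUB_STEP_SUMMARY;
    if (out) fs.appendFileSync(out, markdown); else process.stdout.write(markdown);
    process.exitCode = failed ? 1 : 0; // non-zero exit blocks the PR
  });
}
```

Run it as a step after the `gitleaks detect` step; an empty `results` array yields a "no secrets detected" summary and exit code 0.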