Add gitleaks secret scanning to CI (#62) #65
Closes #62.
## What lands

- `.forgejo/workflows/secrets.yml` (new) — gitleaks job on `pull_request` and `push: branches: [main]`. PR runs scope to `BASE..HEAD`; push runs scope to the full history (backfill + ongoing verification).
- `scripts/ci/security-summary.mjs` — extended with a `gitleaks` parser (reads SARIF) and a render path that emits a `rule | file | line | commit` table instead of severity buckets. The threshold argument is accepted-but-ignored for gitleaks; the gate is binary.
- `.gitleaks.toml` (new) — shared by the local pre-commit hook (PR #61) and the CI job. Inherits the upstream default rule pack via `[extend] useDefault = true`. The `[allowlist]` block is commented out (gitleaks rejects an empty one) with a template + format-doc for when a real false positive shows up.
- `docs/ci.md` — new Secret scanning (gitleaks) section.
- `docs/adr/0011-gitleaks-ci.md` (new) + index entry — rationale.

## Why a separate workflow file, not a job in pr.yml

`pr.yml`'s `concurrency.group` references `${{ github.event.pull_request.number }}`, which is empty under a `push` trigger. Mixing both triggers would either break the concurrency group or require an `if: github.event_name == 'pull_request'` on every existing job — a per-job footgun. A dedicated file isolates the two-trigger concern. ADR-0011 covers this in detail.

## Acceptance criteria

- `ghp_…`; CI uses the identical CLI invocation (`gitleaks detect --source . --redact --report-format sarif`).
- `pull_request` server-side; `--no-verify` on the contributor's side has no effect on this scan.
- `docs/ci.md`, ADR-0011, and inline in `.gitleaks.toml` itself. Sample format template lives in `.gitleaks.toml` as a commented block.

## Composes with

- `--no-verify`, force-push) the local hook can't catch.
- `scripts/ci/security-summary.mjs` rendering pipeline. The gitleaks render path is structurally different (no severity scale) but produces the same Markdown-table style.
- `GITLEAKS_VERSION` fresh under the human-review rule once it starts seeing this workflow.

## Test plan

- `### gitleaks (secret scan)` heading with "No secrets detected." body.
- `[allowlist]` block per the template in `.gitleaks.toml` and confirm the local hook and CI scan both pick it up from the single file.
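The SARIF parser and binary-gate render path described under "What lands", and the heading the test plan checks, as an added illustration that is not the project's `security-summary.mjs`. The SARIF field paths (`ruleId`, `locations[0].physicalLocation`, `partialFingerprints.commitSha`) follow the gitleaks SARIF reporter as I know it and the sample report is constructed with fake values; treat both as assumptions to verify against a real report.

```javascript
// Added example, not the project's security-summary.mjs: parse a gitleaks SARIF
// report and render the binary-gate `rule | file | line | commit` table.
// Field paths are assumed from the gitleaks SARIF reporter; verify against a real report.
// Constructed sample in the shape gitleaks writes, with fake values.
const SAMPLE_SARIF = JSON.stringify({
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "gitleaks" } },
    results: [{
      ruleId: "github-pat",
      locations: [{ physicalLocation: {
        artifactLocation: { uri: "config/dev.env" },
        region: { startLine: 7, startColumn: 12 },
      } }],
      partialFingerprints: { commitSha: "abc1234def5678abc1234def5678abc1234def56" },
    }],
  }],
});
// Escape pipes so a file name cannot break the Markdown table layout.
const cell = (v) => String(v).replace(/\|/g, "\\|");
// Extract the fields the summary needs. Zero results (the normal case) gives [].
function parseGitleaksSarif(sarifText) {
  const doc = JSON.parse(sarifText);
  return (doc.runs ?? []).flatMap((run) => (run.results ?? []).map((r) => {
    const loc = r.locations?.[0]?.physicalLocation;
    return {
      rule: r.ruleId ?? "unknown",
      file: loc?.artifactLocation?.uri ?? "?",
      line: loc?.region?.startLine ?? 0,
      // Short SHA for display; the secret itself never reaches the report (--redact).
      commit: (r.partialFingerprints?.commitSha ?? "").slice(0, 7) || "n/a",
    };
  }));
}
// Render the summary section. No severity scale: any finding fails the gate,
// so the threshold is accepted for interface parity and ignored.
function renderGitleaks(findings, _threshold) {
  const out = ["### gitleaks (secret scan)", ""];
  if (findings.length === 0) {
    out.push("No secrets detected.");
    return { markdown: out.join("\n"), failed: false };
  }
  out.push("| rule | file | line | commit |", "|---|---|---|---|");
  for (const f of findings) out.push(`| ${[f.rule, f.file, f.line, f.commit].map(cell).join(" | ")} |`);
  return { markdown: out.join("\n"), failed: true };
}
```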