Skip to content

feat: add Gitleaks config and CI workflow#22

Merged
burigolucas merged 14 commits into
redhat-cop:mainfrom
stevefulme1:feat/gitleaks-configuration
Jul 2, 2026
Merged

feat: add Gitleaks config and CI workflow#22
burigolucas merged 14 commits into
redhat-cop:mainfrom
stevefulme1:feat/gitleaks-configuration

Conversation

@stevefulme1

Copy link
Copy Markdown
Contributor

Summary

  • Adds .gitleaks.toml with default rules extended by custom Ansible-specific credential detection patterns (OpenShift API keys, Automation Hub tokens, container registry passwords)
  • Configures allowlists for placeholder values (changeme), Jinja2 template variables ({{ }}), Ansible Vault references, example domains, and YAML comments
  • Adds path-based allowlists for defaults/main.yml and inventory.yml where variable declarations use block scalar indicators
  • Adds .github/workflows/gitleaks.yml GitHub Actions workflow to run Gitleaks on pushes to main and all PRs
  • Complements the existing Gitleaks pre-commit hook in .pre-commit-config.yaml

Related

  • Resolves: MFG-376

Test plan

  • Verify gitleaks detect --config .gitleaks.toml --no-git reports no false positives on the current codebase
  • Verify the GitHub Actions workflow triggers on PR creation
  • Test that a commit containing a real secret (e.g., a test API key) is detected and flagged
  • Confirm pre-commit hook still works with the new config file

🤖 Generated with Claude Code

@sabre1041

Copy link
Copy Markdown
Contributor

@luizfao @jeffcpullen Would you be able to review the content of this PR?

@jeffcpullen

jeffcpullen commented Apr 14, 2026

Copy link
Copy Markdown

Not an expert it GitHub actions or Gitleaks, but it looks like what I would expect to see. I appreciate the carve out on specific files with specific criteria "changeme" password placeholders. Going to let this run to review the output.

@jeffcpullen

Copy link
Copy Markdown

Ok, the run failed with 11 false positives.

10 of the 11 were looking at README.md files that do not contain secrets, but instead are documenting variables. For example, this line triggered Gitleaks.

<b>vm_ssh_openshift_api_key:</b> OpenShift API Key

The last one triggered the 'create_mf_aap_token_openshift_api_key' variable becuase it uses a multi-line YAML format.

    - name: Set fact with Service Account API key
      ansible.builtin.set_fact:
        create_mf_aap_token_openshift_api_key: >-
          "{{ create_mf_aap_token_migration_factory_aap_sa_token.resources[0].data.token | b64decode }}"
      no_log: "{{ create_mf_aap_token_secure_logging }}"

@stevefulme1

Copy link
Copy Markdown
Contributor Author

@jeffcpullen Thanks for running it and flagging those! I've pushed a fix (deaa285) that resolves all 11 false positives:

Changes to .gitleaks.toml:

  1. Added README.md to the global path allowlist — these files contain docsible-generated variable documentation (e.g., <b>vm_ssh_openshift_api_key:</b> OpenShift API Key), not actual secrets
  2. Added <b>.*</b> regex allowlist — catches the HTML bold tag pattern used to document variable names in READMEs
  3. Added [>|][+-]?\s*$ regex allowlist — catches multi-line YAML block scalars (>-, |, etc.) where the value is a Jinja2 template on the following line (e.g., create_mf_aap_token_openshift_api_key: >-)
  4. Extended per-rule path allowlists — added README.md and tasks/main.yml to the openshift-api-key and container-registry-password rules

Verified locally: gitleaks detect --config .gitleaks.toml -v now returns 0 leaks across all 43 commits.

sabre1041
sabre1041 previously approved these changes Apr 14, 2026

@sabre1041 sabre1041 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@burigolucas burigolucas self-requested a review June 26, 2026 08:45
stevefulme1 and others added 3 commits June 26, 2026 11:21
Adds .gitleaks.toml with custom rules for Ansible-specific credential
patterns (OpenShift API keys, Automation Hub tokens, container registry
passwords) and allowlists for placeholder values and Jinja2 templates.
Adds a GitHub Actions workflow to run Gitleaks on pushes and PRs.

Resolves: MFG-376

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add allowlists for docsible-generated README.md variable documentation
(HTML bold tags), multi-line YAML block scalars (>- / |) where values
are Jinja2 templates on the following line, and task files that reference
credential variable names without containing actual secrets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove pull_request_target trigger to prevent untrusted PR code from
running with write permissions. Remove conditional fork-detection logic
and explicit SHA checkout that are no longer needed.

@burigolucas burigolucas left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new gitleaks workflow add two changes to the current secret scanning in the pre-commit and CI workflows:

  1. It performs a full git history scanning not done in the other workflows
  2. Uses a customization to the gitleaks config that extends the default configuration

The advantage of adding this workflow is the clear separation of concerns. This new workflow will provide secret scanning to all PRs (internal and from forks) without the need of manual approving as in the case of the CI workflow.

We should then consider whether we need to use the same gitleaks configuration to the other workflows as well.

Comment thread CODE_OF_CONDUCT.md
Comment thread CONTRIBUTING.md
Comment thread COPYING Outdated
Comment thread SECURITY.md Outdated
Comment thread .github/workflows/gitleaks.yml
Comment thread .github/workflows/gitleaks.yml Outdated
- Revert CODE_OF_CONDUCT.md, CONTRIBUTING.md to main (handled in PR redhat-cop#31)
- Remove COPYING and SECURITY.md (handled in PR redhat-cop#31)
- Add explicit permissions block to gitleaks workflow
- Bump gitleaks-action from v2 to v3
Comment thread .github/workflows/gitleaks.yml Outdated
Comment thread .github/workflows/gitleaks.yml Outdated
Comment thread .github/workflows/gitleaks.yml Outdated
Per review feedback: remove with/args block, pass config via
GITLEAKS_CONFIG env var, add GITLEAKS_LICENSE secret required by v3.
gitleaks-action v3 requires a paid GITLEAKS_LICENSE secret.
Switch to installing gitleaks CLI directly — free, no license needed,
same detection capability.
Hardcoded v8.27.2 returned 404. Now fetches latest release tag
from GitHub redirect header at install time.
@stevefulme1

Copy link
Copy Markdown
Contributor Author

@burigolucas The CI failure on ansible-validate-tokens (run #26514770755) is a missing AUTOMATION_HUB_TOKEN secret in repo settings — not a code issue.

AUTOMATION_HUB_TOKEN is not defined. Exiting

Could you (or a repo admin) add the AUTOMATION_HUB_TOKEN secret under Settings → Secrets and variables → Actions?

@burigolucas

Copy link
Copy Markdown
Contributor

The root cause is not that. The token is defined but it is not available to the pull_request event for security reasons. The CI must run through the pull_request_target event that we must manually approve first. I will do it once I am back to the keyboard

@burigolucas burigolucas merged commit d22334c into redhat-cop:main Jul 2, 2026
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants