feat: add Gitleaks config and CI workflow#22
Conversation
|
@luizfao @jeffcpullen Would you be able to review the content of this PR? |
|
Not an expert it GitHub actions or Gitleaks, but it looks like what I would expect to see. I appreciate the carve out on specific files with specific criteria "changeme" password placeholders. Going to let this run to review the output. |
|
Ok, the run failed with 11 false positives. 10 of the 11 were looking at README.md files that do not contain secrets, but instead are documenting variables. For example, this line triggered Gitleaks. The last one triggered the 'create_mf_aap_token_openshift_api_key' variable becuase it uses a multi-line YAML format. |
|
@jeffcpullen Thanks for running it and flagging those! I've pushed a fix ( Changes to
Verified locally: |
Adds .gitleaks.toml with custom rules for Ansible-specific credential patterns (OpenShift API keys, Automation Hub tokens, container registry passwords) and allowlists for placeholder values and Jinja2 templates. Adds a GitHub Actions workflow to run Gitleaks on pushes and PRs. Resolves: MFG-376 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add allowlists for docsible-generated README.md variable documentation (HTML bold tags), multi-line YAML block scalars (>- / |) where values are Jinja2 templates on the following line, and task files that reference credential variable names without containing actual secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove pull_request_target trigger to prevent untrusted PR code from running with write permissions. Remove conditional fork-detection logic and explicit SHA checkout that are no longer needed.
deaa285 to
e359002
Compare
burigolucas
left a comment
There was a problem hiding this comment.
The new gitleaks workflow add two changes to the current secret scanning in the pre-commit and CI workflows:
- It performs a full git history scanning not done in the other workflows
- Uses a customization to the gitleaks config that extends the default configuration
The advantage of adding this workflow is the clear separation of concerns. This new workflow will provide secret scanning to all PRs (internal and from forks) without the need of manual approving as in the case of the CI workflow.
We should then consider whether we need to use the same gitleaks configuration to the other workflows as well.
- Revert CODE_OF_CONDUCT.md, CONTRIBUTING.md to main (handled in PR redhat-cop#31) - Remove COPYING and SECURITY.md (handled in PR redhat-cop#31) - Add explicit permissions block to gitleaks workflow - Bump gitleaks-action from v2 to v3
Per review feedback: remove with/args block, pass config via GITLEAKS_CONFIG env var, add GITLEAKS_LICENSE secret required by v3.
gitleaks-action v3 requires a paid GITLEAKS_LICENSE secret. Switch to installing gitleaks CLI directly — free, no license needed, same detection capability.
Hardcoded v8.27.2 returned 404. Now fetches latest release tag from GitHub redirect header at install time.
|
@burigolucas The CI failure on Could you (or a repo admin) add the |
|
The root cause is not that. The token is defined but it is not available to the pull_request event for security reasons. The CI must run through the pull_request_target event that we must manually approve first. I will do it once I am back to the keyboard |
Summary
.gitleaks.tomlwith default rules extended by custom Ansible-specific credential detection patterns (OpenShift API keys, Automation Hub tokens, container registry passwords)changeme), Jinja2 template variables ({{ }}), Ansible Vault references, example domains, and YAML commentsdefaults/main.ymlandinventory.ymlwhere variable declarations use block scalar indicators.github/workflows/gitleaks.ymlGitHub Actions workflow to run Gitleaks on pushes to main and all PRs.pre-commit-config.yamlRelated
Test plan
gitleaks detect --config .gitleaks.toml --no-gitreports no false positives on the current codebase🤖 Generated with Claude Code