ci: add Gitleaks secret-scanning workflow (#146)

Status: Merged
Adds `.github/workflows/gitleaks.yml` tailored to CyClaw's security-workflow conventions:

- push/PR to `main`, weekly Friday cron (staggered from existing scanners), and manual `workflow_dispatch`
- full-history checkout (`fetch-depth: 0`) so every commit is scanned
- deny-all top-level permissions with per-job least privilege (`contents: read`, `pull-requests: write`)
- concurrency group that preserves uninterrupted scan history on `main`
- third-party actions SHA-pinned with version comments (supply-chain safety)

No `paths-ignore`: secret scanning covers the entire tree, including docs and config, since leaked credentials can appear anywhere.
## Summary

Adds `.github/workflows/gitleaks.yml` — a Gitleaks secret-scanning workflow tailored to CyClaw rather than copied verbatim from the baseline.

This was adapted from the baseline `gitleaks.yml` in `CGFixIT/AzureAI-CopilotStudio-PersonalAgent-Instructions` and reshaped to match the conventions already used by CyClaw's security workflows (`ci.yml`, `osv-scanner.yml`, `codeql.yml`, `pip-audit.yml`).

## What it does

- Runs on push to `main`, on pull requests to `main` (differential gate before merge), on a weekly cron, and on `workflow_dispatch`.
- Full-history checkout (`fetch-depth: 0`) so every commit is audited, not just `HEAD`.

## How it's tailored to CyClaw

| | Baseline | CyClaw |
|---|---|---|
| Workflow name | `CG Gitleaks Secret Scan` | `CyClaw Gitleaks Secret Scan` (matches `CyClaw CI`, `CodeQL Advanced`, `OSV-Scanner`) |
| Permissions | `contents: read` | `permissions: {}` deny-all + per-job least privilege (mirrors `osv-scanner.yml`) |
| Action pinning | `@v2`/`@v4` | SHA + `# vX.Y.Z` comments (mirrors `ci.yml`/`osv-scanner.yml`/`pip-audit.yml` supply-chain convention) |
| Concurrency | | `gitleaks-…` group; superseded runs cancelled, but `main` history preserved (mirrors `ci.yml`) |

## Pinned versions

- `actions/checkout@34e1148…` (v4) — the exact SHA already trusted in `ci.yml`/`pip-audit.yml`
- `gitleaks/gitleaks-action@ff98106…` (v2.3.9, latest v2 release)

## Notes / decisions

- No `paths-ignore` — unlike `codeql.yml`, secret scanning intentionally covers the entire tree (docs/config included), since leaked credentials can appear anywhere.
- Permissions: `contents: read` (full-history checkout) + `pull-requests: write` (annotate PR findings). No `security-events: write` / SARIF upload is added, because `gitleaks-action@v2` does not publish to the code-scanning tab by default — this keeps the permission set minimal and matches the baseline behavior.
- `GITLEAKS_LICENSE` is intentionally omitted — it's only required for GitHub Organization accounts; `CGFixIT/CyClaw` is a personal account.

## Possible follow-up (not in this PR)

If false positives appear (e.g. dummy values like `GROK_API_KEY=dummy` used in CI, or example endpoints in `config.yaml`), a `.gitleaks.toml` allowlist can be added later. It's deliberately omitted here so the default ruleset isn't weakened before we see real signal.

## Verification

- Workflow YAML parses (`yaml.safe_load`).

🤖 Generated with Claude Code
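The conventions the PR lists (deny-all top-level `permissions`, per-job least privilege, full-SHA pins with a `# vX.Y.Z` comment, `fetch-depth: 0`, no `paths-ignore`) are exactly the kind of thing that drifts the next time someone edits a workflow. Below is an added example, not the PR's `gitleaks.yml` and not project code: a constructed workflow that follows those conventions, and a standard-library, line-based lint that checks them. The cron hour, the concurrency group name and both 40-character SHAs are placeholders or assumptions (the page shows only truncated SHA prefixes), and the lint is deliberately line-based rather than a full YAML parse so it runs without PyYAML.

```python
"""Added example (not the PR's gitleaks.yml): a constructed workflow following the
conventions the PR describes, plus a stdlib-only, line-based lint for them."""
import re

# Placeholders: the page shows only truncated SHA prefixes, so these are NOT real
# commits. Replace with the full 40-char SHA of the release you verified.
PLACEHOLDER_CHECKOUT_SHA = "1" * 40
PLACEHOLDER_GITLEAKS_SHA = "2" * 40

# Constructed sample mirroring the PR description (cron hour and concurrency
# group name are assumptions made for this example).
SAMPLE_WORKFLOW = """\
name: CyClaw Gitleaks Secret Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 5'   # weekly, Friday; the hour is an assumption
  workflow_dispatch:

permissions: {}   # deny-all at top level; the job opts in below

concurrency:
  group: gitleaks-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}   # keep main history

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # full-history checkout
      pull-requests: write  # annotate PR findings
    steps:
      - uses: actions/checkout@CHECKOUT_SHA # v4
        with:
          fetch-depth: 0   # full history so every commit is scanned, not just HEAD
      - uses: gitleaks/gitleaks-action@GITLEAKS_SHA # v2.3.9
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
""".replace("CHECKOUT_SHA", PLACEHOLDER_CHECKOUT_SHA).replace("GITLEAKS_SHA", PLACEHOLDER_GITLEAKS_SHA)

USES = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)\s*(?:#\s*(?P<comment>.*))?$")
FULL_SHA = re.compile(r"^[^@\s]+@[0-9a-f]{40}$")
VERSION_COMMENT = re.compile(r"^v\d+(?:\.\d+)*\b")
WRITE_SCOPE = re.compile(r"^\s*(?P<scope>[\w-]+):\s*write\b")
ALLOWED_WRITE = {"pull-requests"}   # the only write scope the PR grants


def check_workflow(text: str) -> list[str]:
    """Return convention violations for one workflow file; empty list = compliant."""
    findings = []
    lines = text.splitlines()
    # Column-0 keys are the top-level mapping; job-level keys are indented.
    top = {l.split(":", 1)[0]: l for l in lines
           if l and not l[0].isspace() and not l.startswith("#") and ":" in l}
    if not re.fullmatch(r"permissions:\s*\{\}\s*(?:#.*)?", top.get("permissions", "")):
        findings.append("top-level permissions is not deny-all (`permissions: {}`)")
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        if m:
            ref, comment = m.group("ref"), m.group("comment") or ""
            if not FULL_SHA.match(ref):          # tag or branch ref: mutable, not pinned
                findings.append(f"line {n}: action not pinned to a full commit SHA: {ref}")
            elif not VERSION_COMMENT.match(comment):
                findings.append(f"line {n}: SHA pin lacks a '# vX.Y.Z' comment: {ref}")
        if "paths-ignore" in line:
            findings.append(f"line {n}: paths-ignore narrows what gets scanned for secrets")
        w = WRITE_SCOPE.match(line)
        if w and w.group("scope") not in ALLOWED_WRITE:
            findings.append(f"line {n}: write permission beyond PR annotation: {line.strip()}")
    if "actions/checkout@" in text and not re.search(r"fetch-depth:\s*0\b", text):
        findings.append("checkout without fetch-depth: 0 (only HEAD would be scanned)")
    return findings


def weaken(text: str) -> str:
    """Produce a deliberately non-compliant variant of a workflow for testing the lint."""
    text = re.sub(r"^permissions: \{\}.*$", "permissions:\n  contents: write", text, flags=re.M)
    text = re.sub(r"actions/checkout@\S+ # v4", "actions/checkout@v4", text)
    text = re.sub(r"\n\s+with:\n\s+fetch-depth: 0[^\n]*", "", text)
    text = re.sub(r"(  pull_request:\n    branches: \[main\]\n)",
                  r"\1    paths-ignore: ['docs/**']\n", text)
    return text


WEAK_WORKFLOW = weaken(SAMPLE_WORKFLOW)

if __name__ == "__main__":
    for label, wf in (("compliant", SAMPLE_WORKFLOW), ("weakened", WEAK_WORKFLOW)):
        print(f"{label}: {check_workflow(wf) or 'no findings'}")
```

Run it over every file under `.github/workflows/` in CI and fail the job on any finding; that turns the conventions in this PR's table into something enforced rather than remembered.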