chore: add gitleaks workflow and mock secret for testing #6
duongtronghoa6a-debug wants to merge 2 commits into
Pull request overview
Adds automated secret scanning on pull requests using Gitleaks, and introduces a sample “mock secret” file intended to validate detection behavior.
Changes:
- Add a new GitHub Actions workflow to run Gitleaks on PRs targeting main and dev
- Add mock-secret.txt containing an AWS-key-like value for testing secret detection
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| mock-secret.txt | Adds a mock credential-like string intended to trigger Gitleaks. |
| .github/workflows/gitleaks.yml | Introduces a PR-triggered Gitleaks scanning workflow. |
| @@ -0,0 +1,2 @@ | |||
| # Dòng này cố tình chứa secret giả để test Gitleaks trong quá trình làm đồ án | |||
| AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE | |||
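Review bot: merging this file makes the fixture a permanent failing check rather than a one-off test, because the workflow checks out full history (`fetch-depth: 0`) and will re-flag `mock-secret.txt` on every later pull request. Also confirm that `AKIAIOSFODNN7EXAMPLE` actually produces a finding under the configuration in use: it is the placeholder key from the AWS documentation, and allowlist entries in the repo's existing `gitleaks.toml` or `.gitleaksignore` may already exclude values of that form, in which case the test proves nothing. Prefer writing a throwaway value to a temp file inside the job and deleting it afterwards, or a deliberately non-matching placeholder, and write the comment line in English so other contributors can see the intent.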
This committed file contains a string matching an AWS Access Key ID pattern. Even if it’s intentionally fake, it will be flagged by Gitleaks and also normalizes committing credential-like material into the repo. Prefer generating this test secret during the workflow run (or using a non-matching placeholder), and keep real-looking secrets out of version control.
| AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE | |
| AWS_ACCESS_KEY_ID=TEST_ACCESS_KEY_PLACEHOLDER |
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - uses: gitleaks/gitleaks-action@v2 |
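Review bot: `actions/checkout@v4` and `gitleaks/gitleaks-action@v2` are floating tags, so the step that is supposed to protect the supply chain is itself resolved to whatever those tags point at tomorrow; pin both to a full commit SHA (version noted in a trailing comment) and let Dependabot bump them. The hunk also shows no `permissions:` block for the job; add `permissions: contents: read`, widening to `pull-requests: write` only if the action is expected to comment on the PR, so the workflow token carries the minimum scope.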
This workflow runs gitleaks without referencing the repo’s existing gitleaks.toml / .gitleaksignore configuration, so allowlisted paths won’t be applied and results may differ from the existing nightly scan. Consider passing the config/ignore via the action inputs (or args) to ensure consistent findings across workflows.
| - uses: gitleaks/gitleaks-action@v2 | |
| - uses: gitleaks/gitleaks-action@v2 | |
| with: | |
| args: --config=.gitleaks.toml --gitleaks-ignore-path=.gitleaksignore |
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 |
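Review bot: before adopting the suggested `fetch-depth: 1`, verify that the action still has the PR's commits available: in pull_request mode the Gitleaks action scans the PR's commit range rather than only the working tree, and a single-commit checkout may leave it nothing to diff against, so the scan either errors or silently covers less than intended. If the goal is the working-tree-only scan the comment describes, set that explicitly through the action's `args` (the no-git mode mentioned above) alongside the shallow checkout, and confirm the combination still reports the mock secret.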
With fetch-depth: 0 and no explicit “no-git/diff-only” mode, this is likely to scan full git history on every PR, which can be significantly slower and may surface unrelated historical findings. If the intent is to scan just the working tree for the PR, configure gitleaks accordingly and keep the checkout shallow to reduce runtime.
| fetch-depth: 0 | |
| fetch-depth: 1 |
No description provided.