Feature/setup gitleaks #7
Pull request overview
Adds a pull-request Gitleaks scan workflow (in addition to the existing nightly scan) and includes a sample “mock secret” file intended to exercise detection.
Changes:
- Added `mock-secret.txt` containing a token-like string for testing Gitleaks detection.
- Added `.github/workflows/gitleaks.yml` to run Gitleaks on pull requests targeting `main` and `dev`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| mock-secret.txt | Introduces a test secret-like value (currently problematic to keep in-repo). |
| .github/workflows/gitleaks.yml | Adds PR-time Gitleaks scanning via gitleaks/gitleaks-action@v2. |
| # Dòng này cố tình chứa secret giả để test Gitleaks trong quá trình làm đồ án | ||
| -----BEGIN PRIVATE KEY----- | ||
| MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDE | ||
| -----END PRIVATE KEY----- |
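Review bot: the visible lines are a PEM-framed block (`-----BEGIN PRIVATE KEY-----` / `-----END PRIVATE KEY-----` around a short base64 body), not a `ghp_` GitHub PAT as the comment below describes; Gitleaks' built-in private-key rule matches on that header/footer pair, so the PR-time job will flag this file whether or not the body decodes to a usable key. Whichever fixture shape is kept, the allowlist entry in gitleaks.toml has to match this file's path, otherwise the check blocks every PR on the branch.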
This file commits a GitHub PAT-looking token string (ghp_...). Even if intended as a mock, it can trigger GitHub secret scanning / token revocation workflows and will cause the new Gitleaks job to fail, blocking merges. Replace it with a clearly non-secret placeholder (that does not match real token formats), or keep test fixtures outside the repo/CI scan via an allowlist entry (e.g., gitleaks.toml allowlist path) rather than committing a token-like value.
| # Dòng này cố tình chứa secret giả để test Gitleaks trong quá trình làm đồ án | |
| -----BEGIN PRIVATE KEY----- | |
| MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDE | |
| -----END PRIVATE KEY----- | |
| # Dòng này dùng placeholder không phải secret thật để test Gitleaks trong quá trình làm đồ án | |
| MOCK_PRIVATE_KEY_PLACEHOLDER_FOR_TESTING_ONLY | |
| NOT_A_REAL_KEY_OR_CREDENTIAL | |
| END_MOCK_PRIVATE_KEY_PLACEHOLDER |
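Review bot: the replacement lines (`MOCK_PRIVATE_KEY_PLACEHOLDER_FOR_TESTING_ONLY` and the two that follow) match no Gitleaks rule, so once this suggestion is applied the file no longer exercises detection, which the PR overview says is its purpose, while its first-line comment still claims it is there to test Gitleaks. Either remove the file or keep a realistic fixture under an allowlisted path; a placeholder that never fires gives no evidence that the scan works.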
| fetch-depth: 0 | ||
| - uses: gitleaks/gitleaks-action@v2 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
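Review bot: `fetch-depth: 0` deserves a one-line comment in the YAML explaining why it is there: gitleaks-action scans the commit history, not just the checked-out tree, and a shallow clone would hide a secret that was committed and then deleted earlier on the branch. Readers who later "optimise" the checkout to the default depth would otherwise silently weaken the scan.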
This PR introduces a PR-time Gitleaks workflow, but it doesn’t use the repo’s existing gitleaks.toml configuration / allowlist (the nightly workflow runs detect with --config=/work/gitleaks.toml). As a result, PR scans may produce different findings than nightly runs (including false positives or misses). Configure this action to run with the same config/ignore setup as the existing nightly job so results are consistent.
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITLEAKS_CONFIG: ${{ github.workspace }}/gitleaks.toml |
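The allowlist route from the first comment and the shared-config point from the second, as an added example (not from this PR and not the repo's actual gitleaks.toml, whose contents are not shown here): a gitleaks.toml at the repository root that keeps the default rule set and excludes only the fixture by path, so the same file serves the PR job via `GITLEAKS_CONFIG` and the nightly `--config` run. It assumes the fixture stays named `mock-secret.txt` at the repository root.

```toml
# gitleaks.toml at the repository root (added example; assumed layout).
# Pull in Gitleaks' built-in rules so PR and nightly jobs detect the same things;
# this file only narrows where those rules apply.
[extend]
useDefault = true

[allowlist]
description = "Deliberate look-alike secret used as a detection fixture; skipped by path, never by content"
# Anchored regex: only the root-level fixture is skipped, not any other file
# that happens to share the name, and no content-based regex is added here,
# so the same private-key pattern committed anywhere else is still reported.
paths = [
  '''^mock-secret\.txt$''',
]
```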
| - uses: gitleaks/gitleaks-action@v2 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
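Review bot: `gitleaks/gitleaks-action@v2` is a floating major tag, so this job runs whatever the maintainers currently publish under v2, including a newer bundled Gitleaks engine; pin the action to a full commit SHA (with the tag kept in a trailing comment) so the PR check is reproducible and a changed or compromised tag cannot alter what executes on every pull request. That also addresses the engine drift relative to the nightly `v8.18.4` image raised in the comment above.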
This workflow uses gitleaks/gitleaks-action@v2, which may run a different Gitleaks engine version than the nightly scan (currently pinned to zricethezav/gitleaks:v8.18.4). That can lead to inconsistent detections between PR and nightly runs. Consider pinning the underlying Gitleaks version (or switching both workflows to the same invocation method) to keep behavior stable and comparable over time.
| - uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Gitleaks | |
| run: | | |
| docker run --rm \ | |
| -v "${{ github.workspace }}:/repo" \ | |
| -w /repo \ | |
| zricethezav/gitleaks:v8.18.4 \ | |
| git --no-banner |
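Review bot: the suggested `docker run` omits the `--config` flag that the nightly job passes (`--config=/work/gitleaks.toml` per the earlier comment), so it fixes the engine version but reintroduces the config mismatch; with the repo mounted at `/repo`, add `--config=/repo/gitleaks.toml`. The nightly job also uses `detect`, while this line invokes the `git` subcommand, which as far as I can tell was introduced after the 8.18 series, so against the pinned `v8.18.4` image it is likely to exit with an unknown-command error; `detect --source=/repo --config=/repo/gitleaks.toml --no-banner` mirrors the nightly invocation. Finally, git inside the container refuses to read a bind-mounted repository owned by a different uid unless `safe.directory` is set, so please confirm in the job log that history was actually scanned rather than the step exiting early.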
No description provided.