19 changes: 19 additions & 0 deletions .github/workflows/gitleaks.yml
@@ -0,0 +1,19 @@
name: Gitleaks Scan

on:
pull_request:
branches:
- main
- dev

jobs:
scan:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
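Review bot: no `permissions:` block is declared at workflow or job level, so the token handed to the action in `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` carries whatever default scopes the repository grants; add an explicit least-privilege block (for example `permissions:` with `contents: read`, widening only to the scope the action actually needs to annotate the pull request). Related: `actions/checkout@v4` and `gitleaks/gitleaks-action@v2` are floating major tags; for a workflow that acts as a security gate, pinning both to full commit SHAs keeps the executed code from changing underneath the tag.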

Copilot AI May 1, 2026


This PR introduces a PR-time Gitleaks workflow, but it doesn’t use the repo’s existing gitleaks.toml configuration / allowlist (the nightly workflow runs detect with --config=/work/gitleaks.toml). As a result, PR scans may produce different findings than nightly runs (including false positives or misses). Configure this action to run with the same config/ignore setup as the existing nightly job so results are consistent.

Suggested change
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_CONFIG: ${{ github.workspace }}/gitleaks.toml

Comment on lines +17 to +19

Copilot AI May 1, 2026


This workflow uses gitleaks/gitleaks-action@v2, which may run a different Gitleaks engine version than the nightly scan (currently pinned to zricethezav/gitleaks:v8.18.4). That can lead to inconsistent detections between PR and nightly runs. Consider pinning the underlying Gitleaks version (or switching both workflows to the same invocation method) to keep behavior stable and comparable over time.

Suggested change
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run Gitleaks
run: |
docker run --rm \
-v "${{ github.workspace }}:/repo" \
-w /repo \
zricethezav/gitleaks:v8.18.4 \
git --no-banner
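Review bot: the suggested `docker run` invocation still does not pass the repo's `gitleaks.toml` that the first comment asks for, and it invokes `git --no-banner` rather than the `detect --config=/work/gitleaks.toml` form that comment says the nightly job uses, so accepting it as written would keep PR and nightly scans running differently. If parity is the goal, mirror the nightly command itself (same subcommand and `--config` path, with the checkout mounted where that path expects it, noting the suggestion mounts at `/repo` while the nightly config lives under `/work`) rather than only matching the image tag.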
