From c3e34d3571986e33755048f40afffeca773f767d Mon Sep 17 00:00:00 2001 From: Divyam Talwar Date: Thu, 26 Mar 2026 02:16:10 +0530 Subject: [PATCH] ci(security): enforce gitleaks and drop pip-audit CVE ignore --- .github/workflows/security.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 4618bdd..b90c5c6 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -26,6 +26,22 @@ env: PYTHONUNBUFFERED: "1" jobs: + secret-scan: + runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + contents: read + steps: + - uses: actions/checkout@v6 + with: + persist-credentials: false + fetch-depth: 0 + - name: Run gitleaks + uses: gitleaks/gitleaks-action@v2 + env: + GITLEAKS_CONFIG: .gitleaks.toml + GITLEAKS_ENABLE_COMMENTS: false + dependency-review: if: > github.event_name == 'pull_request' && @@ -64,7 +80,7 @@ jobs: python -m pip freeze --exclude-editable > .pip-audit-requirements.txt python -m pip install pip-audit - name: Run pip-audit - run: pip-audit --strict --progress-spinner off -r .pip-audit-requirements.txt --ignore-vuln CVE-2026-4539 + run: pip-audit --strict --progress-spinner off -r .pip-audit-requirements.txt codeql: if: >