Skip to content

fix(leak-scan): install gitleaks+trufflehog with SHA pins; fail-closed all-refs mode#63

Merged
jorisjonkers-dev-agents[bot] merged 2 commits into
mainfrom
fix/leak-scan-install-tools
Jul 10, 2026
Merged

fix(leak-scan): install gitleaks+trufflehog with SHA pins; fail-closed all-refs mode#63
jorisjonkers-dev-agents[bot] merged 2 commits into
mainfrom
fix/leak-scan-install-tools

Conversation

@jorisjonkers-dev-agents

Copy link
Copy Markdown
Contributor

Summary

  • Adds SHA-256-pinned install steps for gitleaks v8.30.1 and trufflehog v3.95.9 to actions/leak-scan/action.yml. Tarballs are verified against pinned checksums before installation. Install is idempotent: skips download when the tool is already on PATH.
  • Hardens run.sh: in all-refs mode, gitleaks being absent after the install step now causes an immediate job failure (E_GITLEAKS_MISSING) instead of the previous warn-and-continue behaviour. pr-diff mode retains its graceful warning; existing callers using pr-diff (e.g. homelab-deploy pipeline.yml) are unaffected.
  • Adds T-D7 test group (11 tests) covering install step presence, version and SHA pinning, idempotency, checksum verification, and the fail-closed all-refs contract.

Verified against run https://github.com/JorisJonkers-dev/homelab-deploy/actions/runs/29074833445 which showed the silent-degradation path.

Test plan

  • CI Python Tests pass (148 tests, 91% coverage)
  • Actionlint passes
  • YAML validity passes
  • After release, bump homelab-deploy's pinned ref and re-dispatch leak-scan-all-refs.yml to confirm a real gitleaks all-refs scan executes

@jorisjonkers-dev-agents jorisjonkers-dev-agents Bot added type: bug Something is broken or behaving incorrectly. area: tooling Reusable workflows, Gradle, templates, Renovate, and API tooling. labels Jul 10, 2026
…mode

Add SHA-256-pinned install steps for gitleaks v8.30.1 and trufflehog
v3.95.9 to actions/leak-scan/action.yml.  Each step is idempotent
(skips download when the tool is already on PATH) and verifies the
release tarball checksum before installation.

Harden run.sh: in all-refs mode, gitleaks being absent after the install
step now causes an immediate job failure (E_GITLEAKS_MISSING) instead of
the previous warn-and-continue behaviour.  pr-diff mode retains its
graceful warning so callers that rely on deny-list-only fallback are
unaffected.

Add T-D7 test group (11 tests) covering install step presence, version
and SHA pinning, idempotency, checksum verification, and the fail-closed
all-refs contract.
…guard position

Add continue-on-error: true to both install steps so that a failed
download or checksum mismatch does not abort the composite action before
run.sh executes.  run.sh enforces the fail-closed contract for all-refs
(E_GITLEAKS_MISSING) and the graceful warning for pr-diff, so the
correct behaviour is preserved regardless of install outcome.

Move the if __name__ == "__main__" guard to the physical end of
test_deploy_platform_d.py so that the T-D7 test class is not skipped
when the file is executed directly.
@jorisjonkers-dev-agents jorisjonkers-dev-agents Bot force-pushed the fix/leak-scan-install-tools branch from 8082775 to 6687500 Compare July 10, 2026 07:00
@jorisjonkers-dev-agents jorisjonkers-dev-agents Bot merged commit 1ddf81e into main Jul 10, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: tooling Reusable workflows, Gradle, templates, Renovate, and API tooling. type: bug Something is broken or behaving incorrectly.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant