Skip to content

CI: always-on gitleaks secret scanning#439

Merged
MikeyPetrillo merged 2 commits into
mainfrom
claude/sweet-brown-i99jl3
Jul 18, 2026
Merged

CI: always-on gitleaks secret scanning#439
MikeyPetrillo merged 2 commits into
mainfrom
claude/sweet-brown-i99jl3

Conversation

@MikeyPetrillo

Copy link
Copy Markdown
Owner

Adds committed-secret scanning that runs on every push and PR, independent of the deploy marker system.

What

  • .github/workflows/secret-scan.yml: always-on (not marker-gated). Downloads a pinned, checksum-verified gitleaks 8.21.2 and scans the working tree on every push to a tracked branch and every pull request.
  • .gitleaks.toml: extends the default high-signal ruleset (OpenAI sk- keys, GitHub/AWS tokens, private keys, mnemonics) and allowlists this repo's structural false positives.

Allowlist is precise, not blanket

Each entry was verified against a full tree + history scan. The pre-existing hits are all non-secrets: public EVM contract/wallet addresses (allowlisted as 40-hex, so a real 64-hex private key still fires), the standard demo JWT used as the decode-jwt worked example, and the leak-guard test's own canary fixtures. Test-file and docs paths are allowlisted since they carry fake creds by design.

Verified

Without the config: 17 tree findings, all confirmed public addresses / demo JWTs / fake fixtures. With the config: tree scans clean, and the pinned linux asset name + checksum grep both resolve (HTTP 200, sha256 match). One history-only hit (a UUID in a since-removed, now-gitignored .remember/ notes file) does not affect the tree scan.

Real secrets live only in Railway env and GitHub Actions secrets, never in the repo — this workflow keeps it that way.

🤖 Generated with Claude Code

MikeyPetrillo and others added 2 commits July 17, 2026 22:27
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
New .github/workflows/secret-scan.yml runs on every push to a tracked branch
and every pull request (NOT marker-gated, unlike deploy.yml): a committed
credential should never depend on remembering a marker. It downloads a pinned,
checksum-verified gitleaks 8.21.2 and scans the working tree.

.gitleaks.toml extends the default high-signal ruleset (OpenAI sk- keys,
GitHub/AWS tokens, private keys, mnemonics) and allowlists this repo's
structural false positives, each verified against a full tree + history scan:
public EVM addresses (40-hex, so a 64-hex private key still fires), the
standard demo JWT used as the decode-jwt example, and the leak-guard test's
own canary fixtures. With the config the current tree scans clean.

Verified locally: without the config gitleaks flags 17 tree hits, all public
addresses / demo JWTs / fake fixtures; with the config the tree is clean and
the pinned linux asset + checksum grep both resolve. Real secrets live only in
Railway env and GitHub Actions secrets, never in the repo.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@MikeyPetrillo
MikeyPetrillo marked this pull request as ready for review July 18, 2026 03:04
@MikeyPetrillo
MikeyPetrillo merged commit 66b7e64 into main Jul 18, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant