Skip to content

CI: secrets-scan#83

Open
Hardonian wants to merge 1 commit into
mainfrom
ci-hardening-0711
Open

CI: secrets-scan#83
Hardonian wants to merge 1 commit into
mainfrom
ci-hardening-0711

Conversation

@Hardonian

Copy link
Copy Markdown
Owner

Adds gitleaks secret scanning Action.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bc2f19c86b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: gitleaks/gitleaks-action@v2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Pass GITHUB_TOKEN to the gitleaks action

For pull_request runs, gitleaks/gitleaks-action@v2 exits before scanning when process.env.GITHUB_TOKEN is unset; I checked the v2 action source, which logs that GITHUB_TOKEN is now required to scan pull requests and calls process.exit(1). This workflow triggers on pull requests but does not provide the token in the step env, so every PR scan will fail before checking for leaks; add env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} on this step.

Useful? React with 👍 / 👎.

scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Fetch full history before running the scan

actions/checkout fetches only the triggering commit by default, but the v2 gitleaks action builds git log ranges such as baseRef^..headRef from the first/last PR commits and its own usage example sets fetch-depth: 0. On pull requests (and multi-commit pushes), those commits are often not present in a depth-1 checkout, so the scan can error out or miss the intended range; configure this checkout step with fetch-depth: 0.

Useful? React with 👍 / 👎.

- uses: actions/checkout@v4
- uses: gitleaks/gitleaks-action@v2
with:
config-path: .gitleaks.toml

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: config-path: .gitleaks.toml references a config file that does not exist in the repo

The workflow sets config-path: .gitleaks.toml, but no such file exists at the repo root (confirmed: no .gitleaks.toml is present in the tree). gitleaks-action passes --config .gitleaks.toml to gitleaks, which fails with failed to load config: open .gitleaks.toml: no such file or directory. As a result the scan step errors on every run and the secret-scanning feature never actually runs.

Fix by either committing a .gitleaks.toml, or removing the config-path input so the action falls back to its bundled default config.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

@kilo-code-bot

kilo-code-bot Bot commented Jul 11, 2026

Copy link
Copy Markdown

Code Review Summary

Status: 1 New Issue Found (3 total open) | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0

Note: 2 additional open findings from a prior reviewer (Codex) are still active on this PR and not duplicated here:

  • Line 13: actions/checkout should use fetch-depth: 0
  • Line 14: pass GITHUB_TOKEN to the gitleaks action
Issue Details (click to expand)

WARNING

File Line Issue
.github/workflows/secrets-scan.yml 16 config-path: .gitleaks.toml points to a config file that does not exist in the repo, so the gitleaks scan fails on every run
Files Reviewed (1 file)
  • .github/workflows/secrets-scan.yml - 1 issue

Reviewed by hy3-20260706:free · Input: 59K · Output: 7.1K · Cached: 225.1K

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant