Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .github/workflows/secrets-scan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
name: Secrets Scan

on:
push:
branches: [main]
pull_request:
branches: [main]

jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Fetch full history before running the scan

actions/checkout fetches only the triggering commit by default, but the v2 gitleaks action builds git log ranges such as baseRef^..headRef from the first/last PR commits and its own usage example sets fetch-depth: 0. On pull requests (and multi-commit pushes), those commits are often not present in a depth-1 checkout, so the scan can error out or miss the intended range; configure this checkout step with fetch-depth: 0.

Useful? React with 👍 / 👎.

- uses: gitleaks/gitleaks-action@v2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Pass GITHUB_TOKEN to the gitleaks action

For pull_request runs, gitleaks/gitleaks-action@v2 exits before scanning when process.env.GITHUB_TOKEN is unset; I checked the v2 action source, which logs that GITHUB_TOKEN is now required to scan pull requests and calls process.exit(1). This workflow triggers on pull requests but does not provide the token in the step env, so every PR scan will fail before checking for leaks; add env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} on this step.

Useful? React with 👍 / 👎.

with:
config-path: .gitleaks.toml

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: config-path: .gitleaks.toml references a config file that does not exist in the repo

The workflow sets config-path: .gitleaks.toml, but no such file exists at the repo root (confirmed: no .gitleaks.toml is present in the tree). gitleaks-action passes --config .gitleaks.toml to gitleaks, which fails with failed to load config: open .gitleaks.toml: no such file or directory. As a result the scan step errors on every run and the secret-scanning feature never actually runs.

Fix by either committing a .gitleaks.toml, or removing the config-path input so the action falls back to its bundled default config.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

Loading