Skip to content

[SVLS-8660] ci: add gitleaks secrets scanning#1134

Open
litianningdatadog wants to merge 2 commits intotianning.li/SVLS-8660-ci-checksfrom
tianning.li/SVLS-8660-gitleak
Open

[SVLS-8660] ci: add gitleaks secrets scanning#1134
litianningdatadog wants to merge 2 commits intotianning.li/SVLS-8660-ci-checksfrom
tianning.li/SVLS-8660-gitleak

Conversation

@litianningdatadog
Copy link
Copy Markdown
Contributor

@litianningdatadog litianningdatadog commented Mar 26, 2026
edited
Loading

Summary

  • Adds `gitleaks` secrets scanning workflow (`.github/workflows/secrets-scan.yml`) triggered on every PR and push to `main`
  • Pins `gitleaks-action` to commit SHA (v2.3.9) consistent with repo convention
  • Adds `.gitleaks.toml` with documented allowlist structure for paths, regexes, and historical commits — includes maintenance guidance for future contributors
  • Addressed Copilot review feedback: add `permissions: contents: read`, enable `--redact` to prevent secrets appearing in CI logs, fix allowlist key reference in comments

Why

Secrets accidentally committed to a public repo (API keys, tokens, credentials) are the highest-severity risk for a public repository. Neither `cargo audit` nor Copilot catch this category. `gitleaks` uses pattern matching to block merges before a credential lands in `main`.

Test plan

  • Verify `Secrets Scan` job passes on this PR (no secrets in changed files)
  • After merging: add `Secrets Scan` as a required status check under `Repository Settings → Branches → main → Branch protection rules`
  • Optional smoke test: add a fake credential (e.g., `AKIAIOSFODNN7EXAMPLE`) to a comment on a test branch, confirm the job blocks it, then remove it

Related

🤖 Generated with Claude Code

@litianningdatadog litianningdatadog requested a review from a team as a code owner March 26, 2026 18:07
jchrostek-dd
jchrostek-dd reviewed Mar 26, 2026
View reviewed changes
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds automated secrets scanning to the repo’s CI to prevent credentials from reaching main, alongside configuration for suppressing known false positives.

Changes:

  • Add a new GitHub Actions workflow to run gitleaks on PRs and pushes to main
  • Add a .gitleaks.toml allowlist configuration with maintenance guidance
  • Add .github/copilot-instructions.md with security-focused code review guidance

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
.github/workflows/secrets-scan.yml Introduces the gitleaks secrets scanning CI job on PR/push events.
.gitleaks.toml Defines allowlist structure (paths/regexes/commits) and contributor guidance for handling findings.
.github/copilot-instructions.md Adds Copilot review instructions focused on PII/secrets logging, unsafe Rust, and error handling.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/copilot-instructions.md
Comment on lines +1 to +4
# Copilot Code Review Instructions

## Security — PII and Secrets

Copy link

Copilot AI Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description focuses on adding gitleaks scanning and .gitleaks.toml, but this PR also adds .github/copilot-instructions.md and references a strategy doc at .github/docs/ci-security-scanning-strategy.md that doesn’t appear to exist in the repo. Please confirm whether this file is intended to be part of this PR (vs the companion PR #1133) and update the PR description (or split the changes) to avoid confusion.

Copilot uses AI. Check for mistakes.
jchrostek-dd
jchrostek-dd reviewed Mar 26, 2026
View reviewed changes
.github/copilot-instructions.md
Comment on lines +17 to +26
## Security — Unsafe Rust

Flag new `unsafe` blocks and explain what invariant the author must uphold to make the
block safe. If there is a safe alternative, suggest it.

## Security — Error Handling

Flag cases where errors are silently swallowed (empty `catch`, `.ok()` without
handling, `let _ = result`) or where operations like `.unwrap()`/`.expect()` may panic,
in code paths that handle external input or network responses.
Copy link
Copy Markdown
Contributor

@jchrostek-dd jchrostek-dd Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why add this?

Is this from Claude/another agent? Did you just ask "What are important issues to check for in Rust PRs"?

Copy link
Copy Markdown
Contributor Author

@litianningdatadog litianningdatadog Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not exactly, these were in the implementation plan as intentional Copilot guidance for Rust-specific security patterns, not random AI additions. They cover different layers:

  • PII/Secrets — what not to log
  • Unsafe Rust — flag unsafe blocks and explain required invariants
  • Error Handling — catch silent failures in network/input paths

@duncanista
Copy link
Copy Markdown
Contributor

duncanista commented Mar 26, 2026

see if this pattern is used somewhere, we need a key to run this thing

@litianningdatadog litianningdatadog changed the base branch from main to tianning.li/SVLS-8660-ci-checks March 26, 2026 18:14
@litianningdatadog litianningdatadog force-pushed the tianning.li/SVLS-8660-ci-checks branch 2 times, most recently from 530325e to faba926 Compare March 27, 2026 18:05
@litianningdatadog @claude
ci: add gitleaks secrets scanning on PRs [SVLS-8660]
cb600c4 
- Add secrets-scan workflow triggered on PR and push to main
- Pin gitleaks-action to SHA (v2.3.9)
- Add .gitleaks.toml with documented allowlist structure for
  paths, regexes, and commits with maintenance guidance

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@litianningdatadog litianningdatadog force-pushed the tianning.li/SVLS-8660-gitleak branch from 0a2ea9c to 72adf5b Compare March 27, 2026 18:28
@litianningdatadog @claude
ci: address Copilot review feedback on secrets scanning [SVLS-8660]
efbe64d 
- Fix .gitleaks.toml comment to reference correct `commits` key under [allowlist]
- Add `permissions: contents: read` to secrets-scan workflow job
- Enable `--redact` flag to prevent secret values appearing in CI logs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@litianningdatadog litianningdatadog force-pushed the tianning.li/SVLS-8660-gitleak branch from 72adf5b to efbe64d Compare March 27, 2026 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jchrostek-dd jchrostek-dd jchrostek-dd left review comments

@duncanista duncanista duncanista approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@litianningdatadog @duncanista @jchrostek-dd