feat(workflows): gitleaks-caller (Org-Rollout)#4
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5e56eec8b5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| jobs: | ||
| gitleaks: | ||
| name: gitleaks-scan | ||
| uses: Klangschalen/.github/.github/workflows/gitleaks-scan.yml@main |
There was a problem hiding this comment.
uses: Klangschalen/.github/.github/workflows/gitleaks-scan.yml@main references a mutable branch, so every run can execute different code than what was reviewed in this repo. Because this job also sets secrets: inherit, a compromised or force-updated main branch in the shared workflow repo could run with this repository’s inherited secrets and token scope. Pinning the reusable workflow to a full commit SHA makes runs reproducible and removes this supply-chain class of risk.
Useful? React with 👍 / 👎.
1 participant
Pilot war https://github.com/Klangschalen/security-scanner-laravel/pull/52. Caller laeuft jetzt org-weit.
fail-on-detection: falsefuer ersten Lauf - Findings warnen ohne zu blockieren. Nach History-Cleanup pro Repo auftruesetzen.SOTA: https://github.com/Klangschalen/claude-config/blob/master/docs/sota/gitleaks-installation-2026-05-24.md
🤖 Generated with Claude Code