This repository contains organization-wide defaults for all Schedule-Key repos.
Every repo in the Schedule-Key org uses Gitleaks to scan for hardcoded secrets (API keys, passwords, tokens).
How it works:
- Runs on every pull request and push to main branches (main, master, beta, development, dev)
- Downloads the official gitleaks binary from gitleaks/gitleaks releases
- PRs: scans only the commits in the PR
- Pushes: scans the latest commit
- If secrets are found, the check fails and you get an email notification
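The commit-range logic described above, as an added example of what the workflow's scan step can look like (this is illustrative code, not the org's own `gitleaks.yml`). It assumes the step runs with `fetch-depth: 0` on the checkout, that the workflow exports the PR base SHA as `PR_BASE_SHA` via `env: PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}`, and that the pinned version and release asset name (`gitleaks_<ver>_linux_x64.tar.gz`) match the current gitleaks releases page:

```shell
#!/bin/sh
# Added example: the "run" step of a gitleaks scan job. Not the org's actual
# workflow. The only inputs are environment variables the Actions runner sets
# (GITHUB_EVENT_NAME, GITHUB_SHA, GITHUB_ACTIONS) plus PR_BASE_SHA from the
# workflow's env block.
set -eu

# Assumed pin; keep it in sync with https://github.com/gitleaks/gitleaks/releases
GITLEAKS_VERSION="${GITLEAKS_VERSION:-8.18.4}"

# compute_log_opts EVENT BASE_SHA HEAD_SHA
# Prints the `git log` options gitleaks should scan with:
#  - pull_request: only the commits between the PR base and head (base..head)
#  - push (or anything else): only the single pushed commit
# gitleaks passes --log-opts straight to `git log -p`, so a plain range works.
compute_log_opts() {
  event="$1"; base="$2"; head="$3"
  case "$event" in
    pull_request) printf '%s' "${base}..${head}" ;;
    *)            printf '%s' "-n 1 ${head}" ;;
  esac
}

# install_gitleaks DIR
# Downloads the pinned official release tarball and unpacks the binary into DIR.
# Asset name is an assumption based on the goreleaser naming used by the project.
install_gitleaks() {
  dir="$1"
  url="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
  curl -fsSL "$url" | tar -xz -C "$dir" gitleaks
}

main() {
  bindir="$(mktemp -d)"
  install_gitleaks "$bindir"
  opts="$(compute_log_opts "$GITHUB_EVENT_NAME" "${PR_BASE_SHA:-}" "$GITHUB_SHA")"
  # --redact keeps the matched secret out of the job log; a non-zero exit fails the check.
  "$bindir/gitleaks" detect --source . --no-banner --redact --verbose --log-opts="$opts"
}

# Only perform the scan when executed as a workflow step on an Actions runner.
if [ -n "${GITHUB_ACTIONS:-}" ]; then
  main
fi
```

Scanning only `base..head` on a PR is what keeps the check fast, but it also means a secret that was committed and removed before the PR was opened is reported only if the bad commit is inside that range; a periodic full-history `gitleaks detect` without `--log-opts` is the complement to this.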
To add it to a new repo:

1. Copy the workflow file from `workflow-templates/gitleaks.yml` to your new repo at `.github/workflows/gitleaks.yml`, or use the GitHub UI: go to your repo > Actions > "New workflow" > find "Gitleaks Secret Scanning" in the org templates.
2. Push to all branches that need protection (master, beta, development, etc.).
3. That is it. No license key, no secrets, no configuration needed.
If gitleaks catches something:
| Finding | Fix |
|---|---|
| Real secret | Rotate immediately, remove from code, use environment variables |
| False positive (one line) | Add a `# gitleaks:allow` comment on the line |
| False positive (specific finding) | Add the fingerprint from the finding report to `.gitleaksignore` in the repo root |
| False positive (pattern) | Add an allowlist rule to `.gitleaks.toml` in the repo root |
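An example of the pattern-level allowlist from the last table row. This is an added illustration, not a config shipped by the org; the paths and the placeholder string are assumptions for the sake of the example. The `[extend]` block is the part people most often forget: without it the file replaces the built-in rule set instead of adding to it, and the scan silently stops detecting real secrets.

```toml
# .gitleaks.toml at the repo root. Added example, not the org's own config.
title = "Repo-specific allowlist"

# Keep every rule from the default gitleaks config. Without this block the
# file REPLACES the defaults and the scan would detect almost nothing.
[extend]
useDefault = true

[allowlist]
description = "Known non-secret matches in this repo"
# Paths whose contents are never real credentials (assumed layout:
# test fixtures and lockfiles). Patterns are Go regexes matched against the path.
paths = [
  '''^tests/fixtures/.*''',
  '''(^|/)package-lock\.json$''',
]
# Specific strings that trip high-entropy rules but are not credentials.
# Keep these narrow: a broad regex here turns off detection for everyone.
regexes = [
  '''EXAMPLE_PLACEHOLDER_KEY_DO_NOT_USE''',
]
```

Prefer the narrowest fix that works: a `# gitleaks:allow` comment for one line, a fingerprint in `.gitleaksignore` for one finding, and an allowlist regex or path only when the same false positive recurs across the repo. Review `.gitleaks.toml` changes in PRs like any other security control, since a single `.*` in `regexes` disables scanning entirely.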
All developers should install gitleaks locally for pre-commit scanning:
Install it with `brew install gitleaks`. The global pre-commit hook at `~/.git-hooks/pre-commit` automatically runs `gitleaks protect --staged` before every commit.
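A global pre-commit hook of the kind described above, as an added example (not the org's own hook script). It assumes `core.hooksPath` is pointed at `~/.git-hooks`, and it fails closed when gitleaks is not installed rather than silently skipping the check:

```shell
#!/bin/sh
# ~/.git-hooks/pre-commit  (added example, not the org's own hook)
# Enable once per machine with:
#   git config --global core.hooksPath ~/.git-hooks

# run_staged_scan [GITLEAKS_BIN]
# Scans only the staged changes. Return codes:
#   0  no leaks found, commit proceeds
#   1  gitleaks reported a possible secret, commit is blocked
#   2  gitleaks is not installed; block the commit instead of skipping the scan
# GITLEAKS_BIN defaults to "gitleaks" and exists only so the function can be tested.
run_staged_scan() {
  bin="${1:-gitleaks}"
  if ! command -v "$bin" >/dev/null 2>&1; then
    echo "pre-commit: gitleaks not found; install with 'brew install gitleaks'" >&2
    return 2
  fi
  # --redact keeps the matched value out of the terminal and shell history.
  if "$bin" protect --staged --redact --no-banner; then
    return 0
  fi
  echo "pre-commit: possible secret in staged changes; commit blocked" >&2
  return 1
}

# Only run the scan when git invokes this file as the pre-commit hook.
case "$0" in
  */pre-commit) run_staged_scan; exit $? ;;
esac
```

Because the hook lives outside any repository, it applies to every clone on the machine, including repos that have not yet adopted the workflow. The CI check remains the authoritative gate: local hooks are easy to bypass with `--no-verify`, so treat this as early feedback, not enforcement.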
Each repo has detailed docs at docs/SECURITY_SCANNING.md.
The public-facing org profile is in profile/README.md.