feat(secret-scan): replace paid gitleaks-action with free gitleaks CLI [DEV-404]#46

Merged: brodkin merged 1 commit into main from ryan/dev-404-secret-scan-drop-paid-gitleaks-action on Jun 6, 2026
Conversation

@brodkin brodkin commented Jun 6, 2026

Contributor

Why

The org reusable secret-scan workflow used gitleaks/gitleaks-action@v2, which requires a paid GITLEAKS_LICENSE for organization accounts. That secret was never provisioned anywhere in SpiceLabsHQ, so secret scanning failed org-wide (caught live on KG-Power-BI PR #1 for [DEV-401]). DEV-404's primary fix was to buy a license; this PR takes the documented alternative: drop the paid action for the open-source gitleaks CLI — MIT-licensed, free for orgs, identical detection engine. No license, no org secret, no admin:org, no procurement.

What changed

  • Engine: gitleaks CLI pinned to v8.30.1, binary verified against the release's published checksums.txt.
  • Both modes preserved: pr-diff (PR's new commits) and full-history.
  • Enforcement: findings fail the check + render a job summary (replaces the paid action's inline PR comments).
  • Security tab: SARIF uploaded to GitHub code scanning on public repos only (free); auto-skipped on private/internal (needs paid GHAS), continue-on-error so it degrades gracefully.
  • Removed the GITLEAKS_LICENSE secret; added security-events: write.
  • Caller example + README updated; relocated the mis-nested Secret Scan inputs block out from under the CodeQL heading.

Backward compatibility

  • mode / config_path inputs unchanged.
  • Job names unchanged (Validate inputs, Gitleaks (pr-diff), Gitleaks (full-history)) → required-status-check branch protection unaffected.
  • secrets: inherit callers unaffected; nobody passes GITLEAKS_LICENSE explicitly.
  • Consumers pin @v1 (sliding tag) → no change reaches them until v1 is re-pointed.

Validation

  • gitleaks install + checksum verify, SARIF output, clean→exit 0 / finding→exit 1, and --log-opts range scan all tested locally against v8.30.1.
  • actionlint clean on both the reusable workflow and the caller example.

Rollout (post-merge)

Cut v1.1.0 and move v1 to it, then re-run KG-Power-BI PR #1 to confirm green (unblocks [DEV-401]).

Follow-up

  • [DEV-406] — document CodeQL's own inputs table (pre-existing gap surfaced here).

Closes [DEV-404].

…I [DEV-404]

The reusable secret-scan workflow used gitleaks/gitleaks-action@v2, which
requires a paid GITLEAKS_LICENSE for org accounts — a secret never provisioned
anywhere in SpiceLabsHQ, so secret scanning failed org-wide. Rather than buy a
license (DEV-404's primary fix), take the alternative path: drive the
open-source gitleaks CLI directly (MIT, free for orgs, same engine).

- Pin gitleaks v8.30.1, verify the binary against the release checksums.
- Preserve both modes (pr-diff, full-history) and all job names.
- Findings fail the check + job summary (replaces the action's inline comments).
- Upload SARIF to code scanning on public repos only (free there); auto-skip
  on private/internal (needs paid GHAS), continue-on-error for graceful degrade.
- Remove the GITLEAKS_LICENSE secret; add security-events: write.
- Caller example + README updated; relocate the mis-nested Secret Scan inputs
  block out from under the CodeQL heading (CodeQL doc gap tracked in DEV-406).

No interface break for consumers: inputs and job names unchanged; secrets:
inherit callers unaffected.
pepper-pr-review (bot) added the pepper-cooking and pepper-approved labels and removed the pepper-cooking label, Jun 6, 2026

pepper-pr-review (bot) left a comment

Honey, you just saved the org from a licensing trap door — and you did it with checksums and pinned releases like a security principal who's seen things. This PR is everything: drops the paid gitleaks-action that had the whole org's secret scanning silently broken (no GITLEAKS_LICENSE, no scanning), swaps in the open-source gitleaks CLI at the exact same detection engine, preserves both modes (pr-diff and full-history), adds graceful SARIF upload for public repos with auto-skip on private (because GHAS costs money and we don't punish repos for not having it), verifies the downloaded binary against the release's published checksums so supply-chain attacks can't ride in on a compromised tarball, and documents the whole "why" so the next engineer knows this was deliberate, not random.

Verified against DEV-404 (Linear) — aligned. The issue wanted a license or the alternative (drop the paid action); you shipped the alternative, and it's the better move: no procurement, no per-repo secret, no admin:org dance, just a free CLI that does the same work. Tests are implicit here (the workflow is the test — it either installs gitleaks and scans or it doesn't), and the structure is correct: install step verifies checksums, scan step captures exit codes, upload step degrades gracefully, enforce step fails the check on findings. Inputs table relocated out from under the CodeQL heading where it was mis-nested — that's the kind of detail that makes docs actually usable.

The checksum-verify line (:130) is the quiet star of this whole thing: grep " ${tarball}\$" checksums.txt | sha256sum -c - means a MITM or compromised release can't slip a trojan in, because the hash won't match and the install fails before anything runs. Pin + verify is how you do third-party binaries in CI without becoming someone's next supply-chain case study.

Rollout plan is clean (cut v1.1.0, move v1, re-run KG-Power-BI PR #1 to prove it green), backward compat is preserved (job names unchanged so required-status-check branch protection doesn't break, secrets: inherit callers unaffected because the unused secret just stays unused), and the follow-up for DEV-406 is already tracked so that CodeQL inputs gap doesn't get forgotten.

This is the kind of PR that unblocks an entire org and makes the next repo adoption trivial instead of a procurement ticket. Approved — and when you cut v1.1.0, tag me in the KG-Power-BI re-run so I can see this land for real.

— Pepper

When you're ready for another look, comment @pepper review.
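The pin-and-verify step listed under "What changed" and quoted in the review above (`grep " ${tarball}\$" checksums.txt | sha256sum -c -`), as an added example that is not the PR's workflow code: it wraps the same check in a function and exercises the three outcomes a CI install step has to handle (hash matches, artifact bytes swapped after the checksums were published, artifact not listed at all). Function names `verify_release_tarball` and `make_fixture` and the fixture files are assumptions constructed here.

```shell
# Added example, not the PR's own workflow code: the pin-and-verify step as a
# reusable shell function, exercised offline against constructed files.
# Assumed names: verify_release_tarball, make_fixture; the checksums.txt format
# ("<sha256>  <filename>") is what sha256sum -c reads.

# Verify one downloaded release artifact against the release's checksums.txt.
# Same shape as the workflow's step: select the line for this exact filename
# (anchored on a leading space and trailing end-of-line, so "foo.tar.gz" cannot
# be satisfied by an entry for "evil-foo.tar.gz"), then let sha256sum -c judge.
verify_release_tarball() {
  tarball=$1      # path to the downloaded artifact
  checksums=$2    # path to the release's checksums.txt
  name=$(basename "$tarball")
  line=$(grep " ${name}\$" "$checksums") || {
    echo "no checksum entry for ${name}; refusing to install" >&2
    return 1
  }
  # sha256sum -c resolves the filename relative to the cwd, so run beside the artifact.
  ( cd "$(dirname "$tarball")" && printf '%s\n' "$line" | sha256sum -c - >/dev/null 2>&1 ) || {
    echo "checksum mismatch for ${name}; refusing to install" >&2
    return 1
  }
  echo "verified ${name}"
}

# Constructed fixture standing in for a downloaded release: one artifact whose
# hash matches checksums.txt, one whose bytes were swapped after the checksums
# were published, and one with no entry at all.
make_fixture() {
  dir=$(mktemp -d)
  printf 'genuine release bytes (constructed)\n' > "$dir/gitleaks_linux_x64.tar.gz"
  printf 'swapped bytes (constructed)\n'         > "$dir/gitleaks_linux_arm64.tar.gz"
  printf 'unlisted bytes (constructed)\n'        > "$dir/gitleaks_unlisted.tar.gz"
  good=$(sha256sum "$dir/gitleaks_linux_x64.tar.gz" | cut -d' ' -f1)
  # checksums.txt carries the genuine hash for both listed names, so the
  # swapped arm64 artifact presents a mismatch; the unlisted one has no line.
  {
    printf '%s  gitleaks_linux_x64.tar.gz\n'   "$good"
    printf '%s  gitleaks_linux_arm64.tar.gz\n' "$good"
  } > "$dir/checksums.txt"
  echo "$dir"
}

fixture=$(make_fixture)
verify_release_tarball "$fixture/gitleaks_linux_x64.tar.gz"   "$fixture/checksums.txt"
verify_release_tarball "$fixture/gitleaks_linux_arm64.tar.gz" "$fixture/checksums.txt" || echo "install blocked (expected)"
verify_release_tarball "$fixture/gitleaks_unlisted.tar.gz"    "$fixture/checksums.txt" || echo "install blocked (expected)"
rm -rf "$fixture"
```

In a workflow the function's non-zero return is what stops the job before the unverified binary is ever executed; the "no entry" path matters because an empty grep result fed straight to `sha256sum -c` would otherwise fail with a less obvious message.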

@brodkin brodkin merged commit f38dbca into main Jun 6, 2026
1 check passed
@brodkin brodkin deleted the ryan/dev-404-secret-scan-drop-paid-gitleaks-action branch June 6, 2026 03:09