ci: add secret-scan (gitleaks) job to satisfy push-protection compliance

[don-petry]

Summary

• Adds the required secret-scan job to ci.yml per the push-protection standard
• Addresses the secret_scan_ci_job_present compliance check (severity: error)
• Uses full-history checkout (fetch-depth: 0), --redact to protect logs, and --exit-code 1 to fail on any finding
• Both actions pinned to commit SHAs per Action Pinning Policy

Notes on security_and_analysis_unavailable

The compliance audit reports this because the audit token lacks admin scope to read the repo's security_and_analysis settings. Those settings (secret scanning, push protection, Dependabot security updates) need to be enabled by a repo/org admin via the GitHub UI or API. The code-side contribution we can make is ensuring the CI layer (gitleaks) is in place — which this PR delivers.

Closes #95

Generated with Claude Code

[coderabbitai]

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 54 minutes and 21 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c59ac669-64b0-4e9c-86a0-3919f204db63

📥 Commits

Reviewing files that changed from the base of the PR and between d8da2d2 and abb58a9.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• .gitignore
• .gitleaks.toml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-95-20260414-1303

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

@don-petry This PR adds the required secret-scan (gitleaks) job to ci.yml to address the push-protection compliance finding. Please review and merge when CI is green.

[Copilot]

Pull request overview

Adds a CI “secondary defense” secret-scanning layer by introducing a dedicated secret-scan job (Gitleaks) into the main CI workflow, aligning the repo with the push-protection standard and addressing the secret_scan_ci_job_present compliance check.

Changes:

• Adds a new secret-scan job to .github/workflows/ci.yml that runs Gitleaks and fails the workflow on findings.
• Uses full-history checkout (fetch-depth: 0) and passes --redact to reduce risk of secret exposure in logs.
• Pins both actions/checkout and gitleaks/gitleaks-action to specific commit SHAs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[don-petry]

Outdated review (superseded by re-review at 8f633149a01a1acef2365b0ff1ccc40e1ccda2d2) — click to expand.

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

• [major] .github/workflows/ci.yml — gitleaks-action v2 (SHA ff98106e4c7b2bc287b24eaf42907196329070c7) does NOT accept an args input. Runner logs show: ##[warning]Unexpected input(s) 'args', valid inputs are ['']. This means --redact, --verbose, and --exit-code 1 are all silently ignored. The PR description claims the --redact flag protects logs and --exit-code 1 fails the build on findings — neither claim is currently true. Fix: either switch to a version of the action that supports these flags, invoke the gitleaks binary directly, or use gitleaks-action v1 which accepts args differently.

• [major] .github/workflows/ci.yml — The "Secret scan (gitleaks)" check fails with 🛑 missing gitleaks license. Go grab one at gitleaks.io and store it as a GitHub Secret named GITLEAKS_LICENSE. gitleaks-action v2 requires a commercial license for GitHub organizations. Until a GITLEAKS_LICENSE secret is added, this job will always fail — the action never scans anything. Options: (1) purchase a license and add GITLEAKS_LICENSE secret; (2) replace with the self-hosted gitleaks binary (free) invoked from a shell step; (3) use an alternative like trufflehog.

• [minor] .github/workflows/ci.yml — gitleaks-action v2 phones home to gitleaks.io for license validation on every run, extending the supply-chain trust boundary with a runtime dependency on a third-party licensing service. Consider replacing with a direct invocation of the gitleaks OSS binary (no phone-home, MIT-licensed).

• [minor] .github/workflows/ci.yml — Job grants security-events: write but the current invocation does not upload SARIF (no upload step; the args input is ignored so no SARIF would be produced regardless). Drop security-events: write until SARIF upload is actually wired up.

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on main if the branch is behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[github-actions]

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease

[don-petry]

CI fix: replaced gitleaks/gitleaks-action with direct CLI install

The Secret scan (gitleaks) job was failing with:

[petry-projects] is an organization. License key is required.

gitleaks/gitleaks-action requires a paid license for GitHub org repos. This commit replaces it with a direct CLI install approach that:

• Downloads gitleaks v8.30.1 binary via wget
• Verifies the download with sha256sum
• Runs gitleaks detect directly (no license needed)

Also removed the now-unnecessary security-events: write permission from the job.

[sonarqubecloud]

❌ The last analysis has failed.

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[don-petry]

@dev-lead - please fix this PR

[don-petry]

Dev-Lead — review-changes (applied)

Changes committed and pushed.

[don-petry]

Dev-Lead — review-changes (applied)

Changes committed and pushed.

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push