
Add Gitleaks secret scanning to CI pipeline #2

Merged
teomarcdhio merged 3 commits into main from copilot/add-gitleaks-secret-scanning
Jan 25, 2026

Conversation

Contributor

Copilot AI commented Jan 24, 2026

Implements automated credential detection on all pushes and PRs to prevent hardcoded secrets from entering the codebase.

Implementation

  • .github/workflows/secret-scanning.yml: GitHub Actions workflow using gitleaks/gitleaks-action@v2

    • Triggers on push and PR to all branches (branches: ['**'])
    • Least-privilege permissions (contents: read)
    • Full git history scan (fetch-depth: 0)
    • Build fails on detection
  • .gitleaks.toml: Configuration extending default Gitleaks rules

    • Detects API keys, tokens, passwords, private keys across all file types (Python, YAML, Bash, Kubernetes, Ansible, etc.)
    • Allowlist support for managing false positives (by path, regex, commit, stopword)
  • .github/SECRET_SCANNING.md: Documentation covering detected secret types, remediation procedures, and local testing setup

Workflow Behavior

When secrets are detected, users must either remove and rotate the credential, or add it to the allowlist if it is a false positive.

Original prompt

This section details the original issue you should resolve

<issue_title>Add Gitleaks secret scanning to CI pipeline</issue_title>
<issue_description>Implements automated credential detection on every push and PR to prevent hardcoded secrets from entering the codebase.

Changes
.github/workflows/secret-scanning.yml: GitHub Action workflow using Gitleaks v2 to scan for API keys, tokens, passwords, private keys, and other credentials across all file types (Python, Bash, JavaScript, YAML, Kubernetes manifests, Ansible playbooks, etc.)

.gitleaks.toml: Configuration file extending default Gitleaks rules with allowlist support for managing false positives

.github/SECRET_SCANNING.md: Documentation covering detected secret types, trigger conditions, remediation steps, and local testing

Behavior
Workflow fails the build when secrets are detected. Users must either remove the credential and rotate it, or add it to the allowlist if it's a false positive.

Example trigger configuration

on:
  push:
    branches: ['**']
  pull_request:
    branches: ['**']

Permissions follow least-privilege principle (contents: read only).</issue_description>

Comments on the Issue (you are @copilot in this section)
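The workflow the description above outlines, written out as an added example; this is a reconstruction, not the file merged in this PR. It assumes actions/checkout@v4 for the clone step and that the action reads GITHUB_TOKEN and (for organization accounts only) GITLEAKS_LICENSE from its environment; the allowlist lives in a .gitleaks.toml at the repository root, which the action picks up on its own.

```yaml
# .github/workflows/secret-scanning.yml (reconstructed example, not the merged file)
name: Secret scanning

# Every push and every pull request, on any branch name.
on:
  push:
    branches: ['**']
  pull_request:
    branches: ['**']

# Least privilege: the job only needs to read repository contents.
# With no write scopes, a compromised step cannot push code, open PRs
# or alter checks using the job token.
permissions:
  contents: read

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The default checkout is shallow (fetch-depth: 1) and would scan
          # only the tip commit. A secret committed and then removed in an
          # earlier commit of the same push would slip through unseen, so
          # the full history is fetched.
          fetch-depth: 0

      # Exits non-zero when a finding is not covered by the allowlist,
      # which fails the job and blocks the merge.
      - uses: gitleaks/gitleaks-action@v2
        env:
          # Lets the action report findings on the PR / commit.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Assumption: only needed for repositories owned by an
          # organization account; omit this line for personal accounts.
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
```

A finding that is a true positive still has to be rotated: removing it in a later commit leaves the value in history, which this full-history scan will keep flagging until the credential is revoked or the commit is allowlisted.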


✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 2 commits January 24, 2026 17:20
Co-authored-by: teomarcdhio <11707080+teomarcdhio@users.noreply.github.com>
Co-authored-by: teomarcdhio <11707080+teomarcdhio@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Gitleaks secret scanning to CI pipeline Add Gitleaks secret scanning to CI pipeline Jan 24, 2026
Copilot AI requested a review from teomarcdhio January 24, 2026 17:23
@teomarcdhio teomarcdhio marked this pull request as ready for review January 25, 2026 14:02
@teomarcdhio teomarcdhio merged commit 1ef5ae9 into main Jan 25, 2026
1 of 2 checks passed
@teomarcdhio teomarcdhio deleted the copilot/add-gitleaks-secret-scanning branch January 25, 2026 14:03

Development

Successfully merging this pull request may close these issues.

Add Gitleaks secret scanning to CI pipeline

2 participants