Add secret detection with git hooks #3
Implement comprehensive secret detection to prevent accidental commits of sensitive information (API keys, passwords, tokens, etc.).

Changes:
- Add gitleaks, trufflehog, and lefthook to mise.toml
- Configure lefthook for git hooks management (lefthook.yml)
- Add gitleaks configuration (.gitleaks.toml)
- Add trufflehog configuration (.trufflehog.yaml)
- Create setup script (bin/01-setup-git-hooks.sh)
- Add mise task for git hooks setup (mise run setup-git-hooks)
- Add comprehensive security documentation (SECURITY.md)

The implementation uses:
- Lefthook: Fast git hooks manager (BASH-friendly)
- Gitleaks: Fast regex-based secret scanner
- TruffleHog: Deep scanner with entropy analysis and verification

Git hooks run automatically on:
- pre-commit: Scan staged files before commit
- pre-push: Scan commits before push (safety net)

Setup: mise install && mise run setup-git-hooks

See SECURITY.md for full documentation.
Implement automated secret detection at the CI level to ensure secrets cannot bypass local git hooks and reach the repository.

Changes:
- Add GitHub Actions workflow for secret detection (.github/workflows/secret-detection.yml)
- Configure Gitleaks and TruffleHog jobs for parallel scanning
- Upload Gitleaks results to GitHub Security tab (SARIF)
- Post automated PR comments with scan results and action items
- Update existing comments instead of creating duplicates
- Fail builds when secrets are detected (blocks merging)

CI Features:
- Runs on all PRs and pushes to main/master/develop/release branches
- Cannot be bypassed (unlike local hooks)
- Uses same configurations as local hooks (.gitleaks.toml, .trufflehog.yaml)
- Provides clear feedback with emojis and tables
- Links to SECURITY.md for guidance

Documentation:
- Update SECURITY.md with comprehensive CI integration section
- Document CI workflows, triggers, and permissions
- Add viewing results guide (PR comments, Security tab, logs)
- Update best practices to include CI monitoring
- Create .github/workflows/README.md with workflow documentation

This ensures multi-layered protection:
1. Local git hooks (pre-commit, pre-push)
2. CI/CD checks (cannot be bypassed)
3. GitHub Security tab for tracking and monitoring
🔒 Secret Detection Report

Status: ✅ Passed

No secrets detected in your changes.

Scan Results
✅ All Clear! No secrets detected in your changes. Great job maintaining security! 🎉

🤖 Automated security scan powered by Gitleaks and TruffleHog
The TruffleHog GitHub Action automatically adds the --fail flag, causing a "flag 'fail' cannot be repeated" error when we also specify it in extra_args.

Changes:
- Remove --fail from extra_args (action adds it automatically)
- Remove --config flag (may not work with action's container setup)
- Keep --only-verified and --no-update flags
- Add comment explaining --fail is automatic

The workflow will still fail on detected secrets as intended, but without the duplicate flag error.
Fix configuration error in .gitleaks.toml that was causing CI failure:
'Allowlist.RegexTarget' expected type 'string', got unconvertible type 'map[string]interface {}'
Changes:
- Move age public key pattern to main [allowlist] regexes array
- Remove incorrect [allowlist.regexTarget] section
- Add comment explaining age public keys are safe to allowlist
The regexTarget subsection was using incorrect TOML syntax.
Gitleaks expects allowlist regexes to be directly under [allowlist],
not under a regexTarget subsection with its own regexes key.
This fixes the gitleaks CI job that was failing to parse the config.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Suppress generic-api-key false positive in SECURITY.md line 109 which is just a markdown heading, not an actual secret.
The TruffleHog action automatically adds the --no-update flag, so passing it in extra_args causes a 'flag cannot be repeated' error.
Include the commit SHA (short form with link) in the secret detection PR comment for better traceability, similar to CI cost estimations.
Use context.payload.pull_request.head.sha to get the actual commit on the PR branch, not the temporary merge commit that GitHub creates.