feat(workflows): add gitleaks binary-based secret scanning as PR gate (#734)

## Description

This PR introduces **gitleaks** as a binary-based secret scanning gate
across both CI pipelines, complementing GitHub's native secret scanning
with a locally verified, SHA-pinned binary that produces SARIF output
for the Security tab.

> The branch addresses #260 by creating a reusable workflow that
downloads, verifies, and runs gitleaks as part of every PR validation
and main-branch push.

### Gitleaks Reusable Workflow

A new *gitleaks-scan.yml* reusable workflow was created with three
configurable inputs: `soft-fail`, `upload-sarif`, and `upload-artifact`.
The workflow downloads gitleaks **v8.30.0**, verifies the tarball
against a pinned SHA256 checksum, and runs a full-repository scan in git
mode. SARIF output at `logs/gitleaks-results.sarif` integrates with
GitHub's Security tab via `github/codeql-action/upload-sarif`.

- Exit code handling distinguishes clean scans (0), detected secrets (1,
respects `soft-fail`), and unexpected errors
- A `.gitleaksignore` file is respected when present for suppressing
known findings
- Job summary table displays scan status directly in the Actions UI
- All third-party actions are pinned to full SHA with version comments

### Pipeline Integration

Both *pr-validation.yml* and *main.yml* now call the reusable workflow
with `soft-fail: false` and `upload-sarif: true`. The PR pipeline
disables artifact upload to reduce storage noise, while the main
pipeline retains artifacts for 90 days. The main pipeline's aggregation
gate job depends on `gitleaks-scan` completing successfully.

### Threat Model Documentation

The security threat model was updated to reflect expanded coverage. VM-2
now references both GitHub native scanning and the gitleaks PR gate. The
workflow coverage table includes a new `main.yml` row and lists gitleaks
as a security check for both pipelines.

## Related Issue(s)

Closes #260

## Type of Change

Select all that apply:

**Code & Documentation:**

- [ ] Bug fix (non-breaking change fixing an issue)
- [x] New feature (non-breaking change adding functionality)
- [ ] Breaking change (fix or feature causing existing functionality to
change)
- [x] Documentation update

**Infrastructure & Configuration:**

- [x] GitHub Actions workflow
- [ ] Linting configuration (markdown, PowerShell, etc.)
- [ ] Security configuration
- [ ] DevContainer configuration
- [ ] Dependency update

**AI Artifacts:**

- [ ] Reviewed contribution with `prompt-builder` agent and addressed
all feedback
- [ ] Copilot instructions (`.github/instructions/*.instructions.md`)
- [ ] Copilot prompt (`.github/prompts/*.prompt.md`)
- [ ] Copilot agent (`.github/agents/*.agent.md`)
- [ ] Copilot skill (`.github/skills/*/SKILL.md`)

> **Note for AI Artifact Contributors**:
>
> - **Agents**: Research, indexing/referencing other project (using
standard VS Code GitHub Copilot/MCP tools), planning, and general
implementation agents likely already exist. Review `.github/agents/`
before creating new ones.
> - **Skills**: Must include both bash and PowerShell scripts. See
[Skills](../docs/contributing/skills.md).
> - **Model Versions**: Only contributions targeting the **latest
Anthropic and OpenAI models** will be accepted. Older model versions
(e.g., GPT-3.5, Claude 3) will be rejected.
> - See [Agents Not
Accepted](../docs/contributing/custom-agents.md#agents-not-accepted) and
[Model Version
Requirements](../docs/contributing/ai-artifacts-common.md#model-version-requirements).

**Other:**

- [ ] Script/automation (`.ps1`, `.sh`, `.py`)
- [ ] Other (please describe):

## Sample Prompts (for AI Artifact Contributions)

<!-- If you checked any boxes under "AI Artifacts" above, provide a
sample prompt showing how to use your contribution -->
<!-- Delete this section if not applicable -->

**User Request:**
<!-- What natural language request would trigger this
agent/prompt/instruction? -->

**Execution Flow:**
<!-- Step-by-step: what happens when invoked? Include tool usage,
decision points -->

**Output Artifacts:**
<!-- What files/content are created? Show first 10-20 lines as preview
-->

**Success Indicators:**
<!-- How does user know it worked correctly? What validation should they
perform? -->

For detailed contribution requirements, see:

- **Common Standards**:
[docs/contributing/ai-artifacts-common.md](../docs/contributing/ai-artifacts-common.md)
- Shared standards for XML blocks, markdown quality, RFC 2119,
validation, and testing
- **Agents**:
[docs/contributing/custom-agents.md](../docs/contributing/custom-agents.md)
- Agent configurations with tools and behavior patterns
- **Prompts**:
[docs/contributing/prompts.md](../docs/contributing/prompts.md) -
Workflow-specific guidance with template variables
- **Instructions**:
[docs/contributing/instructions.md](../docs/contributing/instructions.md)
- Technology-specific standards with glob patterns
- **Skills**:
[docs/contributing/skills.md](../docs/contributing/skills.md) - Task
execution utilities with cross-platform scripts

## Testing

### Automated Validations

<!-- Checkbox results populated after Step 7 validation run -->

| Command | Status |
|---------|--------|
| `npm run lint:md` | Passed |
| `npm run spell-check` | Passed |
| `npm run lint:frontmatter` | Passed |
| `npm run validate:skills` | Passed |
| `npm run lint:md-links` | Passed (12 pre-existing broken links in
unrelated files) |
| `npm run lint:ps` | Passed |
| `npm run lint:yaml` | Passed |
| `npm run lint:version-consistency` | Passed |
| `npm run plugin:generate` | Passed (no diff) |

### Diff-Based Assessment

- All third-party actions verified as SHA-pinned with version comments
- `persist-credentials: false` confirmed on checkout step
- Permissions scoped to minimum required (`contents: read`,
`security-events: write`)
- Binary download verified via SHA256 checksum before execution
- No secrets or sensitive data present in the diff

### Manual Testing

Manual testing was not performed. Workflow execution validates on PR
creation and main-branch push.

## Checklist

### Required Checks

- [x] Documentation is updated (if applicable)
- [x] Files follow existing naming conventions
- [x] Changes are backwards compatible (if applicable)
- [ ] Tests added for new functionality (N/A — GitHub Actions workflows
are validated by pipeline execution)

### AI Artifact Contributions
<!-- If contributing an agent, prompt, instruction, or skill, complete
these checks -->
- [ ] Used `/prompt-analyze` to review contribution
- [ ] Addressed all feedback from `prompt-builder` review
- [ ] Verified contribution follows common standards and type-specific
requirements

### Required Automated Checks

The following validation commands must pass before merging:

- [x] Markdown linting: `npm run lint:md`
- [x] Spell checking: `npm run spell-check`
- [x] Frontmatter validation: `npm run lint:frontmatter`
- [x] Skill structure validation: `npm run validate:skills`
- [x] Link validation: `npm run lint:md-links`
- [x] PowerShell analysis: `npm run lint:ps`
- [x] YAML/actionlint validation: `npm run lint:yaml`
- [x] Action version consistency: `npm run lint:version-consistency`
- [x] Plugin freshness: `npm run plugin:generate`

## Security Considerations
<!-- ⚠️ WARNING: Do not commit sensitive information such as API keys,
passwords, or personal data -->
- [x] This PR does not contain any sensitive or NDA information
- [ ] Any new dependencies have been reviewed for security issues (N/A —
no dependency changes)
- [ ] Security-related scripts follow the principle of least privilege
(N/A — no security scripts modified)

## Additional Notes

The gitleaks workflow respects a `.gitleaksignore` file when present,
allowing suppression of known findings. No `.gitleaksignore` currently
exists in the repository. If pre-existing secrets are detected during
the first pipeline run, create a `.gitleaksignore` at the repository
root with the finding fingerprints to suppress them.

---------

Co-authored-by: Bill Berry <wbery@microsoft.com>

Author: WilliamBerryiii

.github/workflows/gitleaks-scan.yml

@@ -0,0 +1,147 @@
+name: Gitleaks Secret Scan
+
+on:
+  workflow_call:
+    inputs:
+      soft-fail:
+        description: 'Whether to continue on secret detection'
+        required: false
+        type: boolean
+        default: false
+      upload-sarif:
+        description: 'Whether to upload SARIF results to Security tab'
+        required: false
+        type: boolean
+        default: false
+      upload-artifact:
+        description: 'Whether to upload results as artifact'
+        required: false
+        type: boolean
+        default: true
+      log-opts:
+        description: 'Extra git log options passed to gitleaks (e.g. a revision range to scope the scan)'
+        required: false
+        type: string
+        default: ''
+
+permissions:
+  contents: read
+
+jobs:
+  scan:
+    name: Gitleaks Secret Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Download and verify gitleaks
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          GITLEAKS_VERSION="8.30.0"
+          GITLEAKS_SHA256="79a3ab579b53f71efd634f3aaf7e04a0fa0cf206b7ed434638d1547a2470a66e"
+          GITLEAKS_URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          GITLEAKS_TARBALL="gitleaks.tar.gz"
+
+          echo "Downloading gitleaks v${GITLEAKS_VERSION}..."
+          curl -fsSL -o "${GITLEAKS_TARBALL}" "${GITLEAKS_URL}"
+
+          echo "Verifying SHA256 checksum..."
+          echo "${GITLEAKS_SHA256}  ${GITLEAKS_TARBALL}" | sha256sum -c -
+
+          echo "Extracting gitleaks binary..."
+          tar -xzf "${GITLEAKS_TARBALL}" gitleaks
+          chmod +x gitleaks
+
+          echo "Gitleaks version:"
+          ./gitleaks version
+
+      - name: Run gitleaks scan
+        id: gitleaks
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          mkdir -p logs
+
+          SCAN_ARGS=(
+            "git"
+            "--report-format" "sarif"
+            "--report-path" "logs/gitleaks-results.sarif"
+            "--redact"
+            "--log-level" "info"
+          )
+
+          LOG_OPTS="${{ inputs.log-opts }}"
+          if [ -n "$LOG_OPTS" ]; then
+            SCAN_ARGS+=("--log-opts=$LOG_OPTS")
+            echo "Scoping scan with log-opts: $LOG_OPTS"
+          fi
+
+          # Respect .gitleaksignore for pre-existing secrets
+          if [ -f ".gitleaksignore" ]; then
+            echo "Found .gitleaksignore — known secrets will be suppressed."
+          fi
+
+          echo "Running gitleaks scan..."
+          EXIT_CODE=0
+          ./gitleaks "${SCAN_ARGS[@]}" || EXIT_CODE=$?
+
+          if [ "$EXIT_CODE" -eq 0 ]; then
+            echo "No secrets detected."
+            echo "leaks-found=false" >> "$GITHUB_OUTPUT"
+          elif [ "$EXIT_CODE" -eq 1 ]; then
+            echo "::warning::Gitleaks detected secrets in the repository."
+            echo "leaks-found=true" >> "$GITHUB_OUTPUT"
+            if [ "${{ inputs.soft-fail }}" != "true" ]; then
+              echo "::error::Secret scanning failed. Review detected secrets in logs/gitleaks-results.sarif"
+              exit 1
+            fi
+          else
+            echo "::error::Gitleaks encountered an unexpected error (exit code: $EXIT_CODE)"
+            exit "$EXIT_CODE"
+          fi
+
+      - name: Upload SARIF to Security tab
+        if: inputs.upload-sarif && always()
+        uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0
+        with:
+          sarif_file: logs/gitleaks-results.sarif
+          category: gitleaks
+        continue-on-error: true
+
+      - name: Upload scan results
+        if: inputs.upload-artifact && always()
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4.4.3
+        with:
+          name: gitleaks-results
+          path: logs/gitleaks-results.sarif
+          retention-days: 90
+
+      - name: Add job summary
+        if: always()
+        shell: bash
+        run: |
+          LEAKS_FOUND="${{ steps.gitleaks.outputs.leaks-found }}"
+          if [ "$LEAKS_FOUND" = "true" ]; then
+            STATUS="⚠️ Secrets Detected"
+          else
+            STATUS="✅ No Secrets Found"
+          fi
+
+          cat >> "$GITHUB_STEP_SUMMARY" <<EOF
+          ## Gitleaks Secret Scan Results
+
+          | Metric | Value |
+          |--------|-------|
+          | Status | $STATUS |
+
+          EOF

.github/workflows/main.yml

@@ -51,6 +51,17 @@ jobs:
       upload-sarif: true
       upload-artifact: true
 
+  gitleaks-scan:
+    name: Gitleaks Secret Scan
+    uses: ./.github/workflows/gitleaks-scan.yml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      soft-fail: false
+      upload-sarif: true
+      upload-artifact: true
+
   pester-tests:
     name: PowerShell Tests
     uses: ./.github/workflows/pester-tests.yml
@@ -69,6 +80,7 @@ jobs:
       - markdown-lint
       - table-format
       - dependency-pinning-scan
+      - gitleaks-scan
       - pester-tests
     runs-on: ubuntu-latest
     outputs:

.github/workflows/pr-validation.yml

@@ -134,6 +134,18 @@ jobs:
       upload-sarif: true
       upload-artifact: false
 
+  gitleaks-scan:
+    name: Gitleaks Secret Scan
+    uses: ./.github/workflows/gitleaks-scan.yml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      soft-fail: false
+      upload-sarif: true
+      upload-artifact: false
+      log-opts: '${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}'
+
   npm-audit:
     name: npm Security Audit
     runs-on: ubuntu-latest

.gitleaksignore

@@ -0,0 +1,25 @@
+# False positives: fake GitHub PAT 'ghp_test123456789' used as test fixture data
+# in Pester security test files for SHA pinning and staleness validation.
+# Rule: generic-api-key
+
+# Test-SHAStaleness.Tests.ps1
+1c9634d8334ebe8e88513f9a531b49d03590c307:scripts/tests/security/Test-SHAStaleness.Tests.ps1:generic-api-key:33
+1c9634d8334ebe8e88513f9a531b49d03590c307:scripts/tests/security/Test-SHAStaleness.Tests.ps1:generic-api-key:38
+1c9634d8334ebe8e88513f9a531b49d03590c307:scripts/tests/security/Test-SHAStaleness.Tests.ps1:generic-api-key:55
+1c9634d8334ebe8e88513f9a531b49d03590c307:scripts/tests/security/Test-SHAStaleness.Tests.ps1:generic-api-key:105
+
+# Update-ActionSHAPinning.Tests.ps1
+1c9634d8334ebe8e88513f9a531b49d03590c307:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:60
+1c9634d8334ebe8e88513f9a531b49d03590c307:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:92
+1c9634d8334ebe8e88513f9a531b49d03590c307:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:143
+3a11b26086c43b9551e6a7b666ffb6aa5dd8a8d7:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:93
+3a11b26086c43b9551e6a7b666ffb6aa5dd8a8d7:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:127
+3a11b26086c43b9551e6a7b666ffb6aa5dd8a8d7:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:193
+4ef6d20475e42b753c29846aa28489843e70a8ed:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:256
+4ef6d20475e42b753c29846aa28489843e70a8ed:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:488
+a02335e7c98e5f2e22b1921442e99f01c6781a19:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:280
+a02335e7c98e5f2e22b1921442e99f01c6781a19:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:511
+f7c9b9a6f776e6403f393adf90a67127f3fc3405:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:791
+f7c9b9a6f776e6403f393adf90a67127f3fc3405:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:869
+6b84a8e49193d266411df9e4b8e8b1be2369eed2:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:792
+6b84a8e49193d266411df9e4b8e8b1be2369eed2:scripts/tests/security/Update-ActionSHAPinning.Tests.ps1:generic-api-key:874

docs/security/threat-model.md

@@ -723,11 +723,11 @@ These threats address ethical and responsible AI considerations aligned with Mic
 
 ### Vulnerability Management Controls
 
-| ID   | Control                         | Implementation             | Validates Against |
-|------|---------------------------------|----------------------------|-------------------|
-| VM-1 | Coordinated Disclosure          | SECURITY.md                | I-1               |
-| VM-2 | Secret Scanning                 | GitHub native              | I-1, I-2          |
-| VM-3 | Credential Persistence Disabled | persist-credentials: false | I-1, E-1          |
+| ID   | Control                         | Implementation                                      | Validates Against |
+|------|---------------------------------|-----------------------------------------------------|-------------------|
+| VM-1 | Coordinated Disclosure          | SECURITY.md                                         | I-1               |
+| VM-2 | Secret Scanning                 | GitHub native, gitleaks PR gate (gitleaks-scan.yml) | I-1, I-2          |
+| VM-3 | Credential Persistence Disabled | persist-credentials: false                          | I-1, E-1          |
 
 ## Assurance Argument
 
@@ -863,12 +863,13 @@ HVE Core documents integrations with Model Context Protocol servers. This sectio
 
 ### Validation Workflow Coverage
 
-| Workflow                        | Trigger            | Security Checks            |
-|---------------------------------|--------------------|----------------------------|
-| pr-validation.yml               | PR to main/develop | Pinning, npm audit, CodeQL |
-| codeql-analysis.yml             | Push, PR, weekly   | Static analysis            |
-| dependency-review.yml           | PR to main/develop | Vulnerability scanning     |
-| weekly-security-maintenance.yml | Sundays 2 AM UTC   | Pinning, staleness, CodeQL |
+| Workflow                        | Trigger            | Security Checks                      |
+|---------------------------------|--------------------|--------------------------------------|
+| pr-validation.yml               | PR to main/develop | Pinning, npm audit, CodeQL, gitleaks |
+| main.yml                        | Push to main       | Pinning, gitleaks                    |
+| codeql-analysis.yml             | Push, PR, weekly   | Static analysis                      |
+| dependency-review.yml           | PR to main/develop | Vulnerability scanning               |
+| weekly-security-maintenance.yml | Sundays 2 AM UTC   | Pinning, staleness, CodeQL           |
 
 ## References