d941634
fix(compliance): add gitleaks secret-scan job and pin rust-toolchain SHA
github-actions[bot] May 11, 2026
33616ce
fix(ci): add GITLEAKS_LICENSE env var to secret-scan job
github-actions[bot] May 11, 2026
4ba2436
Merge branch 'main' into claude/issue-241-20260511-1243
github-actions[bot] May 13, 2026
ee01ab7
Merge branch 'main' into claude/issue-241-20260511-1243
donpetry-bot May 14, 2026
eaca464
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 14, 2026
31fc75a
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 14, 2026
2acf728
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 15, 2026
6f7b114
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 15, 2026
5c710d9
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 16, 2026
477ead0
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 16, 2026
3098492
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 16, 2026
885796a
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 16, 2026
23070b6
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 16, 2026
3ebc982
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
7fa71b3
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
0e38ea3
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
19bbf04
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
77fb008
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
6652f0a
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
f42a46f
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
5a6e5b9
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
649c53f
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
1cb4f1c
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
bfac690
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
4a914f7
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
6b92479
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 17, 2026
17a635d
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 18, 2026
adcc50f
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 19, 2026
0f65673
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 19, 2026
5d19d98
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 20, 2026
462707a
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 21, 2026
555d00b
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 21, 2026
7eb40c3
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 21, 2026
9c49cc8
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 21, 2026
a23e874
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 21, 2026
aa0dac4
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 24, 2026
f1b63b8
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 24, 2026
75011ea
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 24, 2026
4abf432
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 24, 2026
ab13680
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 26, 2026
bf0f69b
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 31, 2026
b3f4266
Merge branch 'main' into claude/issue-241-20260511-1243
don-petry May 31, 2026
20 changes: 20 additions & 0 deletions .github/workflows/ci.yml
@@ -80,6 +80,26 @@ jobs:
echo "No shell scripts found — skipping"
fi

secret-scan:
name: Secret scan (gitleaks)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout (full history)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0

- name: Run gitleaks
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
with:
args: detect --source . --redact --verbose --exit-code 1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
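Review bot: the `with: args:` entry on the "Run gitleaks" step is the only place `--redact`, `--verbose` and `--exit-code 1` are passed, yet nothing in this hunk shows the pinned action declaring an `args` input; the runner treats an undeclared `with:` key as a warning rather than an error, so if the action has no such input the flags are dropped and the job still goes green with the action's defaults. Confirm against `action.yml` at the pinned SHA (the thread on these lines reports it has no `inputs:` section at all) and, if that holds, move the configuration into the `env:` block next to `GITHUB_TOKEN` and `GITLEAKS_LICENSE`, including `GITLEAKS_CONFIG: .gitleaks.toml` so the repo's allowlist is actually loaded. Also worth a comment on the step that `fetch-depth: 0` makes this a full-history scan: a historical finding that is not allowlisted will fail every run of this job, not just the PR that introduced it.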
Comment on lines +95 to +101
coderabbitai[bot] marked this conversation as resolved.
⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 1) Confirm gitleaks-action v2.3.9 has no `args` input.
curl -sSL "https://raw.githubusercontent.com/gitleaks/gitleaks-action/ff98106e4c7b2bc287b24eaf42907196329070c7/action.yml"

# 2) Check whether a .gitleaks.toml (or gitleaks.toml) is committed.
fd -HI -t f -a 'gitleaks\.toml$'

Repository: petry-projects/.github

Length of output: 609


🏁 Script executed:

#!/bin/bash
# Fetch the full action.yml and search for inputs section
curl -sSL "https://raw.githubusercontent.com/gitleaks/gitleaks-action/ff98106e4c7b2bc287b24eaf42907196329070c7/action.yml" | head -100

Repository: petry-projects/.github

Length of output: 575


🏁 Script executed:

#!/bin/bash
# Fetch the full action.yml without truncation
curl -sSL "https://raw.githubusercontent.com/gitleaks/gitleaks-action/ff98106e4c7b2bc287b24eaf42907196329070c7/action.yml"

Repository: petry-projects/.github

Length of output: 575


🏁 Script executed:

#!/bin/bash
# Check if action.yml contains an inputs section
curl -sSL "https://raw.githubusercontent.com/gitleaks/gitleaks-action/ff98106e4c7b2bc287b24eaf42907196329070c7/action.yml" | grep -i "inputs"

Repository: petry-projects/.github

Length of output: 48


🏁 Script executed:

#!/bin/bash
# Check the README for the action to confirm config file behavior
curl -sSL "https://raw.githubusercontent.com/gitleaks/gitleaks-action/ff98106e4c7b2bc287b24eaf42907196329070c7/README.md" | head -150

Repository: petry-projects/.github

Length of output: 7944


Critical: args is not a recognized input for gitleaks/gitleaks-action@v2.

The action's action.yml declares no inputs: section—configuration is taken entirely from environment variables. The args: detect --source . --redact --verbose --exit-code 1 will be silently ignored, losing flags like --redact and --verbose.

Additionally, the action auto-detects only gitleaks.toml (without dot prefix) at the repo root. A .gitleaks.toml file exists in this repo but will not be loaded; its allowlist and custom rules will be silently dropped unless explicitly set via GITLEAKS_CONFIG.

🛠 Fix — remove unsupported `args` and wire config via env
       - name: Run gitleaks
         uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
-        with:
-          args: detect --source . --redact --verbose --exit-code 1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+          GITLEAKS_CONFIG: .gitleaks.toml
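Review bot: the suggested diff deletes the `args` line and adds only `GITLEAKS_CONFIG: .gitleaks.toml`, so `--redact`, `--verbose` and `--exit-code 1` disappear entirely, while the agent prompt beneath it instead says to add `GITLEAKS_ARGS: "detect --source . --redact --verbose --exit-code 1"`; the two should agree before either is applied. Since the fetched `action.yml` showed no inputs, the action's README is the only place a `GITLEAKS_ARGS` variable would be documented, so confirm it exists there rather than assuming the prompt's env name is honoured; otherwise the fix swaps one silently ignored setting for another.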
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 95-101, remove the unsupported args
key from the gitleaks step and instead pass flags and config via environment
variables: delete the args: line under the
gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 step, add env
entries GITLEAKS_CONFIG: ".gitleaks.toml" to point to the existing config file,
and add GITLEAKS_ARGS: "detect --source . --redact --verbose --exit-code 1"
(preserving GITHUB_TOKEN and GITLEAKS_LICENSE) so the action receives the same
flags and loads the .gitleaks.toml allowlist and rules.


agent-security:
name: Agent Security Scan
runs-on: ubuntu-latest
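The finding above (an undeclared `with:` key is dropped with only a runner warning) is the kind of thing a pre-merge lint can catch for every pinned action, not just gitleaks. The following is an added example, not code from this PR or from either action: it scans workflow steps for `with:` keys absent from the action's `inputs:` block, using a minimal indentation scanner instead of PyYAML so it runs stand-alone; the workflow snippet is taken from the hunk and the two `action.yml` stand-ins are constructed (in practice, fetch the real file at the pinned SHA).

```python
import re

# Constructed sample: the two steps of the PR's secret-scan job.
WORKFLOW = """\
steps:
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    with:
      fetch-depth: 0
  - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
    with:
      args: detect --source . --redact --verbose --exit-code 1
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed stand-ins for each action's action.yml (use the file at the pinned
# SHA in practice); the gitleaks-action one has no `inputs:` block at all.
ACTION_YML = {
    "actions/checkout": "inputs:\n  repository:\n    default: ''\n  fetch-depth:\n    default: 1\n",
    "gitleaks/gitleaks-action": "name: gitleaks-action\nruns:\n  using: node20\n",
}

def declared_inputs(action_yml):
    """Keys nested directly under a top-level `inputs:` block."""
    keys, in_inputs = set(), False
    for line in filter(str.strip, action_yml.splitlines()):
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_inputs = line.rstrip() == "inputs:"
        elif in_inputs and indent == 2 and line.rstrip().endswith(":"):
            keys.add(line.strip()[:-1])
    return keys

def undeclared_with_keys(workflow, action_ymls):
    """(action, key) for every `with:` key the used action does not declare."""
    findings, action, with_indent = [], None, None
    for line in filter(str.strip, workflow.splitlines()):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        m = re.match(r"(?:-\s+)?uses:\s*([^@\s]+)@", stripped)
        if m:                                  # new step: remember its action
            action, with_indent = m.group(1), None
        elif stripped == "with:":
            with_indent = indent
        elif with_indent is not None and indent > with_indent:
            key = stripped.split(":", 1)[0]    # a `with:` entry of this step
            if key not in declared_inputs(action_ymls.get(action, "")):
                findings.append((action, key))
        else:                                  # left the `with:` block
            with_indent = None
    return findings
```

Run over the sample it reports `args` on gitleaks-action and nothing on checkout, whose `fetch-depth` is declared; keys whose value is a multi-line block scalar are not handled by this scanner.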