Conversation

Contributor

Copilot AI commented Oct 8, 2025

Description

This PR adds automated secret scanning to pull requests using the gitleaks-action. This ensures that sensitive information like API keys, passwords, and tokens is not accidentally committed to the repository.

Changes

  • Added .github/workflows/validate-pr-secret.yml workflow that:

    • Runs automatically on all pull request events (opened, edited, reopened, synchronize)
    • Uses gitleaks/gitleaks-action@v2 to scan for secrets
    • Scans the full git history with fetch-depth: 0 for comprehensive detection
    • Follows the same pattern as existing PR validation workflows in the repository
  • Added src/githooks/stubs/.github/workflows/validate-pr-secret.yml stub template:

    • Provides the same secret scanning workflow as a template for projects using the githooks devcontainer feature
    • Allows projects to easily adopt secret scanning by including the githooks feature

Benefits

  • Automated Security: Catches accidentally committed secrets before they reach the main branch
  • Consistent Validation: Aligns with existing PR validation workflows (validate-pr-format.yml)
  • Zero Configuration: Works out-of-the-box with gitleaks' default secret detection rules
  • Reusable Template: Available as a stub for projects using this devcontainer feature

Example

When a pull request is opened or updated, the workflow will automatically scan for common secret patterns including:

  • AWS access keys
  • GitHub tokens
  • Private keys
  • Database credentials
  • API keys from popular services

If secrets are detected, the workflow will fail and provide details about the findings, allowing developers to address the issue before merging.

Fixes #33

Original prompt

This section details the original issue you should resolve

<issue_title>Add validate-pr-secret</issue_title>
<issue_description>Check pr secrets with https://github.com/gitleaks/gitleaks-action</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #33

Co-authored-by: tomgrv <1809566+tomgrv@users.noreply.github.com>
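The workflow file itself is not shown on this page, so the following is an added example that reconstructs what the description above specifies (pull_request trigger on the four listed event types, actions/checkout with fetch-depth: 0, then gitleaks/gitleaks-action@v2). It is not the PR's own file. The job and step names, the explicit `permissions` block, and the `GITLEAKS_LICENSE` secret are my assumptions, not something the PR states.

```yaml
# Added example reconstructing the workflow described in the PR; not the PR's
# own file. Assumptions not on the page: the job/step names, the explicit
# permissions block, and the GITLEAKS_LICENSE secret.
name: validate-pr-secret

on:
  pull_request:
    types: [opened, edited, reopened, synchronize]

# Least privilege: reading repository contents is all the scan needs;
# pull-requests: write lets the action leave a comment when it finds a leak.
permissions:
  contents: read
  pull-requests: write

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - name: Check out full history
        uses: actions/checkout@v4
        with:
          # The action scans every commit in the PR range. A shallow clone
          # would hide a secret that was added in an early commit and then
          # "removed" in a later one, so the whole history is fetched.
          fetch-depth: 0

      - name: Scan for leaked secrets
        uses: gitleaks/gitleaks-action@v2
        env:
          # Token the action uses to read PR metadata and post its findings.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Only required for organization-owned repositories (assumption:
          # the secret name follows the action's documented convention).
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
```

Two practical notes on this shape. First, a `pull_request` run triggered from a fork receives a read-only `GITHUB_TOKEN` regardless of the `permissions` block, so the scan still fails the check on a finding but the PR comment may not be posted. Second, the default ruleset is what catches the patterns listed in the description (AWS access keys, GitHub tokens, private keys and similar); false positives such as test fixtures are handled by adding an allowlist in a `.gitleaks.toml` at the repository root rather than by weakening the workflow.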
Copilot AI changed the title from "[WIP] Add validate PR secret check using gitleaks" to "✨ Add validate-pr-secret workflow with gitleaks-action" Oct 8, 2025
Copilot AI requested a review from tomgrv October 8, 2025 19:17
Owner

@tomgrv tomgrv left a comment

@copilot This must also be in a stub

Contributor Author

Copilot AI commented Oct 8, 2025

@copilot This must also be in a stub

Added the workflow to src/githooks/stubs/.github/workflows/validate-pr-secret.yml (commit a9a3240)

Copilot AI requested a review from tomgrv October 8, 2025 19:53
@tomgrv tomgrv marked this pull request as ready for review October 8, 2025 19:57
Copilot AI review requested due to automatic review settings October 8, 2025 19:57
Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds automated secret scanning to pull requests using the gitleaks-action to prevent accidentally committed sensitive information like API keys, passwords, and tokens from reaching the main branch.

  • Adds GitHub workflow for automated secret detection on all PR events
  • Provides reusable template in githooks feature stubs for downstream projects
  • Integrates with existing PR validation workflow patterns in the repository

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Files reviewed:

  • .github/workflows/validate-pr-secret.yml: Main workflow that runs gitleaks secret scanning on all pull request events
  • src/githooks/stubs/.github/workflows/validate-pr-secret.yml: Template workflow for projects using the githooks devcontainer feature

@tomgrv tomgrv changed the base branch from main to develop October 8, 2025 19:58
@tomgrv tomgrv merged commit 0d621cb into develop Oct 8, 2025
4 of 8 checks passed
@tomgrv tomgrv deleted the copilot/add-validate-pr-secret branch October 9, 2025 09:36