
chore: run parallel secret scanners (detect-secrets, gitleaks, trufflehog)#164

Merged: vredchenko merged 4 commits into main from chore/switch-to-gitleaks on Mar 10, 2026

Conversation

@vredchenko (Collaborator) commented Feb 20, 2026

Summary

  • Run detect-secrets, gitleaks, and trufflehog as parallel non-blocking CI jobs
  • All jobs use continue-on-error: true so scanner issues don't block PRs while we evaluate side-by-side
  • Gitleaks CLI (pinned v8.30.0) produces SARIF report artifact
  • Trufflehog (pinned v3.93.8) runs with --only-verified, produces JSON report artifact
  • Add .gitleaks.toml allowlist for docs/, claude-code/, k8s/secret.example.yaml
  • Pre-commit: gitleaks + trufflehog added as pre-push hooks
  • Lefthook: gitleaks + trufflehog added as pre-push commands

Context

Part of a 4-repo rollout (smartem-decisions#228, smartem-frontend#55, fandanGO-cryoem-dls#10). Running scanners in parallel lets us compare coverage and false-positive rates before committing to one.

ADR updates deferred to a follow-up PR.

Ref: #139

Test plan

  • CI shows 3 scanner jobs: detect-secrets, gitleaks (CLI), trufflehog
  • All 3 jobs pass (or fail non-blocking)
  • Report artifacts uploaded for gitleaks (SARIF) and trufflehog (JSON)
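As an added illustration of the workflow shape the summary describes (this is not the repository's actual workflow file), the gitleaks and trufflehog jobs as parallel, non-blocking jobs with the pinned versions named above. The release asset names, the checkout/upload action versions and the checksum placeholder are assumptions; `.gitleaks.toml` is picked up from the repository root because that is gitleaks' default config location.

```yaml
name: leaked-secrets-scan
on: [push, pull_request]

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    continue-on-error: true      # non-blocking while scanners are evaluated side by side
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0         # full history: gitleaks detect walks the git log, a shallow clone hides old leaks
      - name: Install gitleaks v8.30.0 (asset name assumed from the release naming scheme)
        run: |
          curl -sSfL -o gitleaks.tgz \
            https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
          # verify against the published checksum before trusting the binary (placeholder, not a real digest)
          echo "<sha256-from-release-page>  gitleaks.tgz" | sha256sum -c - || exit 1
          tar -xzf gitleaks.tgz gitleaks && sudo install -m 0755 gitleaks /usr/local/bin/gitleaks
      - name: Scan repository and history (uses .gitleaks.toml allowlist from repo root)
        run: gitleaks detect --source . --redact --report-format sarif --report-path gitleaks.sarif
      - uses: actions/upload-artifact@v4
        if: always()             # findings fail the step; still upload the SARIF report for review
        with:
          name: gitleaks-sarif
          path: gitleaks.sarif

  trufflehog:
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install trufflehog v3.93.8 (asset name assumed from the release naming scheme)
        run: |
          curl -sSfL -o trufflehog.tgz \
            https://github.com/trufflesecurity/trufflehog/releases/download/v3.93.8/trufflehog_3.93.8_linux_amd64.tar.gz
          echo "<sha256-from-release-page>  trufflehog.tgz" | sha256sum -c - || exit 1
          tar -xzf trufflehog.tgz trufflehog && sudo install -m 0755 trufflehog /usr/local/bin/trufflehog
      - name: Scan git history, report only credentials that verified live
        run: trufflehog git file://. --only-verified --fail --json > trufflehog.json
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: trufflehog-json
          path: trufflehog.json
```

Once the side-by-side evaluation is over, dropping `continue-on-error: true` turns the chosen scanner into a real gate; until then a leaked credential only shows up in the artifact, so someone has to actually read it.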

@github-actions bot added labels documentation (Improvements or additions to project documentation) and devops (CI/CD, deployment, infrastructure, or tooling work) on Feb 20, 2026
@vredchenko added labels admin (Project maintenance, dependency updates, or housekeeping) and security (Security fixes, audits, or vulnerability remediation) on Feb 20, 2026
Run detect-secrets with continue-on-error to avoid blocking CI while
parallel scanners are introduced. Remove workflow_call trigger (ci.yml
does not call this workflow). Rename artifact for clarity.

Add gitleaks CLI job to the leaked secrets scan workflow, running in
parallel with detect-secrets. Add .gitleaks.toml with allowlist for
docs, claude-code, and k8s example secrets. Wire up pre-commit and
lefthook pre-push hooks.

Add trufflehog job to the leaked secrets scan workflow for verified-only
secret detection. Wire up pre-commit and lefthook pre-push hooks.
@vredchenko force-pushed the chore/switch-to-gitleaks branch from 5fa269a to 893f214 on March 10, 2026 14:14
@vredchenko vredchenko changed the title feat: replace detect-secrets with gitleaks chore: run parallel secret scanners (detect-secrets, gitleaks, trufflehog) Mar 10, 2026
@vredchenko vredchenko marked this pull request as ready for review March 10, 2026 14:21
@vredchenko vredchenko merged commit 2e59226 into main Mar 10, 2026
9 checks passed
@vredchenko vredchenko deleted the chore/switch-to-gitleaks branch March 10, 2026 14:40