chore: add repository secret-scanning guardrails#49

Merged
ausbru87 merged 4 commits into
mainfrom
chore/repo-secret-guardrails
Jun 10, 2026
Conversation

@ausbru87

Collaborator

Adds repository-wide secret-scanning guardrails. There is currently no .github/ directory or CI in this repo; this introduces gitleaks-based scanning end to end.

Changes

  1. .gitleaks.toml (repo root): extends the default gitleaks rule set (useDefault = true) with an allowlist for placeholder/template files (*.example.*, secrets.example.ya?ml, the docs/ tree) and a narrow regexes allowlist for the two synthetic in-cluster demo Postgres literals (demo_pg_admin_pw, mcp_ro_demo_pw).
  2. .pre-commit-config.yaml (repo root): a single opt-in gitleaks hook (official pre-commit repo, tag v8.21.2). Developers enable it with pre-commit install.
  3. .github/workflows/secret-scan.yml: GitHub Actions workflow running gitleaks/gitleaks-action@v2 on pull_request and on push to main. Checkout uses fetch-depth: 0; GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false and no license env since this is a single repo.
  4. deploy/CONVENTIONS.md: adds a "Secrets management" section documenting that real secrets live in AWS Secrets Manager under usgov-coderdemo/*, synced to Kubernetes by ESO via IRSA, with placeholders only in *.example.yaml and gitleaks running in pre-commit and CI.

Note

The .gitleaks.toml synthetic-credential allowlist (demo_pg_admin_pw, mcp_ro_demo_pw) is temporary. It keeps CI green on current main while those throwaway demo creds still exist. Once chore/datastore-mcp-eso-secrets migrates them to ESO and merges, that regexes entry can be deleted.

Generated by Coder Agents, on behalf of @ausbru87.
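The `.gitleaks.toml` the description outlines, written out as an added example; it is not the file the PR actually merged. It assumes gitleaks v8 configuration syntax (an `[extend]` table with `useDefault`, a single `[allowlist]` table). The path patterns are assumptions about how the description's globs would be expressed, because gitleaks `allowlist.paths` entries are Go regular expressions matched against the repo-relative path, not shell globs, so `*.example.*` as written would not match anything.

```toml
# .gitleaks.toml (added example, not the file from this PR)
title = "repository secret-scanning guardrails"

[extend]
# Keep every built-in gitleaks rule; this file only narrows where they fire.
useDefault = true

[allowlist]
description = "placeholder/template files and the two synthetic demo Postgres literals"

# Assumption: the description's globs rendered as Go regexes against repo-relative paths.
paths = [
  '''(^|/)[^/]+\.example\.[^/]+$''',   # any *.example.* file, e.g. deploy/secrets.example.yaml
  '''(^|/)secrets\.example\.ya?ml$''', # already covered above; kept to mirror the description
  '''^docs/''',                        # the whole docs tree
]

# Temporary: the two throwaway in-cluster demo credentials. By default these are
# compared against the secret a rule captured, not the whole line, so a real
# credential sitting beside one of these literals is still reported.
# Delete this key once chore/datastore-mcp-eso-secrets migrates them to ESO.
regexes = [
  '''demo_pg_admin_pw''',
  '''mcp_ro_demo_pw''',
]
```

Two checks worth doing before relying on this. First, run the CLI locally against the tree the same way the CI step does after the second commit (flags assumed for gitleaks 8.21.x): `gitleaks detect --source . --config .gitleaks.toml --redact --no-banner`; the config is validated on load, so a malformed regex fails the scan rather than silently allowlisting everything. Second, keep `fetch-depth: 0` in the checkout step: with a shallow clone gitleaks sees only the tip commit, and a secret committed and then deleted earlier on the branch is never scanned.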

ausbru87 added 2 commits June 10, 2026 04:02
Add gitleaks-based secret scanning with a shared config, an opt-in
pre-commit hook, and a CI workflow that runs on pull requests and
pushes to main. Document the secrets-management convention in
deploy/CONVENTIONS.md.

The .gitleaks.toml synthetic-credential allowlist is temporary and can
be removed once chore/datastore-mcp-eso-secrets migrates those demo
creds to ESO.

Generated by Coder Agents.
The gitleaks/gitleaks-action@v2 wrapper refuses to run for GitHub
organizations without a paid GITLEAKS_LICENSE. Install and run the
MIT-licensed gitleaks CLI directly and scan the checked-out tree.

Generated by Coder Agents.
ausbru87 added 2 commits June 10, 2026 04:41
…nfig

The demo_pg_admin_pw / mcp_ro_demo_pw literals were removed from the tree when
the datastore-mcp credentials moved to ESO, so the allowlist is no longer
needed.

Generated by Coder Agents.
@ausbru87 ausbru87 merged commit 1fed25b into main Jun 10, 2026
1 check passed
@ausbru87 ausbru87 deleted the chore/repo-secret-guardrails branch June 10, 2026 04:44