Skip to content

Harden for open-sourcing: config-ize prod defaults + gitleaks secret scanning#1

Merged
sumitglobussoft merged 2 commits into
mainfrom
harden/oss-config-and-gitleaks
Jul 8, 2026
Merged

Harden for open-sourcing: config-ize prod defaults + gitleaks secret scanning#1
sumitglobussoft merged 2 commits into
mainfrom
harden/oss-config-and-gitleaks

Conversation

@sumitglobussoft

Copy link
Copy Markdown
Member

Two small hardening changes ahead of wider open-sourcing.

1. Remove hardcoded prod/personal defaults (config commit)

  • server/agents_runtime.py no longer defaults the agents-owner to a personal email — reads AGENTS_OWNER_EMAIL, falling back to GLOBUS_FIRST_MEMBER_EMAIL (the seed member). If neither is set, owner-only agents stay locked (safe default).
  • server/vault_stats.py no longer pins the vault auto-build dir to /opt/buildwithsumit/vault/auto — reads GLOBUS_VAULT_AUTO_DIR (default /opt/globus/vault/auto).
  • Both knobs documented in config/.env.example.

2. gitleaks secret scanning (ops commit)

  • .github/workflows/gitleaks.yml — runs the gitleaks CLI (official Docker image) on every push + PR over full history. Uses the CLI rather than gitleaks-action because the Action requires a paid license for org-owned repos; the CLI is free.
  • .pre-commit-config.yaml — blocks leaks locally before commit.
  • .gitleaks.toml — extends the default ruleset; allowlists the sanitized example files + public identifiers.
  • CONTRIBUTING.md — documents the never-commit-secrets rule + hook install.

No secrets were found in the repo (tree or history) during the audit that prompted this — this is preventive.

The public build hardcoded a personal email (agents-owner fallback) and a
production vault path (/opt/buildwithsumit/vault/auto). Read both from
config instead so a fresh open-source deploy carries no personal or
prod-specific defaults:
  - agents owner: AGENTS_OWNER_EMAIL, falling back to GLOBUS_FIRST_MEMBER_EMAIL
    (the seed member). If neither is set, owner-only agents stay locked.
  - vault auto-build dir: GLOBUS_VAULT_AUTO_DIR, default /opt/globus/vault/auto.
Both knobs documented in config/.env.example.
Guard against a credential ever landing in this public repo.
  - .github/workflows/gitleaks.yml: runs the gitleaks CLI via its official
    Docker image on every push and PR over full history. Uses the CLI (not
    gitleaks-action) because the Action requires a paid license for
    org-owned repos; the CLI is free.
  - .pre-commit-config.yaml: blocks leaks locally before commit.
  - .gitleaks.toml: extends the default ruleset, allowlists the sanitized
    example files + public identifiers to avoid false positives.
  - CONTRIBUTING.md: documents the never-commit-secrets rule + hook install.
@sumitglobussoft
sumitglobussoft merged commit 143f3dc into main Jul 8, 2026
4 checks passed
@sumitglobussoft
sumitglobussoft deleted the harden/oss-config-and-gitleaks branch July 8, 2026 08:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants