Add stack secret scanning guardrails #4
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d635e94915
```bash
local file="$1"

ignored_path "$file" && return 0
binary_or_unreadable "$file" || return 0
```
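Review bot: the two guards in this excerpt read with opposite senses, `ignored_path "$file" && return 0` skips when its predicate succeeds while `binary_or_unreadable "$file" || return 0` skips when its predicate fails, so either `binary_or_unreadable` actually returns success for readable text files (in which case the name says the opposite of what it tests) or the early return fires for the wrong set of files. Rename the helper so it reads as the positive check it apparently is (for example `readable_text_file "$file" || return 0`) or flip the guard to `binary_or_unreadable "$file" && return 0`; with the current spelling the next person reordering these checks has to read the helper body to know which files are being skipped.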
Move filename checks before binary skips
Because binary_or_unreadable is evaluated before scan_path_name, any binary credential file that the filename rules explicitly list (.p12, .pfx, .kdbx, etc.) returns here before its extension is reported. In a PR that adds a real binary cert/key store, this job would pass even though the filename rule intends to block it; run scan_path_name before the text/binary guard and only skip scan_line for binary files.
```awk
}

if (!placeholder($0) &&
    lower ~ /(api[_-]?key|access[_-]?token|refresh[_-]?token|client[_-]?secret|password|private[_-]?key)[[:space:]]*[:=][[:space:]]*["'\''"]?[a-z0-9_.\/+=-]{16,}/) {
```
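Review bot: the `{16,}` bound at the end of this regex is an ERE interval expression, and not every awk honours it: older mawk builds (1.3.3, for a long time the default `awk` on Debian and Ubuntu images) treat the braces as literal characters, so on such a runner this rule would silently never match while matching as intended under gawk. Call `gawk` explicitly in the script, or pin the awk implementation in both the workflow and the pre-commit hook, so the local hook and CI apply the same rule. Minor: inside the shell-quoted program the class `["'\''"]` expands to `["'"]`, listing `"` twice; `["'\'']` is equivalent and easier to read.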
Allow quoted JSON secret keys in assignment scan
The assignment regex requires : or = immediately after the key name, so a normal JSON config line like "api_key": "..." has a quote between api_key and : and is not flagged. In a PR adding generic tokens/passwords to JSON files that do not match a provider-specific pattern, both the stack scanner and the matching Gitleaks rule miss the secret-looking assignment; allow an optional closing quote before the separator.
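To make the gap described in the comment above concrete, here is an added example in Python (not code from this PR; the real scanner is awk embedded in `scripts/security/scan-sensitive-content.sh`). It reimplements the assignment rule as it appears in the excerpt, beside a revised variant that accepts an optional closing quote between the key name and the separator, and runs both over constructed config lines. The `placeholder()` helper is an assumed stand-in, since the script's own helper body is not shown in the excerpt.

```python
import re

# Constructed sample config lines (not taken from the PR's repository).
SAMPLE_LINES = [
    'API_KEY = "abcdef0123456789abcdef"',            # .env / shell style
    '"api_key": "abcdef0123456789abcdef"',           # JSON style: a quote sits before the colon
    "password: 'correct-horse-battery-staple-2024'",  # YAML style
    '"password": "changeme_changeme_changeme"',       # JSON style, but an obvious placeholder
    'access_token = ""',                              # empty value, nothing to flag
]

# Key names from the scanner's assignment rule, as shown in the review excerpt.
KEY_NAMES = (
    r"(api[_-]?key|access[_-]?token|refresh[_-]?token|"
    r"client[_-]?secret|password|private[_-]?key)"
)
# Value side: optional opening quote, then 16 or more token-looking characters.
VALUE = r"[\"']?[a-z0-9_./+=-]{16,}"

# The rule as it appears in the PR: the separator must follow the key name directly.
ORIGINAL_RE = re.compile(KEY_NAMES + r"\s*[:=]\s*" + VALUE)
# Revised rule: an optional closing quote is allowed between key name and separator.
REVISED_RE = re.compile(KEY_NAMES + r"[\"']?\s*[:=]\s*" + VALUE)

# Assumed stand-in for the script's placeholder() helper (its body is not in the excerpt):
# angle-bracket or ${...} templates and common dummy words are not treated as secrets.
PLACEHOLDER_RE = re.compile(
    r"(<[^>]+>|\$\{[^}]+\}|example|changeme|placeholder|dummy|xxx)", re.IGNORECASE
)


def placeholder(line: str) -> bool:
    return PLACEHOLDER_RE.search(line) is not None


def flagged(pattern: re.Pattern, line: str) -> bool:
    """Mirror the awk condition: not a placeholder, and the lowercased line matches."""
    return not placeholder(line) and pattern.search(line.lower()) is not None


def scan(lines, pattern):
    """Return the 1-based line numbers the given rule would report."""
    return [n for n, line in enumerate(lines, start=1) if flagged(pattern, line)]


def missed_by_original(lines):
    """Lines the revised rule reports that the original rule silently passes."""
    return sorted(set(scan(lines, REVISED_RE)) - set(scan(lines, ORIGINAL_RE)))


if __name__ == "__main__":
    print("original rule flags lines:", scan(SAMPLE_LINES, ORIGINAL_RE))
    print("revised rule flags lines: ", scan(SAMPLE_LINES, REVISED_RE))
    print("gap (JSON-style lines):   ", missed_by_original(SAMPLE_LINES))
```

Only the JSON-style line falls through the original rule; the placeholder line is suppressed by both, which is the behaviour you want when the quote is loosened. Since the PR's intent is that the pre-commit hook and CI enforce one policy, the same optional-quote change should be mirrored in the matching rule in `.gitleaks.toml`, otherwise Gitleaks and the stack scanner will disagree on exactly these lines.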
Summary
- `Security scan` workflow that runs Gitleaks and a stack-specific sensitive content scanner on pull requests and pushes to `main`.
- `.gitleaks.toml` and `.pre-commit-config.yaml` so local hooks and CI share the same secret-scanning policy.
- `scripts/security/scan-sensitive-content.sh` for repo-specific leak risks: local machine paths, Codex session artifacts, credential-looking config assignments, and household or finance-lane references.
- `stack-refresh-pr-mode` docs from absolute local paths to portable `~` paths.

Verification

- `scripts/security/scan-sensitive-content.sh`
- `go run github.com/zricethezav/gitleaks/[email protected] dir --redact --config .gitleaks.toml .`
- `pipx run pre-commit run --all-files`
- `git diff --cached --check`

Notes