chore(build): add gitleaks secret scanning workflow#137
📝 Walkthrough
Adds a new GitHub Actions workflow.
Sequence Diagram(s)
sequenceDiagram
participant GitHub as GitHub Events
participant Runner as Actions Runner
participant Checkout as actions/checkout
participant Gitleaks as gitleaks/gitleaks-action
GitHub->>Runner: push to main / pull_request
Runner->>Checkout: checkout repository (fetch-depth: 0)
Runner->>Gitleaks: run action (pinned commit) with env: GITHUB_TOKEN, GITLEAKS_LICENSE
Gitleaks->>Runner: scan repository for secrets
Gitleaks-->>GitHub: report results (action outcome)
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/gitleaks.yml:
- Around line 4-5: The workflow runs on pull_request and unconditionally sets
the GITLEAKS_LICENSE env for gitleaks-action@v2, causing forked PRs to fail
because secrets aren't available; update the workflow to detect external PRs
(use github.event.pull_request.head.repo.fork or github.actor !=
repository_owner) and conditionally run the licensed gitleaks step only when the
secret is present/PR is internal, otherwise run an alternative non-secret scan
or skip the licensed step; reference the GITLEAKS_LICENSE environment entry and
the gitleaks-action@v2 step when adding the if: condition and a fallback step.
- Around line 13-16: The workflow uses movable tags for actions/checkout@v4 and
gitleaks/gitleaks-action@v2; replace those tag refs with the corresponding full
commit SHAs (the immutable full-length commit IDs) for both "uses" entries so
the workflow pins exact action commits (locate the actions/checkout and
gitleaks/gitleaks-action references in the YAML and substitute the tag@<sha>
form), then verify the workflow still passes and that secrets consumed by
gitleaks remain scoped as before.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: c7667065-1566-4a91-8528-40d46606bdbc
📒 Files selected for processing (1)
.github/workflows/gitleaks.yml
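One way to address both findings in a single workflow, shown as an added example that is not the PR's own file and not CodeRabbit's suggestion: the licensed action runs only for events that can see repository secrets, forked pull requests fall back to the gitleaks CLI run from its container image, and both actions are SHA-pinned. The actions/checkout SHA is the v4.2.2 one quoted later in this thread; the gitleaks-action SHA is a placeholder to be resolved from the official gitleaks/gitleaks-action repository before use; the gitleaks image tag and the fork-detection expression are this example's assumptions, not taken from the PR.

```yaml
name: gitleaks

on:
  push:
    branches: [main]
  pull_request:

# The scan only reads the repository; nothing here needs write access.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0   # full history, so leaked-then-removed secrets are still found

      # Pushes to main and PRs from branches of this repository can read
      # repository secrets, so the licensed action is usable there.
      - name: gitleaks (licensed, internal events only)
        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
        # Placeholder: replace with the 40-hex commit SHA of the v2 release,
        # resolved from github.com/gitleaks/gitleaks-action, before merging.
        uses: gitleaks/gitleaks-action@<full-length-commit-sha-of-v2-release> # v2.x.y
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

      # Forked PRs see an empty GITLEAKS_LICENSE, so run the CLI from its image
      # instead (image tag is an assumption; pin it by @sha256 digest in practice).
      # --no-git scans only the checked-out tree, not the history: the trade-off
      # for not needing git inside the container.
      - name: gitleaks (unlicensed fallback for forked PRs)
        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true }}
        run: |
          docker run --rm -v "${{ github.workspace }}:/repo" \
            ghcr.io/gitleaks/gitleaks:v8.21.2 \
            detect --source /repo --no-git --redact --exit-code 1
```

The `github.event_name` guard matters: on a `push` event `github.event.pull_request` is null, and a bare `github.event.pull_request.head.repo.fork == false` would compare null with false rather than reliably selecting internal events.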
- uses: actions/checkout@v4
  with:
    fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/gitleaks.yml
Repository: questdb/c-questdb-client
Length of output: 568
🌐 Web query:
GitHub Actions security hardening full commit SHA pin action references best practice
💡 Result:
Best practice: pin GitHub Actions to a full commit SHA
- Pin all third-party actions to an immutable ref, preferably a full, 40-char commit SHA (not a branch like main/master, and not a mutable tag like v1). GitHub explicitly calls SHA pinning "the only way to use an action as an immutable release," and recommends it to reduce supply-chain risk (tags can be moved). [1]
- Choose the SHA that corresponds to a tagged release, and add a comment with the human version to keep updates manageable (and friendlier for update tooling). Example: [2]
  - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- Verify the SHA comes from the action's official repository (not a fork) before pinning. [1]
- Enforce SHA pinning via policy (enterprise/org/repo). GitHub supports requiring actions to be pinned to full-length SHAs, and this can be enforced in Actions policies (and via API fields like sha_pinning_required). [3][4]
- Also consider pinning reusable workflow references, and/or restrict which actions/workflows are allowed to run using "allowed actions and reusable workflows" policy controls. [4][5]
Why this is recommended
GitHub recommends SHA pinning to proactively limit the impact of a compromised dependency in workflows. [5]
Sources
[1] GitHub Docs — Security hardening for GitHub Actions (Pin actions to a full length commit SHA) (docs.github.com)
[2] GitHub Well-Architected — Securing GitHub Actions Workflows (example of SHA pin + version comment) (wellarchitected.github.com)
[3] GitHub Enterprise Cloud Docs — Enforcing policies for GitHub Actions in your enterprise (require full-length SHA option) (docs.github.com)
[4] GitHub Docs — Disabling or limiting GitHub Actions for your organization (allow-list syntax; tag-or-SHA) (docs.github.com)
[5] GitHub Changelog — Actions policy now supports blocking and SHA pinning actions (recommends pinning to specific commit SHA) (github.blog)
Citations:
- 1: https://docs.github.com/en/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions?learn=getting_started&learnProduct=actions&utm_source=openai
- 2: https://wellarchitected.github.com/library/application-security/recommendations/actions-security/?utm_source=openai
- 3: https://docs.github.com/github-ae%40latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise?utm_source=openai
- 4: https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization?from=20423&from_column=20423&utm_source=openai
- 5: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/?utm_source=openai
Pin action refs to full commit SHAs.
Both steps are using movable tags, and the gitleaks step receives repository secrets. GitHub's secure-use guidance recommends full-length commit SHAs because that is the only immutable way to reference an action release and it reduces tag-retargeting risk. (docs.github.com)
🔒 Suggested hardening
- - uses: actions/checkout@v4
+ - uses: actions/checkout@<verified-full-length-commit-sha> # v4
with:
fetch-depth: 0
- - uses: gitleaks/gitleaks-action@v2
+ - uses: gitleaks/gitleaks-action@<verified-full-length-commit-sha> # v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
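Review bot: the two `<verified-full-length-commit-sha>` placeholders in the `uses:` lines are not resolvable refs, so this suggestion cannot be applied as written; the runner would fail to fetch either action. Substitute the real 40-hex SHA of the release you verified against the official repository, and make the trailing comment name that exact release (`# v4.2.2`, not `# v4`): a floating-major comment hides which release the SHA actually is and gives Dependabot/Renovate nothing precise to track. The `env` block is otherwise unchanged, so `GITHUB_TOKEN` and `GITLEAKS_LICENSE` stay scoped to the gitleaks step only.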
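As a check for the pinning requirement discussed above, here is an added audit script (not part of the PR and not CodeRabbit's tooling) that flags every `uses:` reference in a workflow that is not a 40-hex commit SHA, plus SHA pins that lack the version comment the guidance recommends. The sample workflow text inside it is constructed for the example, and the regexes are the script's own assumptions about the `uses:` syntax.

```python
"""Audit GitHub Actions workflow files for action references that are not
pinned to a full-length commit SHA (added example, not from the PR)."""
import re
from pathlib import Path

# A full-length commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches `- uses: owner/repo[/path]@ref  # optional version comment`.
# Local (./path) and docker:// actions carry no "@ref" and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*))?\s*$"
)


def audit_workflow_text(text: str):
    """Return (line_no, action, ref, problem) for each `uses:` line that is
    either not SHA-pinned or SHA-pinned without a human-readable version."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not SHA_RE.match(ref):
            # Tags and branches can be moved; this is the supply-chain finding.
            findings.append((line_no, action, ref, "not pinned to a full-length commit SHA"))
        elif not comment or not re.match(r"^v?\d", comment):
            # Pinned, but nobody can tell which release the SHA is.
            findings.append((line_no, action, ref, "SHA pin lacks a version comment (e.g. '# v4.2.2')"))
    return findings


def audit_workflows(directory: Path):
    """Audit every *.yml / *.yaml file under directory (normally .github/workflows)."""
    results = {}
    for path in sorted(directory.glob("*.y*ml")):
        findings = audit_workflow_text(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample: the two refs as submitted in the PR, one correctly
# pinned checkout line, and one pinned line missing its version comment.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
"""

if __name__ == "__main__":
    for finding in audit_workflow_text(SAMPLE_WORKFLOW):
        print("line %d: %s@%s: %s" % finding)
```

Against a real checkout, call `audit_workflows(Path(".github/workflows"))`; a non-empty result is the condition to fail CI on. The script deliberately does no network lookups: resolving a tag to the SHA to pin is a separate, manual step against the action's official repository, and the SHA found that way should match the one you then write into the `uses:` line.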
♻️ Duplicate comments (1)
.github/workflows/gitleaks.yml (1)
13-13: ⚠️ Potential issue | 🟠 Major
Pin actions/checkout to a full commit SHA.
The gitleaks action was correctly pinned (line 16), but actions/checkout@v4 still uses a movable tag. For supply-chain security, both actions should be pinned to immutable commit SHAs.
🔒 Suggested fix
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gitleaks.yml at line 13, the workflow uses a movable tag for the checkout action ("actions/checkout@v4"); replace that tag with the full immutable commit SHA to pin the action (same approach already used for the gitleaks action). Locate the job step that references "actions/checkout@v4" and update it to the corresponding full commit SHA from the actions/checkout repository (get the SHA from the official GitHub repo/releases or the specific release tag), ensuring the checkout step now uses that SHA string instead of "@v4".
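Review bot: the SHA `11bd71901bbe5b1630ceea73d27597364c9af683` is labelled `# v4.2.2`, but nothing in this thread shows it being resolved from the official actions/checkout repository, and a mismatched SHA pins the workflow to an unknown commit rather than to the release the comment claims. Before merging, resolve the tag yourself with `git ls-remote https://github.com/actions/checkout refs/tags/v4.2.2` (an annotated tag also lists a `^{}` entry; that peeled value is the commit to pin) and confirm it matches the hunk. Keep `fetch-depth: 0` as the hunk does: the gitleaks step relies on it to scan the commit history rather than only HEAD.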
Summary
gitleaks/gitleaks-action@v2 with GITLEAKS_LICENSE secret
Reference: questdb/questdb#6863