feat: shared gitleaks + privacy-scan (CI reusables + pre-commit hook) #13
Merged
Centralize the secret/privacy scanning so all repos share one source of truth instead of agent-driven manual review:

- gitleaks-reusable.yml: secret scan over full history (workflow_call), lifted from docker_infra's local gitleaks.yml.
- privacy-scan-reusable.yml + scripts/privacy-scan.sh: fail if tracked files contain private-infrastructure markers (private IPs, .local hosts, host paths, key/secret markers). Built-in patterns are GENERIC (safe for this public repo); callers pass their own private hostnames via the extra-patterns input / EXTRA_PATTERNS env, so secret-ish values stay in the private caller. The reusable checks out the script from this repo at job.workflow_sha so the rules cannot be tampered with by the calling repo's tree.
- .pre-commit-hooks.yaml: exposes the same script as a pre-commit hook, so the local hook and CI enforce identical rules.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What & why
Automate the secret/privacy scanning that was previously done by hand, and centralize it so every repo shares one rule set.
New
- gitleaks-reusable.yml — secret scan over full history (workflow_call), lifted from docker_infra's local gitleaks.yml.
- scripts/privacy-scan.sh — fails if tracked files contain private-infrastructure markers (private IP ranges, .local hosts, host paths like /home/*, /volume*, /etc/komodo/, key/secret markers). Built-in patterns are generic and safe for this public repo.
- privacy-scan-reusable.yml — runs the script. Callers pass their own private hostnames via the extra-patterns input → EXTRA_PATTERNS env, so secret-ish values live only in the private caller, never here. The script is checked out from this repo at job.workflow_sha (untamperable by the caller's tree).
- .pre-commit-hooks.yaml — exposes the same script as a pre-commit hook, so local hook and CI enforce identical rules.

Design note
privacy-scan.sh is the single source of truth, shared by CI and the local pre-commit hook. Private hostnames are never hardcoded in this public repo — they flow in via EXTRA_PATTERNS.

Validation
Follow-ups
.pre-commit-config.yaml referencing this hook where wanted.

🤖 Generated with Claude Code
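The following is an added example, not the PR's scripts/privacy-scan.sh and not this project's code, of a tracked-file privacy scan in the shape the description gives: generic built-in markers, caller-supplied patterns through the EXTRA_PATTERNS environment variable, a file list taken from stdin (as `git ls-files` produces it) or from arguments (as pre-commit passes them), and a non-zero exit on any hit. The concrete regexes, the EXCLUDE_PATHS variable, the hit_count helper and the file name privacy-scan-example.sh are assumptions of this example; the PR does not publish its rule list.

```shell
#!/usr/bin/env sh
# Added example of a tracked-file privacy scan. Not the PR's scripts/privacy-scan.sh;
# the regexes below, EXCLUDE_PATHS, hit_count and the file name are assumptions.

# Built-in, generic markers (one ERE per line): RFC 1918 IPv4 ranges, .local hosts,
# host paths like /home/<user>/, /volume*/ and /etc/komodo/, PEM private-key headers,
# and credential keys whose value is a literal rather than a "$..." reference.
BUILTIN_PATTERNS='10\.[0-9]+\.[0-9]+\.[0-9]+
172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+
192\.168\.[0-9]+\.[0-9]+
[A-Za-z0-9_-]+\.local([^A-Za-z0-9]|$)
/home/[A-Za-z0-9_-]+/
/volume[0-9]*/
/etc/komodo/
BEGIN [A-Z ]*PRIVATE KEY
(password|passwd|secret|api[_-]?key)[[:space:]]*[:=][[:space:]]*[^[:space:]$]'

# Paths to skip, as one ERE. A scanner committed to the repo it scans contains its
# own marker literals (e.g. "/etc/komodo/"), so it must not scan itself.
EXCLUDE_PATHS="${EXCLUDE_PATHS:-(^|/)privacy-scan-example\.sh\$}"

# Combined pattern list: built-ins plus the caller's EXTRA_PATTERNS (newline-separated
# EREs from the environment, never hardcoded here). Blank lines are dropped because
# an empty pattern given to `grep -f` matches every line of every file.
all_patterns() {
  printf '%s\n' "$BUILTIN_PATTERNS" "${EXTRA_PATTERNS:-}" | sed '/^[[:space:]]*$/d'
}

# privacy_scan [FILE...]: take paths from the arguments or, without any, one per line
# from stdin; print each offending line as path:lineno:text; return 1 on any hit,
# 0 when clean, 2 when a temp file could not be created.
privacy_scan() {
  patfile=$(mktemp) || return 2
  hits=$(mktemp) || { rm -f "$patfile"; return 2; }
  all_patterns > "$patfile"
  { if [ "$#" -gt 0 ]; then printf '%s\n' "$@"; else cat; fi; } |
  while IFS= read -r path; do
    [ -f "$path" ] || continue                                  # dirs, deleted files
    printf '%s\n' "$path" | grep -qE "$EXCLUDE_PATHS" && continue
    grep -inHE -f "$patfile" -- "$path" >> "$hits" || :         # grep exits 1 on no match
  done
  cat "$hits"
  if [ -s "$hits" ]; then rc=1; else rc=0; fi
  rm -f "$patfile" "$hits"
  return "$rc"
}

# hit_count [FILE...]: same scan, printing only the number of offending lines.
hit_count() {
  privacy_scan "$@" | wc -l | tr -d ' '
}

# Invoke in CI as:  git ls-files | sh privacy-scan-example.sh
# A pre-commit hook entry pointing at this file passes the staged paths as arguments.
case "$0" in
  *privacy-scan-example.sh) privacy_scan "$@" ;;
esac
```

A calling workflow would pass its extra-patterns input through as EXTRA_PATTERNS, one ERE per line, so the private hostnames only ever exist in the caller's repository. Two checks worth keeping in any real version: blank patterns (an empty line handed to `grep -f` matches everything, so a trailing newline in the input would fail every file) and self-matching (the scanner's own source contains the marker literals it looks for, so exclude it by path or phrase the patterns so they cannot match their own text).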