feat(workflows): add gitleaks binary-based secret scanning as PR gate#734
Merged
WilliamBerryiii merged 5 commits intomainfrom Feb 23, 2026
Merged
feat(workflows): add gitleaks binary-based secret scanning as PR gate#734WilliamBerryiii merged 5 commits intomainfrom
WilliamBerryiii merged 5 commits intomainfrom
Conversation
- create gitleaks-scan.yml reusable workflow with download, verify, and scan - integrate gitleaks-scan into pr-validation.yml and main.yml pipelines - update threat model VM-2 control and workflow coverage table - generate SARIF output for GitHub Security tab integration 🔒 - Generated by Copilot
- remove unused scan-mode input that implied differential scanning capability - remove scan-mode display row from job summary 🔒 - Generated by Copilot
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Files
|
Contributor
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
- suppress 18 generic-api-key findings from fake PAT 'ghp_test123456789' - all findings are in Pester security test files using mock tokens 🔒 - Generated by Copilot
agreaves-ms
approved these changes
Feb 23, 2026
katriendg
reviewed
Feb 23, 2026
added 2 commits
February 23, 2026 13:25
- add log-opts input to gitleaks-scan.yml reusable workflow - pass PR base..head revision range from pr-validation.yml - main pipeline retains full-history scan via empty default 🔍 - Generated by Copilot
This was referenced Feb 23, 2026
WilliamBerryiii
pushed a commit
that referenced
this pull request
Feb 28, 2026
## Pre-Release 3.1.44 ### ✨ Features - add Docusaurus 3 documentation site with GitHub Pages deployment (#680) - add workflow permissions validation for OpenSSF Scorecard compliance (#759) - add DT coach return path handoff to task-researcher (#591) (#758) - add DT subagent handoff workflow instructions (#592) (#757) - create dt-method-06-deep.instructions.md (#602) (#748) - create dt-method-05-deep.instructions.md (#747) - add DT-aware task-implementor context instructions (#755) - extract embedded PowerShell from workflows into testable scripts (#738) - add gitleaks binary-based secret scanning as PR gate (#734) - add SBOM generation, attestation, and diff tooling to release pipeline (#730) - add dt-learning-tutor agent for DT education (#662) - add DT image prompt generation guidance for Method 5 (#726) - add DT-aware task-reviewer review context (#714) - add dt-method-next routing prompt (#713) - create dt-method-04-deep.instructions.md (#709) - add Implementation Space exit handoff prompt for DT workflows (#708) - add Write-CIStepSummary markdown table to Test-SHAStaleness github output (#660) - add dt-handoff-solution-space prompt for Solution Spac… (#707) ### 🐛 Bug Fixes - update sidebar link color to meet WCAG AA contrast requirements (#814) - harden even/odd versioning against regression and syntax errors (#816) - replace even/odd versioning with SemVer -rc.N suffixes (#811) - ensure prerelease label exists before PR creation (#806) - replace Docusaurus favicons with Microsoft logo (#808) - add missing subagents and shared instructions to collection manifests (#804) - standardize file path conventions for copilot-tracking output (#784) - enforce project-scoped artifact isolation across DT files (#766) - add top-level permissions to copilot-setup-steps.yml (#760) - update broken file directives and markdown links after collection directory reorg (#743) - add pre-release companion pipeline with even/odd versioning (#735) - exclude auto-generated CHANGELOG.md from spell check (#756) - add job-level permissions to extension-publish.yml (#729) - resolve handoff dependencies using display names (#727) - add job-level permissions to validate-version in extension-publish-prerelease (#731) - replace parent-directory VS Code settings paths with per-subdirectory enumeration (#732) ### 📚 Documentation - add Design Thinking documentation and DT-to-RPI handoff (#789) - add customization guides for HVE Core artifacts (#772) - reconcile documentation against implementation (#771) - document accepted Token-Permissions risks and add lint:dependency-pinning (#763) - add Design Thinking section to hve-core-all collection description (#762) ### ♻️ Refactoring - move collection scripts from plugins to collections (#728) - remove duplicate git diff logic in frontmatter validator (#473) ### 🔧 Maintenance - bump basic-ftp from 5.0.5 to 5.2.0 (#780) - standardize script path references in SKILL.md files (#768) - bump the github-actions group across 1 directory with 2 updates (#752) --- *Managed automatically by pre-release workflow.* Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
WilliamBerryiii
pushed a commit
that referenced
this pull request
Feb 28, 2026
## Pre-Release 3.1.46 ### ✨ Features - add Docusaurus 3 documentation site with GitHub Pages deployment (#680) - add workflow permissions validation for OpenSSF Scorecard compliance (#759) - add DT coach return path handoff to task-researcher (#591) (#758) - add DT subagent handoff workflow instructions (#592) (#757) - create dt-method-06-deep.instructions.md (#602) (#748) - create dt-method-05-deep.instructions.md (#747) - add DT-aware task-implementor context instructions (#755) - extract embedded PowerShell from workflows into testable scripts (#738) - add gitleaks binary-based secret scanning as PR gate (#734) - add SBOM generation, attestation, and diff tooling to release pipeline (#730) - add dt-learning-tutor agent for DT education (#662) - add DT image prompt generation guidance for Method 5 (#726) - add DT-aware task-reviewer review context (#714) - add dt-method-next routing prompt (#713) - create dt-method-04-deep.instructions.md (#709) - add Implementation Space exit handoff prompt for DT workflows (#708) - add Write-CIStepSummary markdown table to Test-SHAStaleness github output (#660) - add dt-handoff-solution-space prompt for Solution Spac… (#707) ### 🐛 Bug Fixes - update prerelease publish to use even/odd convention (#822) - update sidebar link color to meet WCAG AA contrast requirements (#814) - harden even/odd versioning against regression and syntax errors (#816) - replace even/odd versioning with SemVer -rc.N suffixes (#811) - ensure prerelease label exists before PR creation (#806) - replace Docusaurus favicons with Microsoft logo (#808) - add missing subagents and shared instructions to collection manifests (#804) - standardize file path conventions for copilot-tracking output (#784) - enforce project-scoped artifact isolation across DT files (#766) - add top-level permissions to copilot-setup-steps.yml (#760) - update broken file directives and markdown links after collection directory reorg (#743) - add pre-release companion pipeline with even/odd versioning (#735) - exclude auto-generated CHANGELOG.md from spell check (#756) - add job-level permissions to extension-publish.yml (#729) - resolve handoff dependencies using display names (#727) - add job-level permissions to validate-version in extension-publish-prerelease (#731) - replace parent-directory VS Code settings paths with per-subdirectory enumeration (#732) ### 📚 Documentation - add Design Thinking documentation and DT-to-RPI handoff (#789) - add customization guides for HVE Core artifacts (#772) - reconcile documentation against implementation (#771) - document accepted Token-Permissions risks and add lint:dependency-pinning (#763) - add Design Thinking section to hve-core-all collection description (#762) ### ♻️ Refactoring - move collection scripts from plugins to collections (#728) - remove duplicate git diff logic in frontmatter validator (#473) ### 🔧 Maintenance - pre-release 3.1.44 (#819) - bump basic-ftp from 5.0.5 to 5.2.0 (#780) - standardize script path references in SKILL.md files (#768) - bump the github-actions group across 1 directory with 2 updates (#752) --- *Managed automatically by pre-release workflow.* Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This was referenced Mar 1, 2026
This was referenced Mar 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR introduces gitleaks as a binary-based secret scanning gate across both CI pipelines, complementing GitHub's native secret scanning with a locally verified, SHA-pinned binary that produces SARIF output for the Security tab.
Gitleaks Reusable Workflow
A new gitleaks-scan.yml reusable workflow was created with three configurable inputs:
soft-fail,upload-sarif, andupload-artifact. The workflow downloads gitleaks v8.30.0, verifies the tarball against a pinned SHA256 checksum, and runs a full-repository scan in git mode. SARIF output atlogs/gitleaks-results.sarifintegrates with GitHub's Security tab viagithub/codeql-action/upload-sarif.soft-fail), and unexpected errors.gitleaksignorefile is respected when present for suppressing known findingsPipeline Integration
Both pr-validation.yml and main.yml now call the reusable workflow with
soft-fail: falseandupload-sarif: true. The PR pipeline disables artifact upload to reduce storage noise, while the main pipeline retains artifacts for 90 days. The main pipeline's aggregation gate job depends ongitleaks-scancompleting successfully.Threat Model Documentation
The security threat model was updated to reflect expanded coverage. VM-2 now references both GitHub native scanning and the gitleaks PR gate. The workflow coverage table includes a new
main.ymlrow and lists gitleaks as a security check for both pipelines.Related Issue(s)
Closes #260
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md).github/skills/*/SKILL.md)Other:
.ps1,.sh,.py)Sample Prompts (for AI Artifact Contributions)
User Request:
Execution Flow:
Output Artifacts:
Success Indicators:
For detailed contribution requirements, see:
Testing
Automated Validations
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsnpm run lint:md-linksnpm run lint:psnpm run lint:yamlnpm run lint:version-consistencynpm run plugin:generateDiff-Based Assessment
persist-credentials: falseconfirmed on checkout stepcontents: read,security-events: write)Manual Testing
Manual testing was not performed. Workflow execution validates on PR creation and main-branch push.
Checklist
Required Checks
AI Artifact Contributions
/prompt-analyzeto review contributionprompt-builderreviewRequired Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsnpm run lint:md-linksnpm run lint:psnpm run lint:yamlnpm run lint:version-consistencynpm run plugin:generateSecurity Considerations
Additional Notes
The gitleaks workflow respects a
.gitleaksignorefile when present, allowing suppression of known findings. No.gitleaksignorecurrently exists in the repository. If pre-existing secrets are detected during the first pipeline run, create a.gitleaksignoreat the repository root with the finding fingerprints to suppress them.