Public Access
38c2536c7b
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1.9 KiB
1.9 KiB
Secret Scanning (Gitleaks)
Status: ✅ Active | Version: 01.00.00 | Last Updated: 2026-05-07
Overview
Scans repositories for leaked secrets (API keys, tokens, passwords, private keys) using Gitleaks. Deployed to all governed repositories.
Triggers
| Trigger | Scope |
|---|---|
| PR to main/dev/** | Scans PR commits only (incremental) |
| Weekly Monday 05:00 UTC | Full repository history scan |
| Manual dispatch | Full scan |
What It Detects
- API keys and tokens (AWS, GCP, Azure, GitHub, Gitea, etc.)
- Private keys (RSA, SSH, PGP)
- Database connection strings
- OAuth client secrets
- JWT tokens
- Generic high-entropy strings
Notifications
Findings trigger an urgent ntfy alert to the gitea-security topic with instructions to rotate credentials immediately.
Configuration
The workflow uses Gitleaks' built-in rules. To add custom rules or allowlists, create a .gitleaks.toml in the repo root.
Allowlisting False Positives
# .gitleaks.toml
[allowlist]
paths = [
'''vendor/''',
'''node_modules/'''
]
commits = [
"abc123..."
]
Related Documentation
Changelog
| Version | Date | Changes |
|---|---|---|
| 01.00.00 | 2026-05-07 | Initial release |