5

workflows-secret-scanning

Jonathan Miller edited this page 2026-06-21 05:40:38 +00:00

Table of Contents

• Secret Scanning (Gitleaks)
• Overview
• Triggers
• What It Detects
• Notifications
• Configuration
• Allowlisting False Positives
• Related Documentation
• Changelog

← Home

Secret Scanning (Gitleaks)

Status: ✅ Active | Version: 01.00.00 | Last Updated: 2026-05-07

Overview

Scans repositories for leaked secrets (API keys, tokens, passwords, private keys) using Gitleaks. Deployed to all governed repositories.

Triggers

Trigger	Scope
PR to main/dev/**	Scans PR commits only (incremental)
Weekly Monday 05:00 UTC	Full repository history scan
Manual dispatch	Full scan

What It Detects

• API keys and tokens (AWS, GCP, Azure, GitHub, MokoGitea, etc.)
• Private keys (RSA, SSH, PGP)
• Database connection strings
• OAuth client secrets
• JWT tokens
• Generic high-entropy strings

Notifications

Findings trigger an urgent ntfy alert to the gitea-security topic with instructions to rotate credentials immediately.

Configuration

The workflow uses Gitleaks' built-in rules. To add custom rules or allowlists, create a .gitleaks.toml in the repo root.

Allowlisting False Positives

# .gitleaks.toml
[allowlist]
  paths = [
    '''vendor/''',
    '''node_modules/'''
  ]
  commits = [
    "abc123..."
  ]

Related Documentation

• Security Audit (Dependencies)
• Branch Protection

Changelog

Version	Date	Changes
01.00.00	2026-05-07	Initial release

---

Repo: mokocli · mokocli wiki

Field	Value
Minimum Version	04.07.00
Platform	all
Applies To	All repositories

Revision	Date	Author	Description
1.0	2026-05-08	Moko Consulting	Initial version

Pages

• AUTO-CREATE-ORG-PROJECTS
• Branching-Strategy
• CLI-AUTOMATION
• Coding-Standards
• DEPLOY-SCRIPTS
• DOLIBARR-MODULE-IDS
• DRY-RUN-PATTERN
• Documentation-Standards
• File-Header-Standards
• JOOMLA-SYNC
• LEGAL-DOC-GENERATOR-WEB-README
• MONITORING-SCRIPTS
• NEW-SCRIPTS
• QUICKSTART-ORG-PROJECTS
• RELEASE-MANAGEMENT
• Version-Standard
• WIKI-STANDARDS
• WORKFLOW-STANDARDS
• api-maintenance-index
• api-plugin-index
• api-tests-index
• api-tests-sample-index
• automation-README
• automation-branch-version-automation
• automation-repo-cleanup
• client-repos
• features
  • AUTO-BUMP
  • UPDATE-SERVER
  • Update-Server-Migration-Protocol
• operations
  • DEPLOY-SCRIPTS
  • DEPLOY_SCRIPTS
• reference
  • BULK-OPERATIONS
  • RUNNERS
  • VALIDATION
• standards-mokostandards-file-spec
• templates-client-waas
• templates-dolibarr
• templates-generic
• templates-mcp
• unnamed
• workflows-README
• workflows-auto-release
• workflows-branch-protection
• workflows-build-release
• workflows-cascade-dev
• workflows-changelog-management
• workflows-demo-deployment
• workflows-dev-branch-tracking
• workflows-dev-deployment
• workflows-index
• workflows-release-system
• workflows-renovate
• workflows-reusable-workflows
• workflows-rs-deployment
• workflows-secret-scanning
• workflows-shared-workflows
• workflows-standards-compliance
• workflows-static-analysis
• workflows-sub-issue-management
• workflows-update-server
• workflows-workflow-architecture
• workflows
  • Composer-Publishing