Page: workflows-secret-scanning.-
Jonathan Miller edited this page 2026-06-06 22:59:24 +00:00
Secret Scanning (Gitleaks)
Status: ✅ Active | Version: 01.00.00 | Last Updated: 2026-05-07
Overview
Scans repositories for leaked secrets (API keys, tokens, passwords, private keys) using Gitleaks. Deployed to all governed repositories.
Triggers
| Trigger | Scope |
|---|---|
| PR to main/dev/** | Scans PR commits only (incremental) |
| Weekly Monday 05:00 UTC | Full repository history scan |
| Manual dispatch | Full scan |
What It Detects
- API keys and tokens (AWS, GCP, Azure, GitHub, MokoGitea, etc.)
- Private keys (RSA, SSH, PGP)
- Database connection strings
- OAuth client secrets
- JWT tokens
- Generic high-entropy strings
Notifications
Findings trigger an urgent ntfy alert to the gitea-security topic with instructions to rotate credentials immediately.
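As an added example (not the project's own workflow script), the POSIX shell below maps the three triggers in the table above to the matching `gitleaks detect` invocation: a pull request scans only the commits between the PR base and head via `--log-opts`, while the weekly schedule and manual dispatch omit that option and scan the full history. It then raises the urgent ntfy alert described under Notifications. The environment variable names NTFY_URL, PR_BASE_SHA, PR_HEAD_SHA and REPO_NAME, and the `run` entry point, are assumptions of this example; the gitleaks flags and the ntfy request headers are the tools' documented ones.

```shell
#!/bin/sh
# Added example; not the mokoplatform workflow's own script.
# NTFY_URL, PR_BASE_SHA, PR_HEAD_SHA and REPO_NAME are assumed names.

# gitleaks_args EVENT [BASE_SHA HEAD_SHA]
# Prints the argument list for `gitleaks detect` that matches the trigger table:
#   pull_request          -> incremental: only commits reachable from HEAD but not BASE
#   schedule / dispatch   -> full repository history (no --log-opts)
gitleaks_args() {
    event="${1:-}"; base="${2:-}"; head="${3:-}"
    # --redact keeps the secret value itself out of logs and the JSON report.
    common="detect --source . --redact --no-banner --exit-code 1 --report-format json --report-path gitleaks-report.json"
    case "$event" in
        pull_request)
            [ -n "$base" ] && [ -n "$head" ] || { echo "pull_request needs BASE and HEAD sha" >&2; return 2; }
            echo "$common --log-opts=$base..$head"
            ;;
        schedule|workflow_dispatch)
            echo "$common"
            ;;
        *)
            echo "unsupported event: $event" >&2
            return 2
            ;;
    esac
}

# notify_finding COUNT REPO
# Posts an urgent message to the gitea-security topic on the ntfy server.
# Title, Priority and Tags are ntfy's documented request headers.
notify_finding() {
    count="$1"; repo="$2"
    curl -fsS \
        -H "Title: Secret scanning: $count finding(s) in $repo" \
        -H "Priority: urgent" \
        -H "Tags: rotating_light" \
        -d "Gitleaks found $count leaked secret(s) in $repo. Rotate the affected credentials immediately; removing them from history is not enough." \
        "${NTFY_URL:?set NTFY_URL to the ntfy server base URL}/gitea-security"
}

# Entry point: ./scan.sh run EVENT   (PR shas are read from PR_BASE_SHA / PR_HEAD_SHA)
if [ "${1:-}" = "run" ]; then
    args=$(gitleaks_args "${2:-}" "${PR_BASE_SHA:-}" "${PR_HEAD_SHA:-}") || exit 2
    # shellcheck disable=SC2086 -- word splitting of $args is intended
    if gitleaks $args; then
        echo "no secrets found"
    else
        # Each finding in the JSON report carries a RuleID; "?" if the report is missing.
        count=$(grep -c '"RuleID"' gitleaks-report.json 2>/dev/null || echo "?")
        notify_finding "$count" "${REPO_NAME:-unknown-repo}"
        exit 1
    fi
fi
```

The incremental path needs a full-depth checkout so that the PR base commit is present in the working clone; with a shallow clone the `base..head` range cannot be resolved and the scan errors out rather than silently passing.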
Configuration
The workflow uses Gitleaks' built-in rules. To add custom rules or allowlists, create a .gitleaks.toml in the repo root.
Allowlisting False Positives
```toml
# .gitleaks.toml
[extend]
# Keep Gitleaks' built-in rules; without this a custom config replaces them entirely.
useDefault = true

[allowlist]
# Entries in paths are regular expressions matched against the file path.
paths = [
  '''vendor/''',
  '''node_modules/'''
]
commits = [
  "abc123..."
]
```
Related Documentation
Changelog
| Version | Date | Changes |
|---|---|---|
| 01.00.00 | 2026-05-07 | Initial release |
Repo: mokoplatform · mokoplatform wiki
| Field | Value |
|---|---|
| Minimum Version | 04.07.00 |
| Platform | all |
| Applies To | All repositories |
| Revision | Date | Author | Description |
|---|---|---|---|
| 1.0 | 2026-05-08 | Moko Consulting | Initial version |