feat: add Gitleaks config and CI workflow #22

Open
stevefulme1 wants to merge 1 commit into redhat-cop:main from stevefulme1:feat/gitleaks-configuration

Conversation

@stevefulme1

Summary

  • Adds .gitleaks.toml with default rules extended by custom Ansible-specific credential detection patterns (OpenShift API keys, Automation Hub tokens, container registry passwords)
  • Configures allowlists for placeholder values (changeme), Jinja2 template variables ({{ }}), Ansible Vault references, example domains, and YAML comments
  • Adds path-based allowlists for defaults/main.yml and inventory.yml where variable declarations use block scalar indicators
  • Adds .github/workflows/gitleaks.yml GitHub Actions workflow to run Gitleaks on pushes to main and all PRs
  • Complements the existing Gitleaks pre-commit hook in .pre-commit-config.yaml

Related

  • Resolves: MFG-376

Test plan

  • Verify gitleaks detect --config .gitleaks.toml --no-git reports no false positives on the current codebase
  • Verify the GitHub Actions workflow triggers on PR creation
  • Test that a commit containing a real secret (e.g., a test API key) is detected and flagged
  • Confirm pre-commit hook still works with the new config file

🤖 Generated with Claude Code

Adds .gitleaks.toml with custom rules for Ansible-specific credential
patterns (OpenShift API keys, Automation Hub tokens, container registry
passwords) and allowlists for placeholder values and Jinja2 templates.
Adds a GitHub Actions workflow to run Gitleaks on pushes and PRs.

Resolves: MFG-376

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sabre1041
Contributor

@luizfao @jeffcpullen Would you be able to review the content of this PR?

@jeffcpullen

jeffcpullen commented Apr 14, 2026

Not an expert in GitHub Actions or Gitleaks, but it looks like what I would expect to see. I appreciate the carve-out on specific files with specific criteria "changeme" password placeholders. Going to let this run to review the output.

@jeffcpullen

Ok, the run failed with 11 false positives.

10 of the 11 were looking at README.md files that do not contain secrets, but instead are documenting variables. For example, this line triggered Gitleaks.

    vm_ssh_openshift_api_key: OpenShift API Key

The last one triggered on the 'create_mf_aap_token_openshift_api_key' variable because it uses a multi-line YAML format.

    - name: Set fact with Service Account API key
      ansible.builtin.set_fact:
        create_mf_aap_token_openshift_api_key: >-
          "{{ create_mf_aap_token_migration_factory_aap_sa_token.resources[0].data.token | b64decode }}"
      no_log: "{{ create_mf_aap_token_secure_logging }}"
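An illustrative `.gitleaks.toml` covering the mechanics the PR description lists (default rules extended by a custom credential rule, allowlists for `changeme`, Jinja2 expressions, Vault references, example domains and YAML comments, path allowlists for `defaults/main.yml` and `inventory.yml`) and the two false-positive classes reported in the review above: README lines that only document a variable, and block-scalar assignments. This is an added example, not the file from PR #22; the rule id, the regex and the paths are assumptions. The custom rule's capture group accepts only a single whitespace-free token of 20+ characters, so a documentation line such as `vm_ssh_openshift_api_key: OpenShift API Key` does not match it, and a `>-` block scalar leaves no literal on the declaring line for the group to capture. It uses the single-table `[rules.allowlist]` form of the gitleaks v8 config.

```toml
# Illustrative .gitleaks.toml (added example, not the file from PR #22).
# Rule id, regex, and paths are assumptions made to show the mechanics.
title = "Ansible collection secret scanning (illustrative)"

# Keep the upstream default ruleset; the rule below is added on top of it.
[extend]
useDefault = true

# Custom rule: a literal token assigned to a *_openshift_api_key variable.
# Capture group 1 must be one token of 20+ characters with no whitespace,
# so a README line that only documents the variable, e.g.
#   vm_ssh_openshift_api_key: OpenShift API Key
# does not match ("OpenShift API Key" contains spaces), and a block-scalar
# declaration (`key: >-`) leaves nothing on the declaring line to capture.
# The `~` in the class covers the `sha256~` prefix of OpenShift tokens.
[[rules]]
id = "ansible-openshift-api-key"
description = "Literal OpenShift API key assigned to an *_openshift_api_key variable"
regex = '''(?i)[a-z0-9_]*openshift_api_key["']?\s*[:=]\s*["']?([a-z0-9._~\-]{20,})["']?'''
secretGroup = 1
# Drop low-entropy matches such as a run of x's used as a placeholder.
entropy = 3.0
# Gitleaks only evaluates the regex on content containing one of these.
keywords = ["openshift_api_key"]

  # Rule-scoped allowlist, checked against the whole line of the finding.
  [rules.allowlist]
  regexTarget = "line"
  regexes = [
    '''\{\{[^}]*\}\}''',   # Jinja2 expression, resolved at runtime
    '''!vault''',          # Ansible Vault reference
    '''(?i)changeme''',    # documented placeholder value
  ]

# Global allowlist, applied to the default rules as well as the one above.
[allowlist]
description = "Placeholders, templates, comments and block-scalar declaration files"
regexTarget = "line"
regexes = [
  '''^\s*#''',                                # YAML comment lines
  '''\{\{[^}]*\}\}''',                        # Jinja2 template variables
  '''!vault\s*\|''',                          # Ansible Vault encrypted block
  '''(?i)changeme''',                         # placeholder credential values
  '''[a-z0-9.-]+\.example\.(com|net|org)''',  # example domains in docs
]
# Path allowlists are broad: nothing in these files is ever reported, so
# limit them to files whose hits are known to be declarations only.
paths = [
  '''(^|/)defaults/main\.yml$''',
  '''(^|/)inventory\.yml$''',
]
```

Run it the way the test plan does, `gitleaks detect --config .gitleaks.toml --no-git`, and compare the findings before and after a change. Tightening the value group of a rule is the preferred fix for documentation hits, because it keeps scanning the file; adding `README.md` to `paths` would also silence the ten README findings above, but at the cost of never reporting a real secret pasted into a README.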
