Add Gitleaks secrets scanning starter workflow

Adds a code-scanning workflow template for Gitleaks, an open-source SAST
tool that detects hardcoded secrets (API keys, passwords, tokens) in Git
history. Fills the secrets-detection gap in the code-scanning category.

- Pins gitleaks/gitleaks-action to SHA for v2.3.9 per contributing guidelines
- Fetches full Git history (fetch-depth: 0) so all commits are scanned
- Outputs SARIF and uploads results to the GitHub Security tab
- Documents the optional GITLEAKS_LICENSE for private org repositories
- Uses least-privilege permissions (contents: read, security-events: write)

https://claude.ai/code/session_01WzSXen2DnNGjMfcavyMuVt

Author: claude

code-scanning/gitleaks.yml

@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Gitleaks is an open-source SAST tool for detecting secrets (API keys,
+# passwords, tokens) committed to a Git repository.
+# See https://github.com/gitleaks/gitleaks
+
+name: Gitleaks
+
+on:
+  push:
+    branches: [ $default-branch, $protected-branches ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ $default-branch ]
+  schedule:
+    - cron: $cron-daily
+
+permissions:
+  contents: read
+
+jobs:
+  gitleaks:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          # Fetch full history so Gitleaks can scan all commits, not just HEAD
+          fetch-depth: 0
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # GITLEAKS_LICENSE is required for scanning private repositories in GitHub organizations.
+          # Sign up at https://gitleaks.io to obtain a license key and add it as a repository secret.
+          # GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+        with:
+          args: --exit-code=0 --report-format=sarif --report-path=gitleaks.sarif
+
+      - name: Upload Gitleaks scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: gitleaks.sarif

code-scanning/properties/gitleaks.properties.json

@@ -0,0 +1,7 @@
+{
+    "name": "Gitleaks",
+    "creator": "Gitleaks",
+    "description": "Detect hardcoded secrets like passwords, API keys, and tokens in your Git repository using Gitleaks.",
+    "iconName": "octicon key",
+    "categories": ["Code Scanning", "Security"]
+}