Skip to content

Commit c228181

Browse files
turbomamclaude
andauthored
Add gitleaks secret scanning (CI) (#527)
* Add gitleaks secret scanning (CI) GitHub native secret scanning and gitleaks' default rules miss NCBO BioPortal API keys because they are bare UUIDs with no provider prefix, so flagging them generically would be pure noise. Add gitleaks in CI with the community default ruleset plus one BioPortal-specific rule keyed on the apikey context. The scan runs on new commits per PR/push (not full history, which is dominated by false positives in ontology data). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * Fix checkout pin to commit SHA + persist-credentials: false (zizmor) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * gitleaks: handle whitespace around token= and case-insensitive domain Addresses Copilot review on #527: - rule 1: allow optional whitespace around 'token =' so 'apikey token = <uuid>' is caught (the no-space 'apikey token=<uuid>' form already matched). - rule 2: add '(?i)' so case variants of the bioontology.org domain are caught. Validated with gitleaks 8.30.1: all documented BioPortal key forms flagged, contextless bare UUID not flagged. Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 8275b90 commit c228181

2 files changed

Lines changed: 81 additions & 0 deletions

File tree

.github/workflows/secret-scan.yml

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
name: secret-scan
2+
3+
# Scans NEW commits on every PR and push for committed credentials, using
4+
# gitleaks with the repo's .gitleaks.toml (default rules + a BioPortal/NCBO
5+
# API-key rule that GitHub's native secret scanning misses because the key is
6+
# a bare UUID). This gates new leaks; secrets already in history are handled by
7+
# rotation, not by failing CI forever, so the scan is limited to the new range.
8+
9+
on:
10+
pull_request:
11+
push:
12+
branches: [main]
13+
14+
permissions:
15+
contents: read
16+
17+
jobs:
18+
gitleaks:
19+
runs-on: ubuntu-latest
20+
steps:
21+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
22+
with:
23+
fetch-depth: 0
24+
persist-credentials: false
25+
26+
- name: Install gitleaks
27+
env:
28+
GITLEAKS_VERSION: 8.30.1
29+
run: |
30+
set -euo pipefail
31+
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
32+
| tar -xz -C /usr/local/bin gitleaks
33+
gitleaks version
34+
35+
- name: Scan new commits
36+
env:
37+
EVENT: ${{ github.event_name }}
38+
PR_BASE: ${{ github.event.pull_request.base.sha }}
39+
PR_HEAD: ${{ github.event.pull_request.head.sha }}
40+
PUSH_BEFORE: ${{ github.event.before }}
41+
PUSH_HEAD: ${{ github.sha }}
42+
run: |
43+
set -euo pipefail
44+
if [ "$EVENT" = "pull_request" ]; then
45+
RANGE="$PR_BASE..$PR_HEAD"
46+
elif [ -n "$PUSH_BEFORE" ] && [ "$PUSH_BEFORE" != "0000000000000000000000000000000000000000" ]; then
47+
RANGE="$PUSH_BEFORE..$PUSH_HEAD"
48+
else
49+
RANGE=""
50+
fi
51+
if [ -n "$RANGE" ]; then
52+
echo "Scanning commit range: $RANGE"
53+
gitleaks detect --source . --config .gitleaks.toml --redact --no-banner --log-opts="$RANGE"
54+
else
55+
echo "No prior ref; scanning full tree"
56+
gitleaks detect --source . --config .gitleaks.toml --redact --no-banner
57+
fi

.gitleaks.toml

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
# Gitleaks configuration for metpo.
2+
#
3+
# Extends the built-in ruleset and adds rules for credentials that gitleaks'
4+
# default rules miss because they are bare UUIDs with no provider prefix. The
5+
# motivating case: NCBO BioPortal / BioOntology API keys are plain UUIDs
6+
# (e.g. in a `?apikey=<uuid>` URL or a `BIOPORTAL_API_KEY=<uuid>` assignment).
7+
# GitHub's native secret scanning and most default rules skip bare UUIDs to
8+
# avoid false positives, so the only reliable signal is the apikey CONTEXT.
9+
title = "metpo gitleaks config"
10+
11+
[extend]
12+
useDefault = true
13+
14+
[[rules]]
15+
id = "bioportal-ncbo-api-key"
16+
description = "BioPortal / NCBO BioOntology API key (UUID in an apikey context)"
17+
regex = '''(?i)(?:bioportal[_-]?(?:api[_-]?key|token)|api[_-]?key|apikey)["'\s:=>]{0,4}(?:token\s*=\s*)?[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'''
18+
keywords = ["apikey", "api_key", "bioportal", "bioontology"]
19+
20+
[[rules]]
21+
id = "bioportal-ncbo-apikey-url"
22+
description = "BioPortal / NCBO API key embedded in a bioontology.org URL"
23+
regex = '''(?i)bioontology\.org[^\s"'<>]*apikey=[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'''
24+
keywords = ["bioontology"]

0 commit comments

Comments
 (0)