Skip to content

feat: add Gitleaks config and CI workflow#22

Open
stevefulme1 wants to merge 2 commits intoredhat-cop:mainfrom
stevefulme1:feat/gitleaks-configuration
Open

feat: add Gitleaks config and CI workflow#22
stevefulme1 wants to merge 2 commits intoredhat-cop:mainfrom
stevefulme1:feat/gitleaks-configuration

Conversation

@stevefulme1
Copy link
Copy Markdown
Contributor

@stevefulme1 stevefulme1 commented Apr 6, 2026

Summary

  • Adds .gitleaks.toml with default rules extended by custom Ansible-specific credential detection patterns (OpenShift API keys, Automation Hub tokens, container registry passwords)
  • Configures allowlists for placeholder values (changeme), Jinja2 template variables ({{ }}), Ansible Vault references, example domains, and YAML comments
  • Adds path-based allowlists for defaults/main.yml and inventory.yml where variable declarations use block scalar indicators
  • Adds .github/workflows/gitleaks.yml GitHub Actions workflow to run Gitleaks on pushes to main and all PRs
  • Complements the existing Gitleaks pre-commit hook in .pre-commit-config.yaml

Related

  • Resolves: MFG-376

Test plan

  • Verify gitleaks detect --config .gitleaks.toml --no-git reports no false positives on the current codebase
  • Verify the GitHub Actions workflow triggers on PR creation
  • Test that a commit containing a real secret (e.g., a test API key) is detected and flagged
  • Confirm pre-commit hook still works with the new config file

🤖 Generated with Claude Code

@stevefulme1 @claude
feat: add Gitleaks configuration and CI workflow
a0921de 
Adds .gitleaks.toml with custom rules for Ansible-specific credential
patterns (OpenShift API keys, Automation Hub tokens, container registry
passwords) and allowlists for placeholder values and Jinja2 templates.
Adds a GitHub Actions workflow to run Gitleaks on pushes and PRs.

Resolves: MFG-376

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@stevefulme1 stevefulme1 requested a review from sabre1041 as a code owner April 6, 2026 17:39
@sabre1041
Copy link
Copy Markdown
Contributor

sabre1041 commented Apr 13, 2026

@luizfao @jeffcpullen Would you be able to review the content of this PR?

@jeffcpullen
Copy link
Copy Markdown

jeffcpullen commented Apr 14, 2026
edited
Loading

Not an expert it GitHub actions or Gitleaks, but it looks like what I would expect to see. I appreciate the carve out on specific files with specific criteria "changeme" password placeholders. Going to let this run to review the output.

@jeffcpullen
Copy link
Copy Markdown

jeffcpullen commented Apr 14, 2026

Ok, the run failed with 11 false positives.

10 of the 11 were looking at README.md files that do not contain secrets, but instead are documenting variables. For example, this line triggered Gitleaks.

<b>vm_ssh_openshift_api_key:</b> OpenShift API Key

The last one triggered the 'create_mf_aap_token_openshift_api_key' variable becuase it uses a multi-line YAML format.

    - name: Set fact with Service Account API key
      ansible.builtin.set_fact:
        create_mf_aap_token_openshift_api_key: >-
          "{{ create_mf_aap_token_migration_factory_aap_sa_token.resources[0].data.token | b64decode }}"
      no_log: "{{ create_mf_aap_token_secure_logging }}"

@stevefulme1 @claude
fix: resolve 11 gitleaks false positives on README and YAML files
deaa285 
Add allowlists for docsible-generated README.md variable documentation
(HTML bold tags), multi-line YAML block scalars (>- / |) where values
are Jinja2 templates on the following line, and task files that reference
credential variable names without containing actual secrets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@stevefulme1
Copy link
Copy Markdown
Contributor Author

stevefulme1 commented Apr 14, 2026

@jeffcpullen Thanks for running it and flagging those! I've pushed a fix (deaa285) that resolves all 11 false positives:

Changes to .gitleaks.toml:

  1. Added README.md to the global path allowlist — these files contain docsible-generated variable documentation (e.g., <b>vm_ssh_openshift_api_key:</b> OpenShift API Key), not actual secrets
  2. Added <b>.*</b> regex allowlist — catches the HTML bold tag pattern used to document variable names in READMEs
  3. Added [>|][+-]?\s*$ regex allowlist — catches multi-line YAML block scalars (>-, |, etc.) where the value is a Jinja2 template on the following line (e.g., create_mf_aap_token_openshift_api_key: >-)
  4. Extended per-rule path allowlists — added README.md and tasks/main.yml to the openshift-api-key and container-registry-password rules

Verified locally: gitleaks detect --config .gitleaks.toml -v now returns 0 leaks across all 43 commits.

sabre1041
sabre1041 approved these changes Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@sabre1041 sabre1041 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sabre1041 sabre1041 sabre1041 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@stevefulme1 @sabre1041 @jeffcpullen