[cicd] Add Secret Scanner #394

Open

sapiderman wants to merge 7 commits into hyperjumptech:main from sapiderman:add-static-scanner

Conversation

@sapiderman (Collaborator) commented May 7, 2026

Summary

Prevent accidentally pushing secrets to the repository

Checklist (.cursor rules)

  • I ran pnpm code-quality locally and it passed.
  • I ran pnpm cursor:review -- --base origin/main --head HEAD (or equivalent SHAs) and fixed any issues.
  • Reuse before create: I searched for existing components/utilities and reused or extended them instead of duplicating patterns.
  • Route actions / handlers: If I added or changed route.*.config.ts files, I followed the route-action-gen workflow (config + generator + tests).
  • Agent Data API: If I touched agent-data-api routes, the shared contract, or the SDK, I updated schemas, manifest, handlers, consumers, and dev-docs/docs/mediapulse/apps/agent-data-api.mdx together.
  • Docs: I updated dev-docs when behavior or contracts changed.

Notes for reviewers

@sapiderman sapiderman requested a review from kevin-hyperjump May 7, 2026 02:29
@sapiderman (Collaborator, Author) commented

This is failing as expected, as it is run from a fork, so the gitleaks_license is not exposed. It should run OK in main.

@kevinhermawan (Contributor) left a comment

Thanks for adding secret scanning. One blocker before approval: currently fails on forked PRs because fork runs don't get and/or write permissions for PR comments, but the workflow enforces failure ( + ). This makes external/fork contributions permanently red even when no secrets are found. Please make fork runs non-blocking (or disable comments/license-dependent behavior on forks) and keep blocking behavior for trusted branches.

@kevinhermawan (Contributor) commented

Clarification: the blocker is that Gitleaks Scan depends on GITLEAKS_LICENSE and PR comment permissions, which are unavailable on forked PRs. Because the workflow later enforces failure when gitleaks fails, fork PRs stay red even if there are no leaks. Please gate license/comment features for forks (or make fork runs non-blocking) while keeping strict enforcement on trusted branches.
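The gating the review asks for (the scan always runs, but PR comments and hard failure only apply where the token and license are actually available), as an added example rather than this PR's own workflow. It assumes the Gitleaks Scan step is gitleaks/gitleaks-action@v2, whose GITLEAKS_ENABLE_COMMENTS variable switches PR comments off; the workflow name and the IS_FORK variable are hypothetical.

```yaml
name: Secret Scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  pull-requests: write   # on fork PRs GITHUB_TOKEN is read-only regardless

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    # A PR whose head repository differs from the base repository is a fork.
    # Fork runs receive no repository secrets (GITLEAKS_LICENSE is empty) and
    # cannot write PR comments, so the scan is advisory there and strict elsewhere.
    env:
      IS_FORK: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so every commit in the PR is scanned

      - name: Gitleaks Scan
        uses: gitleaks/gitleaks-action@v2
        # Non-blocking on forks only; a leak on a trusted branch still fails the job.
        continue-on-error: ${{ env.IS_FORK == 'true' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
          # Skip PR comments on forks, where the token lacks write access.
          GITLEAKS_ENABLE_COMMENTS: ${{ env.IS_FORK == 'true' && 'false' || 'true' }}
```

A finding on a fork PR then shows up as a warning in the job log and the Actions summary instead of a red check, while the same finding on a push to main or a same-repo branch fails the workflow.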

@sapiderman sapiderman requested a review from kevinhermawan May 17, 2026 18:59
@sapiderman (Collaborator, Author) commented

> Clarification: the blocker is that Gitleaks Scan depends on GITLEAKS_LICENSE and PR comment permissions, which are unavailable on forked PRs. Because the workflow later enforces failure when gitleaks fails, fork PRs stay red even if there are no leaks. Please gate license/comment features for forks (or make fork runs non-blocking) while keeping strict enforcement on trusted branches.

fixed.
