Add gitleaks + internal-specifics secret-scan CI (privacy guardrail) #116

Description

@hartsock

Add a security-audit GitHub Actions workflow to guard against committing secrets
or internal/operational specifics — a privacy guardrail that matters most for
public repos.

What to add (reference implementation: Gilamonster-Foundation/nessie-identity)

  • gitleaks secret scan run via the open-source binary (pin e.g. v8.30.1).
    Do not use the gitleaks-action wrapper — it requires a paid
    GITLEAKS_LICENSE for organization repos; the binary is free for everyone.
  • An internal-specifics linter (scripts/check-internal-specifics.sh) that
    fails on real private IPs (RFC1918 / CGNAT), internal TLDs, overlay-network
    hostnames, directory realms, and personal emails — while allowing RFC 5737 /
    example.* placeholders through.
  • .gitleaks.toml allowlisting the documentation placeholders.
  • .pre-commit-config.yaml mirroring the checks locally before commit.
  • SECURITY.md + docs/PRIVACY.md describing the public/private split and the
    placeholder rules.
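A minimal linter of the kind the second bullet describes, as an added example that is not the project's scripts/check-internal-specifics.sh: it flags RFC 1918 / CGNAT addresses, hostnames under private-only suffixes and consumer-mail addresses, while RFC 5737 and example.* placeholders pass. The suffix and mail-provider lists are assumptions; overlay-network hostnames and directory realms are not covered.

```bash
#!/usr/bin/env bash
# Added example of an internal-specifics linter in the spirit of the
# scripts/check-internal-specifics.sh described above; it is not the
# project's script. The internal TLD and mail-provider lists are assumptions.
set -u

# RFC 1918 (10/8, 172.16/12, 192.168/16) plus RFC 6598 CGNAT (100.64/10).
# The boundary groups stop "110.0.0.1" or the last octet of "192.0.2.10"
# from matching; RFC 5737 documentation ranges (192.0.2/24, 198.51.100/24,
# 203.0.113/24) lie outside these blocks, so placeholders pass unaided.
OCT='[0-9]{1,3}'
PRIVATE_IP="(^|[^0-9.])(10\.$OCT\.$OCT\.$OCT|172\.(1[6-9]|2[0-9]|3[01])\.$OCT\.$OCT|192\.168\.$OCT\.$OCT|100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.$OCT\.$OCT)([^0-9]|$)"

# Hostnames under suffixes that only resolve on a private network (assumed
# list). example.com/.net/.org are not listed, so placeholders pass.
INTERNAL_HOST='[A-Za-z0-9-]+\.(internal|intranet|lan|local|corp|home)([^A-Za-z0-9-]|$)'

# Mailboxes at consumer providers (assumed list); user@example.com passes.
PERSONAL_EMAIL='[A-Za-z0-9._%+-]+@(gmail|googlemail|yahoo|hotmail|outlook|live|icloud|proton|protonmail)\.[a-z]{2,}'

# report_matches CATEGORY PATTERN: read text on stdin, print every hit as
# "CATEGORY:lineno:text". Exit 0 if something matched, 1 if clean.
report_matches() {
  local out
  out=$(grep -nE "$2") || return 1
  printf '%s\n' "$out" | sed "s/^/$1:/"
}

# scan_text: read a file's contents on stdin, run every category, and return
# 1 when anything was found (so the CI job fails), 0 when clean.
scan_text() {
  local input status=0
  input=$(cat)
  printf '%s\n' "$input" | report_matches private-ip "$PRIVATE_IP" && status=1
  printf '%s\n' "$input" | report_matches internal-host "$INTERNAL_HOST" && status=1
  printf '%s\n' "$input" | report_matches personal-email "$PERSONAL_EMAIL" && status=1
  return "$status"
}

# Constructed sample: real private specifics mixed with the RFC 5737 and
# example.* placeholders that the gate must let through.
SAMPLE='Connect to the bastion at 10.42.7.9 and the NAS at nas01.corp.
Mesh peers use 100.64.12.3; docs may use 192.0.2.10 and 203.0.113.5 freely.
Contact ops@example.com, not jdoe@gmail.com.
Public address 8.8.8.8 and host www.example.org are fine.'

# Stand-alone demo: prints four findings and reports that the gate would fail.
printf '%s\n' "$SAMPLE" | scan_text || echo "internal specifics found: CI gate fails"
```

In CI the same function would run over `git ls-files` output, with the pre-commit hook invoking it on the staged files.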

Notes

  • Run the secret-scan/privacy gate on GitHub-hosted runners (reliable,
    isolated, free for public repos).
  • Pin actions to a Node 24 major (e.g. actions/checkout@v5).

Tracking issue only — no automated changes have been made.