Add gitleaks secret scan #2
| Original file line number | Diff line number | Diff line change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,9 @@ | ||||||||||||
| name: Secret scan | ||||||||||||
| on: | ||||||||||||
| pull_request: | ||||||||||||
| push: | ||||||||||||
| branches: [main, master] | ||||||||||||
|
|
||||||||||||
| jobs: | ||||||||||||
| scan: | ||||||||||||
|
||||||||||||
| scan: | |
| scan: | |
| permissions: | |
| contents: read | |
| pull-requests: read |
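Review bot: the job-level `permissions:` block under `scan:` (`contents: read`, `pull-requests: read`) is the right least-privilege default, but a called reusable workflow can only receive the caller's permissions or a subset of them, so if `secret-scan.yml` needs to post a PR comment or upload results to code scanning it will fail on token scope rather than silently skip; confirm what the called workflow actually needs before merging. Also note the asymmetry in the triggers: `pull_request:` has no `branches` filter, so PRs against any base branch are scanned, while `push:` is limited to `[main, master]`, so direct pushes to any other branch are not; if that is intended, say so in the PR description.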
Copilot AI · Apr 23, 2026
The reusable workflow is referenced with @main, which can change over time and introduces a supply-chain risk (a compromised or buggy update would affect this repo immediately). Pin the uses: ref to a tagged release or a specific commit SHA and update it intentionally when you want new behavior.
| uses: Talieisin/.github/.github/workflows/secret-scan.yml@main | |
| uses: Talieisin/.github/.github/workflows/secret-scan.yml@0123456789abcdef0123456789abcdef01234567 |
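A way to catch unpinned refs like the `@main` above across a whole repository, as an added example that is not part of this PR or of the Talieisin/.github project: a small Python script that flags every `uses:` reference whose ref is not a full 40-hex commit SHA, and rewrites a line to a SHA while keeping the old ref as a trailing comment so reviewers can still see which version it corresponds to. The embedded sample workflow is constructed from this PR's file plus a hypothetical `lint` job (an `actions/checkout` step with a placeholder SHA, a local action, and `some-org/some-action@v2`). The SHA for a real pin must be resolved separately, for example with `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>`; tags are reported as unpinned too, because a tag can be moved just like a branch.

```python
import re
from typing import List, Tuple

# Matches a `uses:` reference at step level (`- uses:`) or job level (`uses:`)
# in a GitHub Actions workflow and captures the target and the ref after '@'.
# Local actions (./path) carry no '@' and are skipped by the regex itself.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^@"\'\s]+)@([^"\'\s#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample: the workflow from this PR plus a hypothetical `lint` job.
SAMPLE_WORKFLOW = """\
name: Secret scan
on:
  pull_request:
  push:
    branches: [main, master]

jobs:
  scan:
    permissions:
      contents: read
      pull-requests: read
    uses: Talieisin/.github/.github/workflows/secret-scan.yml@main
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: ./.github/actions/local-lint
      - uses: some-org/some-action@v2
"""


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, target, ref) for every `uses:` whose ref is not a
    full commit SHA. Branch names and tags are both reported: only a commit
    SHA is immutable. Docker references are skipped because they are pinned
    by image digest (`docker://image@sha256:...`), not by git SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, ref = m.group(1), m.group(2)
        if target.startswith("docker://"):
            continue
        if not FULL_SHA_RE.match(ref):
            findings.append((lineno, target, ref))
    return findings


def pin_uses_line(line: str, sha: str) -> str:
    """Rewrite one `uses:` line to the given commit SHA and record the previous
    ref as a trailing comment. The SHA must be resolved out of band (e.g. with
    `git ls-remote`); this function only validates its shape."""
    if not FULL_SHA_RE.match(sha):
        raise ValueError("sha must be a full 40-hex lowercase commit SHA")
    m = USES_RE.match(line)
    if not m:
        raise ValueError("not a `uses:` line with an @ref")
    old_ref = m.group(2)
    start, end = m.span(2)  # replace only the ref, keep indentation and target
    return f"{line[:start]}{sha}{line[end:].rstrip()}  # was {old_ref}"


if __name__ == "__main__":
    # Usage: report every unpinned reference in the constructed sample.
    for lineno, target, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target}@{ref} is not pinned to a commit SHA")
```

Run it over `.github/workflows/*.yml` in CI to fail the build on any unpinned `uses:`; the trailing `# was <ref>` comment is the usual convention so that tools and reviewers can still tell which release a SHA corresponds to.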
The PR description says this runs on push to the default branch, but the workflow is hard-coded to only run on pushes to `main` or `master`. If this repo’s default branch is different (or gets renamed), pushes won’t be scanned. Update `on.push.branches` to match the actual default branch for this repo (and avoid listing branches you don’t intend to support).