Test Gitleaks workflow

Author: BreakableHoodie

.github/docs/gitleaks-response.md

@@ -0,0 +1,34 @@
+# Gitleaks Response Guide
+
+When this workflow comments on your pull request, it means Gitleaks spotted something that looks like a credential. The build stays green, but secrets must be handled quickly and carefully.
+
+## Quick Checklist
+
+1. Stop merging the pull request until the investigation is complete.
+2. Open the PR comment or downloaded `gitleaks-report.json` artifact to review the redacted findings.
+3. Confirm whether each finding is a real secret or a false positive.
+4. Follow the appropriate section below and leave a short update on the PR comment.
+
+## If the Secret Is Real
+
+- **Rotate / revoke the credential immediately.** Use the relevant provider console or contact the owner of the secret.
+- **Purge the secret from Git history.** Remove it locally (including from previous commits) and force-push a clean branch.
+  - Prefer [`git filter-repo`](https://github.com/newren/git-filter-repo) (or `git filter-branch` as a fallback) to rewrite history.
+  - After rewriting history, regenerate the artifact (`git commit --amend` or new commit) and push with `--force-with-lease`.
+- **Document replacements.** Update `.env.example` or secrets management notes so others know the new credential.
+- **Confirm the fix.** Run `gitleaks detect --redact` locally to be sure the repository is clean before merging.
+- **Update the PR comment.** Reply to the workflow comment summarizing what was rotated and how the history was cleaned (no need to paste secrets).
+
+## If It Is a False Positive
+
+- **Verify carefully.** Make sure the redacted value truly is benign (example: test data, dummy keys, or hashed values).
+- **Mask the pattern going forward.** Add a rule or `allowlist` entry in your repository-level `.gitleaks.toml` or configuration file, and commit that change with a note explaining the rationale.
+- **Re-run locally.** Validate that `gitleaks detect --redact` reports no findings after the rule is added.
+- **Reply on the PR.** Note that the finding is a false positive and link to the configuration change.
+
+## Need Help?
+
+- Mention `@CivicTechWR/organizers` in the pull request comment if you need support rotating credentials or cleaning history.
+- For high-impact secrets (production credentials, user data access), escalate immediately in the organizers' channel or via the documented security contact.
+
+Keeping secrets out of Git protects our community projects. Thank you for responding quickly when Gitleaks speaks up!

.github/workflows/gitleaks.yml

@@ -0,0 +1,132 @@
+name: Gitleaks Scan
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  actions: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    name: Scan for Leaked Secrets
+    runs-on: ubuntu-latest
+    env:
+      RESPONSE_GUIDE_URL: https://github.com/CivicTechWR/.github/blob/main/docs/gitleaks-response.md
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks (redacted)
+        id: gitleaks
+        continue-on-error: true
+        uses: gitleaks/gitleaks-action@v2
+        with:
+          args: >-
+            detect --source . --no-banner --redact --report-format json --report-path gitleaks-report.json
+        env:
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+
+      - name: Summarize findings
+        id: summarize
+        run: |
+          if [ ! -f gitleaks-report.json ]; then
+            echo "[]" > gitleaks-report.json
+          fi
+
+          count=$(jq 'length' gitleaks-report.json 2>/dev/null || echo 0)
+
+          if [ "$count" -gt 0 ]; then
+            echo "found=true" >> "$GITHUB_OUTPUT"
+            echo "count=$count" >> "$GITHUB_OUTPUT"
+            echo "::warning::Gitleaks detected ${count} potential secret(s)."
+          else
+            echo "found=false" >> "$GITHUB_OUTPUT"
+            echo "count=0" >> "$GITHUB_OUTPUT"
+            echo "::notice::Gitleaks found no potential secrets."
+          fi
+
+      - name: Note scan issues
+        if: ${{ steps.gitleaks.outcome == 'failure' && steps.summarize.outputs.found == 'false' }}
+        run: |
+          echo "::warning::Gitleaks scan ended with an error before producing findings. Review the action logs."
+
+      - name: Add pull request comment
+        if: ${{ steps.summarize.outputs.found == 'true' && github.event_name == 'pull_request' }}
+        uses: actions/github-script@v7
+        env:
+          LEAK_COUNT: ${{ steps.summarize.outputs.count }}
+        with:
+          script: |
+            const fs = require('fs');
+            const path = 'gitleaks-report.json';
+            const responseGuide = process.env.RESPONSE_GUIDE_URL;
+            const findings = JSON.parse(fs.readFileSync(path, 'utf8'));
+
+            if (!Array.isArray(findings) || findings.length === 0) {
+              return;
+            }
+
+            const lines = findings.slice(0, 10).map((finding) => {
+              const file = finding.file ? `\`${finding.file}\`` : 'unknown file';
+              const line = finding.startLine ? ` (line ${finding.startLine})` : '';
+              const rule = finding.ruleId || finding.rule || 'potential secret';
+              return `- ${file}${line} — ${rule}`;
+            }).join('\n');
+
+            const remainder = findings.length > 10
+              ? `\n\n…and ${findings.length - 10} more finding${findings.length - 10 === 1 ? '' : 's'} in the attached report.`
+              : '';
+
+            const body = [
+              `@CivicTechWR/organizers Gitleaks flagged **${process.env.LEAK_COUNT}** potential secret${findings.length === 1 ? '' : 's'} in this pull request.`,
+              '',
+              `Please review the [Gitleaks response guide](${responseGuide}) for next steps.`,
+              '',
+              lines,
+              remainder,
+              '',
+              '_Secret values are redacted by the scanner. Follow the guide before merging._'
+            ].filter(Boolean).join('\n');
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body,
+            });
+
+      - name: Upload redacted report
+        if: ${{ steps.summarize.outputs.found == 'true' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: gitleaks-report
+          path: gitleaks-report.json
+          retention-days: 7
+
+      - name: Record scan summary
+        if: ${{ always() }}
+        env:
+          LEAK_COUNT: ${{ steps.summarize.outputs.count }}
+          HAS_FINDINGS: ${{ steps.summarize.outputs.found }}
+        run: |
+          if [ "$HAS_FINDINGS" = "true" ]; then
+            {
+              echo "## Gitleaks Findings"
+              echo ""
+              echo "Potential secrets detected: $LEAK_COUNT"
+              echo "Report: gitleaks-report.json (uploaded as artifact when available)"
+              echo "Guide: $RESPONSE_GUIDE_URL"
+            } >> "$GITHUB_STEP_SUMMARY"
+          else
+            {
+              echo "## Gitleaks Findings"
+              echo ""
+              echo "No potential secrets detected."
+            } >> "$GITHUB_STEP_SUMMARY"
+          fi

PULL_REQUEST_TEMPLATE.md

@@ -60,6 +60,7 @@
 - [ ] Privacy and data protection standards are maintained
 - [ ] Input validation and sanitization implemented
 - [ ] Security best practices followed
+- [ ] Responded to any Gitleaks comment and followed the [Gitleaks Response Guide](https://github.com/CivicTechWR/.github/blob/main/docs/gitleaks-response.md)
 - [ ] No new security vulnerabilities introduced
 
 ### Inclusivity & Accessibility

SECURITY.md

@@ -51,6 +51,7 @@ If you're using this template for your CTWR project and discover a security issu
 - **Review the [Security Guide](docs/SECURITY_GUIDE.md)** before starting development
 - **Use secure coding practices** throughout development
 - **Enable automated security scanning** in your repository
+- **Follow the [Gitleaks Response Guide](.github/docs/gitleaks-response.md)** whenever the secret scanning workflow reports a finding
 - **Conduct security reviews** before major releases
 - **Train team members** on civic tech security considerations
 
@@ -98,22 +99,16 @@ When working with government partners:
 - **Privacy Commissioner of Canada** - Privacy law guidance
 - **PIPEDA** - Personal Information Protection and Electronic Documents Act
 
-## Emergency Security Contact
+## Security Contacts
 
-### Critical Security Issues
+### How to Reach Us
 
-For critical security vulnerabilities that pose immediate risk:
+- **Primary channels:** email `civictechwr@gmail.com`, post in the private organizers channel, or send a direct message in the CTWR Slack workspace
+- **GitHub escalation:** mention `@CivicTechWR/organizers` on the relevant issue or pull request to notify the organizers team
 
-**Contact:** [Emergency contact information]
-**Available:** 24/7 for critical issues
-**Response:** Immediate acknowledgment, resolution within 24 hours
+### Response Expectations
 
-### Non-Critical Security Issues
-
-For general security concerns or questions:
-
-**Contact:** [Regular contact information]
-**Response Time:** Within 48 hours during business days
+The CivicTechWR security group is volunteer-run and does not maintain a formal SLA. We address reports as quickly as the team is available and will coordinate next steps once someone has acknowledged the issue. If a report seems urgent, use every channel above and add “URGENT” in the subject or message so we can prioritize it when a volunteer is online.
 
 ## Security Acknowledgments