
Add secret scanning and prevent credential leaks #1177

Open

arska wants to merge 1 commit into master from chore/secrets-detection

Conversation

@arska
Member

@arska arska commented Mar 23, 2026

Summary

  • Add TruffleHog secret scanning to CI — scans PRs and pushes to master for verified secrets
  • Add .gitignore entries for kubeconfig, PEM, key files, and .claude directory

Why

A service account token was accidentally committed in #1166 via a kubeconfig file in the working directory. This PR prevents that class of mistake:

  1. Gitignore — prevents *.kubeconfig, *.pem, *.key, and .claude/ from being staged
  2. TruffleHog — catches any secrets that slip through gitignore (verified secrets only, no false positives)

Test plan

  • Verify TruffleHog runs on PRs
  • Verify gitignore patterns match intended files

🤖 Generated with Claude Code

@arska arska requested a review from a team as a code owner March 23, 2026 10:08
@arska arska requested review from Kidswiss and lieneluksika and removed request for a team March 23, 2026 10:08
@arska arska self-assigned this Mar 23, 2026
Comment thread .gitignore
Comment thread .github/workflows/secret-scan.yml
@arska arska force-pushed the chore/secrets-detection branch from 9036f4f to 5ff52a9 on March 23, 2026 10:44
@arska
Member Author

arska commented Mar 23, 2026

Addressed both comments:

.gitignore: Removed the broad *.kubeconfig/*.pem/*.key entries and .claude/ catch-all. Now only ignores specific Claude Code local/session files as suggested.

TruffleHog: It's the most widely used open-source secret scanner in the GitHub Actions ecosystem — used by GitLab, Postman, and many CNCF projects. Key reasons:

  • Verifies secrets against live services (only flags actually valid credentials, no false positives with --only-verified)
  • Supports 800+ detector types out of the box (Kubernetes tokens, AWS keys, etc.)
  • First-party GitHub Action maintained by the TruffleHog team
  • Free and open source (AGPL)

Alternatives considered: gitleaks (popular but higher false positive rate without verification), GitHub's built-in secret scanning (only available for GitHub Advanced Security / Enterprise).

Happy to switch to another tool if the team prefers.

Contributor

@tobru tobru left a comment


@Kidswiss Are you OK with introducing this secret scanner?

@arska arska force-pushed the chore/secrets-detection branch from 5ff52a9 to 4ea1aee on March 23, 2026 11:58
@arska arska removed the request for review from lieneluksika March 23, 2026 12:41
@arska arska force-pushed the chore/secrets-detection branch from 4ea1aee to 2213cb0 on March 23, 2026 13:41
- Add TruffleHog secret scanning to CI (PRs and pushes to master)
- Add .gitignore entries for kubeconfig, PEM, key files, and
  .claude directory to prevent accidental commits of credentials

A service account token was accidentally committed in #1166.
This prevents that class of mistake going forward.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Aarno Aukia <aarno.aukia@vshn.ch>
@arska arska force-pushed the chore/secrets-detection branch from 2213cb0 to eef88d0 on March 23, 2026 13:57
Contributor

@Kidswiss Kidswiss left a comment


Should we also add a pre-commit hook? If we scan after the push, the damage is already done, and GitHub will still show you deleted commits.
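Added example of the pre-commit hook suggested in the comment above; it is not code from this PR or from the project. It assumes TruffleHog's `git` subcommand with `--since-commit HEAD --only-verified --fail` (the invocation TruffleHog documents for scanning staged changes), takes its blocked filename patterns (`*.kubeconfig`, `*.pem`, `*.key`) from the PR description's original gitignore list, and adds an offline content check whose regexes and sample diff are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the PR's code): git pre-commit hook that blocks
# credential-shaped files and secret-looking content before a commit exists,
# then hands the staged changes to TruffleHog for live verification.
# Install: cp pre-commit.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
set -u

# File names that must never be committed. Assumption: mirrors the
# *.kubeconfig / *.pem / *.key patterns from the PR description.
is_blocked_name() {
  case "${1##*/}" in
    *.kubeconfig|kubeconfig|*.pem|*.key) return 0 ;;
    *) return 1 ;;
  esac
}

# Read newline-separated paths on stdin and print the blocked ones.
# Always exits 0; the caller decides based on whether anything was printed.
list_blocked_paths() {
  while IFS= read -r path; do
    if [ -n "$path" ] && is_blocked_name "$path"; then
      printf '%s\n' "$path"
    fi
  done
  return 0
}

# Offline content check on a unified diff read from stdin: print added lines
# ("+" but not the "+++" file header) that look like credentials. The patterns
# are illustrative assumptions: PEM private-key headers, a YAML "token:" value,
# and JWT-shaped strings (Kubernetes service-account tokens are JWTs, whose
# base64url header and payload both start with "eyJ").
list_suspicious_added_lines() {
  grep -E '^\+[^+]' |
    grep -E 'BEGIN [A-Z ]*PRIVATE KEY|[Tt]oken:[[:space:]]*[A-Za-z0-9_.-]{16,}|eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' ||
    true
}

# Verified scan of only what is staged (everything since HEAD). Exit status:
# 0 clean, 2 trufflehog not installed, otherwise trufflehog's own non-zero
# status from --fail when a verified secret is found.
scan_staged_with_trufflehog() {
  command -v trufflehog >/dev/null 2>&1 || return 2
  trufflehog git file://. --since-commit HEAD --only-verified --fail
}

# Constructed sample diff (not from a real commit) for exercising the checks.
SAMPLE_DIFF='diff --git a/kube.yaml b/kube.yaml
--- a/kube.yaml
+++ b/kube.yaml
@@ -1,2 +1,5 @@
 apiVersion: v1
+    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJrdWJlcm5ldGVzIn0.c2lnbmF0dXJl
+token_ttl: 3600
+# key material pasted by mistake
+-----BEGIN RSA PRIVATE KEY-----'

main() {
  staged=$(git diff --cached --name-only --diff-filter=ACMR) || exit 1
  blocked=$(printf '%s\n' "$staged" | list_blocked_paths)
  if [ -n "$blocked" ]; then
    printf 'pre-commit: refusing credential-shaped files:\n%s\n' "$blocked" >&2
    exit 1
  fi
  suspicious=$(git diff --cached -U0 | list_suspicious_added_lines)
  if [ -n "$suspicious" ]; then
    printf 'pre-commit: staged lines look like credentials:\n%s\n' "$suspicious" >&2
    exit 1
  fi
  scan_staged_with_trufflehog
  case $? in
    0) ;;
    2) printf 'pre-commit: trufflehog not installed, verified scan skipped\n' >&2 ;;
    *) printf 'pre-commit: trufflehog found a verified secret, aborting\n' >&2; exit 1 ;;
  esac
}

# git invokes the hook as .git/hooks/pre-commit; only then touch the index,
# so the file can also be sourced to exercise the functions on their own.
case "${0##*/}" in
  pre-commit) main "$@" ;;
esac
```

The offline checks run even where TruffleHog is missing, so the hook still blocks the kubeconfig-in-working-directory case from #1166 on every machine; change the `2)` branch to `exit 1` if the team would rather refuse commits until the scanner is installed. A hook is local and can be bypassed with `git commit --no-verify`, so the CI scan in this PR stays as the backstop rather than being replaced.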

