ci: add gitleaks secrets scanning on PRs [SVLS-8660]

litianningdatadog · claude · litianningdatadog · commit cb600c4366e7 · 2026-03-27T14:27:58.000-04:00
- Add secrets-scan workflow triggered on PR and push to main
- Pin gitleaks-action to SHA (v2.3.9)
- Add .gitleaks.toml with documented allowlist structure for
  paths, regexes, and commits with maintenance guidance

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
@@ -0,0 +1,21 @@
+name: Secrets Scan
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  gitleaks:
+    name: Secrets Scan
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,42 @@
+title = "datadog-lambda-extension gitleaks config"
+
+# This file configures gitleaks to suppress known false positives.
+# Only add entries here after confirming a finding is NOT a real secret.
+# If a real secret is found: rotate it immediately, then add the commit to [allowlist.commits].
+#
+# Maintenance workflow:
+#   1. gitleaks flags something on a PR
+#   2. Review the finding — is it a real secret or a false positive?
+#   3. Real secret    → rotate immediately, fix the code, optionally add the commit hash below
+#   4. False positive → add the appropriate entry below with a comment explaining why
+
+[allowlist]
+description = "Known false positives"
+
+# paths: skip entire directories or files from scanning.
+# Use when a directory contains third-party code or test fixtures with fake data.
+# Examples:
+#   "integration-tests/node_modules"  — npm dependencies, not our code
+#   "bottlecap/tests/fixtures"        — test payloads with placeholder values
+#   "docs/examples"                   — documentation examples with fake keys
+paths = [
+  # npm dependencies bundled under integration-tests — not our code, would be noisy
+  "integration-tests/node_modules",
+]
+
+# regexes: suppress findings whose matched secret value matches one of these patterns.
+# Use for placeholder/example values that appear in source or docs but are not real secrets.
+# Examples:
+#   '''your-api-key'''          — generic placeholder in docs or scripts
+#   '''my_test_key'''           — unit test placeholder (bottlecap/tests/)
+#   '''AKIAIOSFODNN7EXAMPLE'''  — AWS example key from official AWS documentation
+#   '''DD_API_KEY_EXAMPLE'''    — Datadog placeholder used in README examples
+regexes = []
+
+# commits: suppress all findings from a specific historical commit.
+# Use when a commit contained a now-rotated credential that cannot be rewritten
+# (e.g., it is already on the default branch or in a public tag).
+# Always document why the commit is suppressed and confirm the credential was rotated.
+# Examples:
+#   "abc123def456"  — rotated DD_API_KEY accidentally committed on 2024-01-15, key invalidated
+commits = []
