You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
chore(security): add gitleaks secret detection and .gitignore security baseline (#493)
* chore(security): add gitleaks secret detection and .gitignore security baseline
Introduces gitleaks v8.30.1 for multi-layered secret scanning:
- pre-commit hook via .pre-commit-config.yaml
- CI job in security.yml with SHA256 checksum verification
Applies .gitignore security baseline template with
!extensions/*/.vscode/ negation for extension dev configs.
Also hardens all 8 checkout steps with persist-credentials: false.
Signed-off-by: Null;Variant <null@nullvariant.com>
🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
* chore(security): add .gitleaks.toml to allowlist test fixtures and PEM header constants
Gitleaks correctly detects dummy API keys in test fixtures and PEM
header strings in sshAgent.ts, but these are intentional: test
fixtures use fake secrets for security testing, and sshAgent.ts
uses PEM headers as format detection constants (not actual keys).
Signed-off-by: Null;Variant <null@nullvariant.com>
🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
* fix(ci): switch gitleaks to --no-git mode for working tree scan
Git history scanning triggers false positives on test fixture dummy
secrets and PEM header constants across past commits. Working tree
scan with .gitleaks.toml allowlist is sufficient — GitHub Secret
Scanning + Push Protection already covers history.
Signed-off-by: Null;Variant <null@nullvariant.com>
🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
* fix(ci): correct .gitleaks.toml syntax and allowlist paths
Fix TOML syntax error (paths must be string array, not table array).
Add allowlist for compiled output (out/), .vscode-test/, and
node_modules/. Use regex alternation for src/out variants.
Signed-off-by: Null;Variant <null@nullvariant.com>
🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: SECURITY.md
+1Lines changed: 1 addition & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -67,6 +67,7 @@ This repository contains VS Code extensions with the following security measures
67
67
-**Fork Protection**: Sensitive workflows skip on fork repositories
68
68
-**SAST (Snyk Code)**: [Snyk](https://snyk.io/) runs static analysis; test fixtures are excluded via `.snyk` policy
69
69
-**License & Vulnerability Scanning**: [FOSSA](https://app.fossa.com/) runs license compliance, dependency quality, and security analysis on every commit (GitHub App integration)
70
+
-**Secret Detection**: [Gitleaks](https://github.com/gitleaks/gitleaks) scans for hardcoded secrets in both CI (`security.yml`) and pre-commit hooks (`.pre-commit-config.yaml`)
70
71
-**Runtime Security Monitoring**: [StepSecurity Harden-Runner](https://github.com/step-security/harden-runner) monitors all workflow runs for suspicious network egress, file access, and process execution
71
72
-**Branch Protection**: Main branch requires PR approval (1 reviewer minimum). All PRs are automatically approved by nullvariant-justice[bot] after CI passes (solo-developer workflow for [OpenSSF Scorecard](https://securityscorecards.dev/) compliance). Dependency bot PRs receive additional safety review before approval. Enforced by [Allstar](https://github.com/ossf/allstar/)
Copy file name to clipboardExpand all lines: extensions/git-id-switcher/CHANGELOG.md
+12Lines changed: 12 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
8
8
## [Unreleased]
9
9
10
+
## [0.19.5] - 2026-05-09
11
+
12
+
### Added
13
+
14
+
-**Gitleaks secret detection**: Added gitleaks v8.30.1 for multi-layered secret scanning via pre-commit hook and CI job with SHA256 checksum verification
15
+
-**Gitleaks badge**: Added Gitleaks badge to the root README, extension README, and all 26 localized READMEs
16
+
17
+
### Changed
18
+
19
+
-**.gitignore security baseline**: Rewrote .gitignore with comprehensive secret insurance patterns (`**/` prefix, credential files, key files) and project-specific negation for extension `.vscode/` dev configs
20
+
-**Workflow hardening**: Added `persist-credentials: false` to all 8 checkout steps in `security.yml`
0 commit comments