Skip to content

chore(security): add gitleaks secret detection and .gitignore security baseline#493

Merged
nullvariant merged 4 commits into
mainfrom
chore/issue-351-gitleaks-gitignore-baseline
May 8, 2026
Merged

chore(security): add gitleaks secret detection and .gitignore security baseline#493
nullvariant merged 4 commits into
mainfrom
chore/issue-351-gitleaks-gitignore-baseline

Conversation

@nullvariant

Copy link
Copy Markdown
Owner

Summary

  • Add gitleaks v8.30.1 for multi-layered secret scanning (pre-commit hook + CI job with SHA256 checksum verification)
  • Apply .gitignore security baseline template with !extensions/*/.vscode/ negation for extension dev configs
  • Harden all 8 checkout steps in security.yml with persist-credentials: false
  • Add Gitleaks badge to root README, extension README, and all 26 localized READMEs
  • Document gitleaks in SECURITY.md CI/CD Security section
  • Bump version to 0.19.5

Test plan

  • TypeScript compiles cleanly (npx tsc --noEmit)
  • ESLint passes
  • All tests pass with 100% statement coverage
  • DOCUMENT_HASHES regenerated and verified
  • CI passes on this PR (security.yml gitleaks job runs successfully)
  • Verify .vscode/ tracked files are still accessible after .gitignore rewrite

…y baseline

Introduces gitleaks v8.30.1 for multi-layered secret scanning:
- pre-commit hook via .pre-commit-config.yaml
- CI job in security.yml with SHA256 checksum verification

Applies .gitignore security baseline template with
!extensions/*/.vscode/ negation for extension dev configs.

Also hardens all 8 checkout steps with persist-credentials: false.

Signed-off-by: Null;Variant <null@nullvariant.com>

🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
@qodo-code-review

Copy link
Copy Markdown
ⓘ You've reached your Qodo monthly free-tier limit. Reviews pause until next month — upgrade your plan to continue now, or link your paid account if you already have one.

@nullvariant-blaze

nullvariant-blaze Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

🐗 Blaze's Release Review 🔥

🔥🔥🔥 VERSION BUMP DETECTED! THIS IS IT! 🔥🔥🔥

PATCH VERSION BUMP in extensions/git-id-switcher/package.json

0.19.40.19.5

✨ Quick patch! Nice and clean.


よっしゃ!デプロイしまくるぞ!

This review was ENTHUSIASTICALLY filed by nullvariant-blaze[bot]

@nullvariant-slow

nullvariant-slow Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

🦥 Slow's Code Review 😩

...yawn... Do I really have to review this?

⚠️ TOO LONG... I can barely keep my eyes open reading these:

File Lines

| extensions/git-id-switcher/src/ui/documentationInternal.ts | 505 |

Split it up... reading long files is exhausting.


働きたくないでござる

This review was reluctantly filed by nullvariant-slow[bot]

@nullvariant-luna

nullvariant-luna Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

👧 Luna's Exploration Report 📦

No new dependencies added. Just version bumps! Nothing to explore here... 😴


Botに418返そうよ!

This report was curiously compiled by nullvariant-luna[bot]

@nullvariant-mimi

nullvariant-mimi Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

🐰 Mimi's Validation Report ✅

All checks are looking good! Great job! 🎉

⏳ Some checks are still running. I will keep watching!


バリデーターを通してくださいね

This report was carefully prepared by nullvariant-mimi[bot]

@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@nullvariant-ciel

nullvariant-ciel Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

🕊️ Ciel's Mediation ☀️

*~~ gliding on a gentle breeze ~~ How serene!*

4 zoo members have reviewed this PR.

Zoo Member Status
🦥 Slow Commented
🐰 Mimi Commented
👧 Luna Commented
🐗 Blaze Commented

☀️ The zoo is in harmony. Everything looks peaceful from up here.


まあまあ、ほどほどに。

This mediation was peacefully delivered by nullvariant-ciel[bot]

@codecov

codecov Bot commented May 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

nullvariant-justice[bot]
nullvariant-justice Bot previously approved these changes May 8, 2026

@nullvariant-justice nullvariant-justice Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚖️ Justice grants passage. CI checks passed — this code meets the garden's standards.

…M header constants

Gitleaks correctly detects dummy API keys in test fixtures and PEM
header strings in sshAgent.ts, but these are intentional: test
fixtures use fake secrets for security testing, and sshAgent.ts
uses PEM headers as format detection constants (not actual keys).

Signed-off-by: Null;Variant <null@nullvariant.com>

🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
Git history scanning triggers false positives on test fixture dummy
secrets and PEM header constants across past commits. Working tree
scan with .gitleaks.toml allowlist is sufficient — GitHub Secret
Scanning + Push Protection already covers history.

Signed-off-by: Null;Variant <null@nullvariant.com>

🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
nullvariant-justice[bot]
nullvariant-justice Bot previously approved these changes May 8, 2026

@nullvariant-justice nullvariant-justice Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚖️ Justice grants passage. CI checks passed — this code meets the garden's standards.

Fix TOML syntax error (paths must be string array, not table array).
Add allowlist for compiled output (out/), .vscode-test/, and
node_modules/. Use regex alternation for src/out variants.

Signed-off-by: Null;Variant <null@nullvariant.com>

🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
@sonarqubecloud

sonarqubecloud Bot commented May 8, 2026

Copy link
Copy Markdown

@nullvariant-justice nullvariant-justice Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚖️ Justice grants passage. CI checks passed — this code meets the garden's standards.

@nullvariant nullvariant merged commit 58f2ab5 into main May 8, 2026
43 of 44 checks passed
@nullvariant nullvariant deleted the chore/issue-351-gitleaks-gitignore-baseline branch May 8, 2026 13:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant