feat(security): Add comprehensive secret detection system #214

Open

pseegaha wants to merge 5 commits into MSDLLCpapers:main from pseegaha:CDW-1623

Conversation

@pseegaha (Collaborator)

Implement multi-layer secret detection to prevent API keys and sensitive information from being committed to the repository.

Features:

  • Pre-commit hooks with detect-secrets, gitleaks, and detect-private-key
  • GitHub Actions workflow for CI/CD secret scanning with TruffleHog
  • Custom patterns for organization-specific secrets
  • Comprehensive documentation and quick reference guides
  • Automated setup scripts for Windows (PowerShell) and Linux/Mac (Bash)
  • .env.example template for developers

All acceptance criteria met:
✅ Automatically detect keys being committed
✅ Prevent committing of keys to repository
✅ Detect key commitments sooner (seconds vs hours/days)

Files: 9 added, 1 modified
pseegaha and others added 4 commits March 17, 2026 18:23
- Add license check to make Gitleaks conditional on GITLEAKS_LICENSE secret
- Skip Gitleaks with message if license not configured
- Replace interactive detect-secrets audit with baseline comparison
- Use detect-secrets scan --baseline to avoid EOFError
- Improve summary job failure condition formatting

Fixes workflow failures in CI/CD environment

The detect-secrets scan command does not support --baseline flag.
Use diff to compare new scan results with baseline file instead.
This avoids both the EOFError from interactive audit and the
invalid flag error.

Use jq to parse JSON and count actual secrets instead of diff.
This correctly identifies new secrets by comparing counts,
avoiding issues with metadata/timestamp differences in JSON files.
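The baseline comparison the commit messages describe, as an added illustration that is not code from this PR or from detect-secrets itself. It assumes the standard detect-secrets JSON layout (a "results" object mapping filenames to findings with "type", "hashed_secret" and "line_number"); the sample baseline and scan are constructed. Beside the count comparison used in the CI step it shows a set comparison on hashed secrets, which also fires when one secret is removed and another introduced in the same change, a case where the counts stay equal.

```python
import json

# Constructed sample files (not real repository data): the committed baseline
# and a fresh `detect-secrets scan` result with one extra finding.
BASELINE_JSON = """{"version": "1.5.0", "results": {
  "config/settings.py": [{"type": "Secret Keyword", "filename": "config/settings.py",
    "hashed_secret": "aaaa1111", "is_verified": false, "line_number": 12}]}}"""

SCAN_JSON = """{"version": "1.5.0", "results": {
  "config/settings.py": [{"type": "Secret Keyword", "filename": "config/settings.py",
    "hashed_secret": "aaaa1111", "is_verified": false, "line_number": 14}],
  "scripts/deploy.sh": [{"type": "AWS Access Key", "filename": "scripts/deploy.sh",
    "hashed_secret": "bbbb2222", "is_verified": false, "line_number": 3}]}}"""


def count_secrets(report: dict) -> int:
    """Total findings across all files: the number the jq-based CI step compares."""
    return sum(len(findings) for findings in report.get("results", {}).values())


def finding_keys(report: dict) -> set:
    """(filename, type, hashed_secret) per finding. line_number is dropped so an
    unrelated edit that shifts a known secret is not reported as a new one."""
    return {
        (path, f["type"], f["hashed_secret"])
        for path, findings in report.get("results", {}).items()
        for f in findings
    }


def new_secrets(baseline_text: str, scan_text: str) -> list:
    """Findings present in the scan but not in the baseline, sorted for stable output.
    Unlike a count comparison this still fires when one secret is removed and
    another is introduced in the same change (counts stay equal)."""
    baseline = json.loads(baseline_text)
    scan = json.loads(scan_text)
    return sorted(finding_keys(scan) - finding_keys(baseline))


def count_delta(baseline_text: str, scan_text: str) -> int:
    """scan count minus baseline count; positive means the CI step would fail."""
    return count_secrets(json.loads(scan_text)) - count_secrets(json.loads(baseline_text))


if __name__ == "__main__":
    added = new_secrets(BASELINE_JSON, SCAN_JSON)
    print(f"count delta: {count_delta(BASELINE_JSON, SCAN_JSON)}, new findings: {len(added)}")
    for path, kind, digest in added:
        print(f"NEW {kind} in {path} (hashed_secret {digest})")
    raise SystemExit(1 if added else 0)
```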