ci: switch to gitleaks #46

Merged
mauritz.uphoff merged 1 commit from ci/switch-gitleaks into main 2026-06-29 09:27:13 +00:00
6 changed files with 9 additions and 14 deletions


@ -21,16 +21,6 @@ on:
branches: ["main"]
jobs:
secret-scan:
name: "Secret Scanner (TruffleHog)"
runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'stackit-docker' }}
steps:
- name: Checkout code
uses: actions/checkout@v7
- name: TruffleHog Scan
uses: edplato/trufflehog-actions-scan@master
todo-check:
name: "Check for Open TODOs"
runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'stackit-ubuntu-22' }}
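Review bot: the TruffleHog job is deleted here but no gitleaks job takes its place, so after this hunk the workflow runs no secret scanner at all; the gitleaks hook added to the pre-commit config is client-side and is skipped by `git commit --no-verify`, while the docs changed in this PR still promise scanning "in the CI pipeline". Either add a job in this workflow that runs gitleaks (the `gitleaks/gitleaks-action` action, or a `pre-commit run --all-files` job, if one is not already defined elsewhere), pinned to a commit SHA rather than a floating ref like the `@master` reference being removed, or reword the docs to say the scan runs via pre-commit.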


@ -58,6 +58,11 @@ repos:
- id: prettier
types_or: [javascript, yaml, json, markdown]
- repo: https://github.com/gitleaks/gitleaks
rev: v8.24.2
hooks:
- id: gitleaks
- repo: local
hooks:
# Requires `addlicense` to be installed locally (go install github.com/google/addlicense@latest)
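Review bot: `rev: v8.24.2` is a tag, and tags are movable; pre-commit accepts a full commit SHA in `rev`, which is the stronger pin for a tool that gates every commit. Also note the hook's scope: the upstream gitleaks hook in the 8.x series scans staged changes only, so it never inspects history already in the repository, and the `trufflehog:ignore` suppressions removed elsewhere in this PR have no automatic equivalent here; if any existing line trips a gitleaks rule, the inline marker is `# gitleaks:allow`, with a repo-root `.gitleaks.toml` allowlist as the fallback for path-wide exclusions.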


@ -59,7 +59,7 @@ To maintain a clean and secure codebase, we enforce a strict CI pipeline on all
```
- **Terraform file naming:** All `.tf` files in examples **must** be prefixed with exactly 3 digits to enforce consistent ordering (e.g., `010-provider.tf`, `020-variables.tf`, `030-resources.tf`, `100-outputs.tf`). Files inside `modules/` directories are exempt from this rule. This check is enforced automatically by pre-commit.
- **Scan for Secrets:** Never commit credentials. We use `trufflehog` in the CI pipeline. Ensure you have no hardcoded tokens or passwords in your code.
- **Scan for Secrets:** Never commit credentials. We use `gitleaks` in the CI pipeline. Ensure you have no hardcoded tokens or passwords in your code.
### Repository structure
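Review bot: "We use `gitleaks` in the CI pipeline" is not backed by the workflow change in this PR, which only removes the TruffleHog job while gitleaks is wired into pre-commit; either reword to "via pre-commit (run `pre-commit run gitleaks --all-files` locally)" or add the CI job. It would also help contributors to say here that a confirmed false positive is suppressed with an inline `# gitleaks:allow` comment rather than by skipping the hook.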


@ -30,7 +30,7 @@ To ensure high standards and security, we follow a strict contribution process:
- **Automated Validation:** Every Pull Request must pass the CI pipeline, which includes:
- Linting and formatting checks.
- License header verification (Apache 2.0).
- Secret scanning (Trufflehog).
- Secret scanning (GitLeaks).
- **Best Effort Policy:** While we strive for quality, the content is provided "as-is." Use in production environments requires independent validation by the user.
## 4. Mirroring Process
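Review bot: spell the tool the same way everywhere; the contribution guide hunk and the pre-commit config use `gitleaks`, this line uses `GitLeaks`. Same caveat as for the contribution guide: listing "Secret scanning" under the CI pipeline needs a CI job that this PR does not add.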


@ -22,6 +22,6 @@ locals {
output "pg_connection_uri" {
description = "PostgreSQL Flex User Connection String"
value = "postgres://${local.pg_username}:${local.pg_password}@${local.pg_host}:${local.pg_port}/${local.pg_database}?sslmode=require" # trufflehog:ignore
value = "postgres://${local.pg_username}:${local.pg_password}@${local.pg_host}:${local.pg_port}/${local.pg_database}?sslmode=require"
sensitive = true
}
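Review bot: dropping the suppression on the `value` line is fine only if the hook has been confirmed to pass on it; the value interpolates `local.pg_password` rather than a literal, so the rule to test against is gitleaks' pattern for credentialed `postgres://` URIs. If it does fire, the scoped fix is `# gitleaks:allow` on this line, not an allowlist entry. Separately, `sensitive = true` only masks the value in plan/apply output; the rendered connection string is still written in plaintext to the Terraform state, so the state backend for this module needs the same protection as the credential itself.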


@ -7,7 +7,7 @@ This module contains the core infrastructure configuration. It uses the `pg` bac
1. Create a `backend.conf` file in this directory and define the connection string using the credentials generated by the bootstrap module:
```ini
conn_str = "postgres://tf_state_user:<PASSWORD>@<STACKIT_INSTANCE_HOST>:5432/terraform_state?sslmode=require" # trufflehog:ignore
conn_str = "postgres://tf_state_user:<PASSWORD>@<STACKIT_INSTANCE_HOST>:5432/terraform_state?sslmode=require"
```
2. Initialize Terraform and bind it to the remote PostgreSQL backend
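Review bot: the `<PASSWORD>` placeholder is harmless to a scanner, but the real `backend.conf` this step tells the reader to create is the file that matters; a staged-only pre-commit hook is a backstop, so confirm `backend.conf` is listed in `.gitignore` and say so in step 1. Step 2 would also read more precisely if it named the command that consumes the file, `terraform init -backend-config=backend.conf`.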