From 4ce472894bfbe77a1f28b2faf5f2ecfe26b7f1f9 Mon Sep 17 00:00:00 2001
From: Maksim Fedotov
Date: Mon, 19 Jan 2026 10:16:36 +0300
Subject: [PATCH 1/2] chore(ci): backport gitleaks to cse
Signed-off-by: Maksim Fedotov
chore(ci): fix gitleaks scan (#1897)
Signed-off-by: Maksim Fedotov
---
 .github/workflows/gitleaks-scan-on-pr.yml | 21 ++++++++
 .../workflows/gitleaks-scan-on-schedule.yml | 23 +++++++++
 .gitleaks.toml | 49 +++++++++++++++++++
 3 files changed, 93 insertions(+)
 create mode 100644 .github/workflows/gitleaks-scan-on-pr.yml
 create mode 100644 .github/workflows/gitleaks-scan-on-schedule.yml
 create mode 100644 .gitleaks.toml
diff --git a/.github/workflows/gitleaks-scan-on-pr.yml b/.github/workflows/gitleaks-scan-on-pr.yml
new file mode 100644
index 0000000000..92f5ae2fc7
--- /dev/null
+++ b/.github/workflows/gitleaks-scan-on-pr.yml
@@ -0,0 +1,21 @@
+name: Gitleaks Pull Request Scan
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+permissions:
+ contents: read
+ pull-requests: read
+
+jobs:
+ gitleaks_scan:
+ name: Gitleaks scan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ steps:
+ - name: Run Gitleaks diff scan
+ uses: deckhouse/modules-actions/gitleaks@v6
+ with:
+ scan_mode: "diff"
diff --git a/.github/workflows/gitleaks-scan-on-schedule.yml b/.github/workflows/gitleaks-scan-on-schedule.yml
new file mode 100644
index 0000000000..4406dc5dc4
--- /dev/null
+++ b/.github/workflows/gitleaks-scan-on-schedule.yml
@@ -0,0 +1,23 @@
+name: Gitleaks Daily Scan
+
+on:
+ schedule:
+ - cron: "0 2 * * *"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ pull-requests: read
+
+jobs:
+ gitleaks_scan:
+ name: Gitleaks scan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ steps:
+ - name: Run Gitleaks diff scan
+ uses: deckhouse/modules-actions/gitleaks@v6
+ with:
+ scan_mode: "full"
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000000..0fad91b9f5
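Review bot: `uses: deckhouse/modules-actions/gitleaks@v6` references a mutable major-version tag; for a workflow whose only job is secret detection, pin the action to its full commit SHA and keep the tag as a trailing comment, `uses: deckhouse/modules-actions/gitleaks@<full-commit-sha> # v6`, so a moved tag cannot silently change what scans the repository. The `permissions` block with `contents: read` and `pull-requests: read` is declared at the workflow level and again on the job; the job-level block overrides the workflow-level one for this job, so with identical contents one of the two copies is redundant and can be dropped. Both points apply equally to gitleaks-scan-on-schedule.yml in this patch.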
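Review bot: The step name `Run Gitleaks diff scan` contradicts the step's own `scan_mode: "full"` and looks copied from the pull-request workflow; rename it to `- name: Run Gitleaks full scan`. GitHub evaluates `schedule` cron expressions in UTC, so a trailing comment on the cron line, `- cron: "0 2 * * *"  # daily at 02:00 UTC`, would spare the next reader a lookup.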
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,49 @@
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Allowlist for virtualization repo to ignore specific test folders"
+commits = [
+ # tests/e2e/object/const.go - test SSH keys
+ "030b01dce1c99360cd39714d476ad90d872f79ac",
+ "a67d0501e0e1d7a5a348fff538a0985b39da0f0b",
+ # images/hooks/cmd/generate-secret-for-dvcr/main_test.go - test passwords
+ "c0c39f20c5a2a25d33e61f58d9fe3d072b1512ba",
+ # tests/e2e/testdata/connectivity/sshkeys/id_ed - test SSH keys
+ "60095c796d50f7e572f89f57b9facca734601f65",
+ # images/kube-api-proxy/local/proxy.yaml - local dev secrets
+ "9aaa05d34e7050e8d261568c6ee162a33a04f59d",
+ "32ba6a902bbb2de95cb49fc67a81119f1db1fdaa",
+ "8c73631f35a2ae0f5da0b7d34e4f94377abf9d9c",
+ # tests/performance/ssh/id_ed - test SSH keys
+ "5e57d5b3c484a9ae780355f6c69a1c8c53c07db6",
+ # tests/e2e/testdata/vm/sshkeys/id_ed - test SSH keys
+ "6c9bbca501d29539019358b9f4c1740011b49fbe",
+ "c70df49a09c0d3f9eaeb2bb3850e1506a48a6591",
+ # tests/e2e/testdata/vm/provisioning - test data
+ "7779a9548280e3d28cd44555efe6d0e18a106b09",
+ # images/virtualization-artifact/config/vm_sysprep.yaml - example config
+ "552a06eb1d2f50ca2d765d42c5ab4d701c92a555",
+ # legacy entry
+ "d964aca8c51cc3f2dcd0d72b6016fa6ad94c1ce4",
+]
+paths = [
+ # test files and data
+ '''^images/dvcr-artifact/pkg/uploader/testdata/auth.json$''',
+ '''^images/hooks/pkg/hooks/generate-secret-for-dvcr/hook_test.go$''',
+ '''^images/hooks/cmd/generate-secret-for-dvcr/main_test\.go$''',
+ '''^test/e2e/legacy/testdata/sshkeys/id_ed$''',
+ '''^test/e2e/internal/object/const.go$''',
+ '''^tests/e2e/object/const\.go$''',
+ '''^tests/e2e/testdata/connectivity/sshkeys/id_ed$''',
+ '''^tests/e2e/testdata/vm/sshkeys/id_ed$''',
+ '''^tests/e2e/testdata/vm/provisioning/.*$''',
+ '''^test/performance/ssh/id_ed$''',
+ '''^tests/performance/ssh/id_ed$''',
+ # development files that are not used in production images
+ '''^images/kube-api-rewriter/local/proxy.yaml$''',
+ '''^images/kube-api-proxy/local/proxy\.yaml$''',
+ '''^images/virtualization-artifact/config/vm_sysprep\.yaml$''',
+ # false positives in README files
+ '''^images/packages/krb5/README.md$''',
+]
From 338693fde70638a1a9d2bfc254b28d76b07e4cad Mon Sep 17 00:00:00 2001
From: Maksim Fedotov
Date: Tue, 20 Jan 2026 15:34:56 +0300
Subject: [PATCH 2/2] add license
Signed-off-by: Maksim Fedotov
---
 .github/workflows/gitleaks-scan-on-pr.yml | 14 ++++++++++++++
 .github/workflows/gitleaks-scan-on-schedule.yml | 14 ++++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/.github/workflows/gitleaks-scan-on-pr.yml b/.github/workflows/gitleaks-scan-on-pr.yml
index 92f5ae2fc7..8f3543436c 100644
--- a/.github/workflows/gitleaks-scan-on-pr.yml
+++ b/.github/workflows/gitleaks-scan-on-pr.yml
@@ -1,3 +1,17 @@
+# Copyright 2026 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: Gitleaks Pull Request Scan
 
 on:
diff --git a/.github/workflows/gitleaks-scan-on-schedule.yml b/.github/workflows/gitleaks-scan-on-schedule.yml
index 4406dc5dc4..9d70fc7946 100644
--- a/.github/workflows/gitleaks-scan-on-schedule.yml
+++ b/.github/workflows/gitleaks-scan-on-schedule.yml
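Review bot: The regex dot is escaped inconsistently across the `paths` entries: `main_test\.go$`, `const\.go$`, `proxy\.yaml$` and `vm_sysprep\.yaml$` escape it, while `auth.json$`, `hook_test.go$`, `const.go$`, `proxy.yaml$` and `README.md$` leave it as a wildcard that also matches any single character, so the dot should be escaped in every entry as in the fence below. Each entry under `commits` silences every finding in that commit rather than only the file named in the comment above it, and the `# legacy entry` comment for `d964aca8c51cc3f2dcd0d72b6016fa6ad94c1ce4` records nothing about what it hides; replace it with the file or finding the entry was added for, and check whether the path entries, which apply across history, already make the commit entries unnecessary. A path allowlist such as `'''^tests/e2e/testdata/vm/provisioning/.*$'''` also exempts anything committed under that directory in the future, so a per-finding fingerprint in `.gitleaksignore` would be a narrower way to exempt one-off test fixtures.
```toml
paths = [
    # test files and data
    '''^images/dvcr-artifact/pkg/uploader/testdata/auth\.json$''',
    '''^images/hooks/pkg/hooks/generate-secret-for-dvcr/hook_test\.go$''',
    # … unchanged: main_test.go and legacy id_ed entries …
    '''^test/e2e/internal/object/const\.go$''',
    # … unchanged: tests/ entries …
    # development files that are not used in production images
    '''^images/kube-api-rewriter/local/proxy\.yaml$''',
    # … unchanged: kube-api-proxy and vm_sysprep entries …
    # false positives in README files
    '''^images/packages/krb5/README\.md$''',
]
```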
@@ -1,3 +1,17 @@
+# Copyright 2026 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: Gitleaks Daily Scan
 
 on: