Add reusable ggshield secret-scan workflow + Lefthook hook#9
Merged
Conversation
GitGuardian is currently GitHub-App-only (retroactive dashboard alerts). Add ggshield as a pre-merge gate so leaks are caught before they land, backed by the same GitGuardian dashboard/policy: - ggshield-scan.yml: reusable workflow_call, GitGuardian/ggshield-action over the pushed/PR commit range; requires org secret GITGUARDIAN_API_KEY (callers pass secrets: inherit). - lefthook/base.yml: ggshield pre-commit command alongside gitleaks; self-skips when ggshield isn't installed/authenticated so it never wedges a dev without a token (advisory — gitleaks stays the offline net). - README: document both. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Makes GitGuardian a pre-merge gate across the estate, not just the retroactive GitHub-App dashboard alert.
What
.github/workflows/ggshield-scan.yml— reusableworkflow_callrunningGitGuardian/ggshield-actionover the caller's pushed/PR commit range (fetch-depth: 0). Requires org Actions secretGITGUARDIAN_API_KEY; callers usesecrets: inherit.lefthook/base.yml—ggshield secret scan pre-commitcommand alongside the existinggitleaks. Self-skips when ggshield isn't installed or has no token, so it never wedges a dev without auth (advisory; gitleaks stays the always-offline net, CI is the hard gate).README.md— documents both + theGITGUARDIAN_API_KEYrequirement.Why alongside, not replacing
gitleaks (local) and trufflehog (Monitoring CI) stay; ggshield adds the paid GitGuardian engine whose shared dashboard is where policy + false-positives (e.g. bws UUIDs) are already managed. Belt-and-suspenders.
Prereq before this gate goes green
Org secret
GITGUARDIAN_API_KEY(scopescan; source of truth in bws Infrastructure). Until it exists, callers'ggshieldcheck will fail for missing secret — expected.Validation
lefthook validateonbase.yml✅actionlintonggshield-scan.yml✅Monitoring adopts it as the reference caller in a companion PR.
🤖 Generated with Claude Code