Skip to content

Add reusable ggshield secret-scan workflow + Lefthook hook#9

Merged
cshuttle merged 1 commit into
mainfrom
feat/ggshield-secret-scan
Jul 5, 2026
Merged

Add reusable ggshield secret-scan workflow + Lefthook hook#9
cshuttle merged 1 commit into
mainfrom
feat/ggshield-secret-scan

Conversation

@cshuttle

@cshuttle cshuttle commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Makes GitGuardian a pre-merge gate across the estate, not just the retroactive GitHub-App dashboard alert.

What

  • .github/workflows/ggshield-scan.yml — reusable workflow_call running GitGuardian/ggshield-action over the caller's pushed/PR commit range (fetch-depth: 0). Requires org Actions secret GITGUARDIAN_API_KEY; callers use secrets: inherit.
  • lefthook/base.ymlggshield secret scan pre-commit command alongside the existing gitleaks. Self-skips when ggshield isn't installed or has no token, so it never wedges a dev without auth (advisory; gitleaks stays the always-offline net, CI is the hard gate).
  • README.md — documents both + the GITGUARDIAN_API_KEY requirement.

Why alongside, not replacing

gitleaks (local) and trufflehog (Monitoring CI) stay; ggshield adds the paid GitGuardian engine whose shared dashboard is where policy + false-positives (e.g. bws UUIDs) are already managed. Belt-and-suspenders.

Prereq before this gate goes green

Org secret GITGUARDIAN_API_KEY (scope scan; source of truth in bws Infrastructure). Until it exists, callers' ggshield check will fail for missing secret — expected.

Validation

  • lefthook validate on base.yml
  • actionlint on ggshield-scan.yml
  • YAML parse of both ✅
  • selftest (actionlint + lefthook validate + YAML parse) runs on this PR.

Monitoring adopts it as the reference caller in a companion PR.

🤖 Generated with Claude Code

GitGuardian is currently GitHub-App-only (retroactive dashboard alerts).
Add ggshield as a pre-merge gate so leaks are caught before they land,
backed by the same GitGuardian dashboard/policy:

- ggshield-scan.yml: reusable workflow_call, GitGuardian/ggshield-action
  over the pushed/PR commit range; requires org secret GITGUARDIAN_API_KEY
  (callers pass secrets: inherit).
- lefthook/base.yml: ggshield pre-commit command alongside gitleaks;
  self-skips when ggshield isn't installed/authenticated so it never wedges
  a dev without a token (advisory — gitleaks stays the offline net).
- README: document both.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cshuttle cshuttle merged commit a534066 into main Jul 5, 2026
7 checks passed
@cshuttle cshuttle deleted the feat/ggshield-secret-scan branch July 5, 2026 01:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant