Skip to content

Copy secrets scanner check to other repos #139

Open
Open
Copy secrets scanner check to other repos#139
Labels
adminProject maintenance, dependency updates, or housekeepingdevopsCI/CD, deployment, infrastructure, or tooling worksecuritySecurity fixes, audits, or vulnerability remediation

Description

@vredchenko
vredchenko
opened on Jan 25, 2026

smartem-decisions is not the only repo with secrets - instrument other repos with secret scanning. And look into which tool would work best:

Evaluate replacing detect-secrets with gitleaks

Context

Currently using detect-secrets with a comprehensive baseline workflow in smartem-decisions. Consider whether gitleaks would be a better fit.

Comparison

Aspect detect-secrets (current) gitleaks
Workflow complexity ~150 lines ~15 lines
Git history scanning Limited (workflow admits this) Native, comprehensive
Speed Slower (Python, pip install) Fast (Go binary)
SARIF output No Yes (GitHub Security tab)
Baseline workflow Yes - tracks known secrets Via .gitleaksignore
Auto-maintenance PR Yes (nice feature) Would need custom workflow
Unaudited secrets check Yes - forces review No equivalent

Arguments for Keeping detect-secrets

  • Already working - migration has cost
  • Baseline workflow good if legacy secrets exist that can't be removed
  • Auto-maintenance PR is useful for team workflows
  • Unaudited check forces human review of each finding

Arguments for Switching to gitleaks

  • Dramatically simpler (less code to maintain)
  • Better git history scanning (current workflow literally says "consider gitleaks")
  • Faster CI runs
  • Native GitHub Security tab integration
  • Consistency across repos (ching-ching uses gitleaks)

Decision Criteria

Keep detect-secrets if:

  • Multiple contributors benefit from review ceremony
  • Have actual secrets in history that can't be removed
  • Auto-PR maintenance feature is actively useful

Switch to gitleaks if:

  • Small team / solo development
  • Baseline audits are rubber-stamped anyway
  • Want consistency across repos
  • Prefer simpler maintenance

Tasks

  • Audit whether baseline workflow is providing real value
  • Check if any secrets in history require baseline approach
  • If switching: create gitleaks workflow + .gitleaks.toml
  • If switching: remove .secrets.baseline and detect-secrets workflow

Metadata

Metadata

Assignees

No one assigned

    Labels

    adminProject maintenance, dependency updates, or housekeepingdevopsCI/CD, deployment, infrastructure, or tooling worksecuritySecurity fixes, audits, or vulnerability remediation

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions