Problem
The leak-prevention guard (FEAT-2026-0020) covers git commits only. GitHub issue and PR descriptions/comments are a separate public surface the pre-commit hook cannot scan. This is exactly where leaks landed during FEAT-2026-0020: the T04 sweep redacted 12 issue/PR bodies, and an example-iac reference reached PR #43's body afterward (caught only by a manual pre-flip sweep).
Proposal
A scheduled / issues+pull_request-triggered GitHub Action that runs the leak_scan patterns (structural + hashed denylist; see the hashed-denylist issue) over issue/PR titles, bodies, and comments, and fails / comments on a hit. Note: GitHub retains edit history of bodies, so the Action stops new leaks but cannot expunge already-published revisions — that remains a delete+recreate / GitHub-Support operation.
Acceptance
- Action flags a planted private string in an issue/PR body on open/edit.
- Clean bodies pass.
- Documented limitation: edit-history is not expunged by this guard.
Surfaced by FEAT-2026-0020 review.
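A sketch of the scan step such an Action could run over the webhook payload, added here as an illustration and not the project's leak_scan code. The structural rule, the denylist entry, the token regex and all function names are assumptions; only the payload field names and `GITHUB_EVENT_PATH` come from GitHub.

```python
import hashlib, json, os, re, sys

# Assumed structural rule (hypothetical internal hostnames), not leak_scan's rule set.
STRUCTURAL = [re.compile(r"\b[\w-]+\.corp\.example\b", re.I)]
# Hashed denylist: SHA-256 of lowercased private tokens, so the public repo
# never stores the strings it is guarding. Constructed sample entry.
DENYLIST = {hashlib.sha256(b"private-infra-repo").hexdigest()}
TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

# Constructed sample payloads (shape of pull_request / issue_comment events).
PLANTED = {"action": "edited", "pull_request": {
    "title": "Bump deps", "body": "Mirrors the layout of private-infra-repo."}}
CLEAN = {"action": "opened", "issue": {"title": "Docs typo", "body": None}}
COMMENT = {"action": "created", "issue": {"title": "x", "body": "y"},
           "comment": {"body": "see build01.corp.example"}}

def scan_text(text):
    """Return (kind, offset) hits. The matched string is never returned,
    because the Action log of a public repo is itself a public surface."""
    text = text or ""
    hits = [("structural", m.start()) for p in STRUCTURAL for m in p.finditer(text)]
    for m in TOKEN.finditer(text):
        token = m.group().lower().rstrip("._-")  # drop sentence punctuation
        if hashlib.sha256(token.encode()).hexdigest() in DENYLIST:
            hits.append(("denylist", m.start()))
    return hits

def surfaces(event):
    """Yield (label, text) for every title, body and comment in the payload."""
    for key in ("issue", "pull_request"):
        obj = event.get(key) or {}
        for field in ("title", "body"):
            if obj.get(field):  # body is null when left empty
                yield f"{key}.{field}", obj[field]
    comment = event.get("comment") or {}
    if comment.get("body"):
        yield "comment.body", comment["body"]

def scan_event(event):
    """Map each surface with at least one hit to its list of hits."""
    return {label: hits for label, text in surfaces(event) if (hits := scan_text(text))}

if __name__ == "__main__":
    path = os.environ.get("GITHUB_EVENT_PATH")  # set by the Actions runner
    if path:
        with open(path) as fh:
            event = json.load(fh)
    else:
        event = PLANTED  # stand-alone run uses the constructed sample
    report = scan_event(event)
    print(report)
    sys.exit(1 if report else 0)  # non-zero exit fails the job on a hit
```

Because the payload carries only the current revision of a body or comment, this check sees new and edited text but nothing in GitHub's retained edit history, which matches the documented limitation.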