feat(security): built-in secret scanning (replace gitleaks CI workflow) #692

Closed
opened 2026-06-23 18:03:43 +00:00 by jmiller · 0 comments
Owner

Summary

Replace the external gitleaks CI workflow with a built-in MokoGitea secret scanning feature. Secrets should be detected on push/PR at the server level, not as a per-repo workflow dependency.

Current State

  • gitleaks runs as a CI workflow (.mokogitea/workflows/gitleaks.yml)
  • Requires Docker, runs on every push, adds CI time
  • Each repo must have the workflow file synced
  • Results only visible in workflow logs

Desired Behavior

  • Server-side hook scans commits on push for secret patterns
  • Block push or flag warning (configurable per org/repo)
  • Results visible in PR review UI (inline annotations on leaked lines)
  • Admin settings page to configure patterns, allowlist, severity
  • No per-repo workflow needed — works automatically for all repos

Implementation Options

  1. Pre-receive hook: Scan diff on push, reject if secrets found
  2. Post-receive async: Scan after push, create issue/comment with findings
  3. PR integration: Scan PR diff, add review comments on leaked lines

Patterns to Detect

  • API keys (AWS, GCP, Azure, generic)
  • Private keys (RSA, SSH, PGP)
  • Tokens (GitHub, GitLab, Gitea, npm, PyPI)
  • Database connection strings
  • High-entropy strings (configurable threshold)
  • Custom org-defined patterns

References

  • gitleaks — current external tool
  • Related to #552 (code security analysis scanner module)
## Summary Replace the external `gitleaks` CI workflow with a built-in MokoGitea secret scanning feature. Secrets should be detected on push/PR at the server level, not as a per-repo workflow dependency. ## Current State - `gitleaks` runs as a CI workflow (`.mokogitea/workflows/gitleaks.yml`) - Requires Docker, runs on every push, adds CI time - Each repo must have the workflow file synced - Results only visible in workflow logs ## Desired Behavior - Server-side hook scans commits on push for secret patterns - Block push or flag warning (configurable per org/repo) - Results visible in PR review UI (inline annotations on leaked lines) - Admin settings page to configure patterns, allowlist, severity - No per-repo workflow needed — works automatically for all repos ## Implementation Options 1. **Pre-receive hook**: Scan diff on push, reject if secrets found 2. **Post-receive async**: Scan after push, create issue/comment with findings 3. **PR integration**: Scan PR diff, add review comments on leaked lines ## Patterns to Detect - API keys (AWS, GCP, Azure, generic) - Private keys (RSA, SSH, PGP) - Tokens (GitHub, GitLab, Gitea, npm, PyPI) - Database connection strings - High-entropy strings (configurable threshold) - Custom org-defined patterns ## References - [gitleaks](https://github.com/gitleaks/gitleaks) — current external tool - Related to #552 (code security analysis scanner module)
Sign in to join this conversation.