In-18383 | @jgonzalez-ae | Fixing vulnerabilities via audit fix.
Ticket:
PE-875
Description
We have various secrets/keys embedded in our sources. This GH workflow scans PRs for secrets to prevent any more from accumulating. We will handle existing ones as a next step.
When a PR contains a secret, this workflow fails and displays the offending code.
It uses this workflow in github-actions: https://github.com/audioeye/github-actions/blob/main/.github/workflows/gitleaks.yml.
How To Test:
The workflow itself has been tested as per below. The import of the workflow has not, as I'm not aware of any way to do so. Ideally the CI/CD on this PR will itself use the workflow and at least verify that it doesn't cause problems.
Passing PR: https://github.com/audioeye/cve_test/pull/39
Failing PR: https://github.com/audioeye/cve_test/pull/38
Failure output:

```
7:43PM WRN leaks found: 1
Finding: GITHUB_TOKEN=ghp_1234567890abcdef1234567890abcdef1234
Secret: ghp_1234567890abcdef1234567890abcdef1234
RuleID: github-pat
Entropy: 4.246439
File: src/keyleak.js
Line: 7
Commit: 94b7b660a826140bd1267588aa0c6d0759708479
Date: 2026-02-11T19:42:31Z
Fingerprint: 94b7b660a826140bd1267588aa0c6d0759708479:src/keyleak.js:github-pat:7
Link: https://github.com/audioeye/cve_test/blob/94b7b660a826140bd1267588aa0c6d0759708479/src/keyleak.js#L7
```
Breaking Changes:
None.
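As an added illustration of what the failure output above reports (example code written for this page, not code from this PR, from the audioeye workflow, or from gitleaks itself), here is a minimal Python detector that applies a github-pat style regex, computes the Shannon entropy figure gitleaks prints, and reports file and line. The `ghp_[0-9a-zA-Z]{36}` pattern and the entropy floor are assumptions that approximate the real rule; `SAMPLE_JS` is a constructed stand-in for the failing PR's `src/keyleak.js`.

```python
import math
import re
from dataclasses import dataclass

# Assumption: approximates gitleaks' github-pat rule ("ghp_" + 36 alphanumerics).
RULES = {"github-pat": re.compile(r"ghp_[0-9a-zA-Z]{36}")}


@dataclass
class Finding:
    rule_id: str
    file: str
    line: int
    secret: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; this is the number gitleaks reports as Entropy."""
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Scan one file's text; min_entropy (assumed) drops obvious placeholders like 'ghp_aaaa...'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern in RULES.items():
            for m in pattern.finditer(line):
                ent = shannon_entropy(m.group(0))
                if ent >= min_entropy:
                    findings.append(Finding(rule_id, path, lineno, m.group(0), ent))
    return findings


# Constructed sample file; the token is the placeholder value shown in the PR's failure output.
SAMPLE_JS = """const fetch = require('node-fetch');
// config
const API_URL = 'https://api.example.test';
const RETRIES = 3;
const TIMEOUT_MS = 5000;

const GITHUB_TOKEN = 'ghp_1234567890abcdef1234567890abcdef1234';
module.exports = { API_URL, GITHUB_TOKEN };
"""

if __name__ == "__main__":
    for f in scan_text("src/keyleak.js", SAMPLE_JS):
        print(f"RuleID: {f.rule_id}\nEntropy: {f.entropy:.6f}\nFile: {f.file}\nLine: {f.line}")
```

Run stand-alone it reports the same RuleID, Entropy (4.246439) and Line 7 as the workflow output above.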