
test: add gitleaks smoke test for secret detection#677

Open
mvillmow wants to merge 3 commits into
mainfrom
487-auto-impl
Open
Conversation

@mvillmow

Contributor

Summary

Add a smoke test that verifies the gitleaks CI job fails on a branch containing a dummy secret matching a gitleaks rule, confirming end-to-end behavior of secret detection before merging.

Changes

  • Added gitleaks smoke test in tests/test_workflow_secrets_scan.py to validate CI job failure on secret detection
  • Updated coverage.xml with test results

Testing

  • Smoke test verifies gitleaks job detects and fails on known-bad secret string
  • Confirms end-to-end CI behavior rather than relying on static review alone

Closes

Closes #487

Generated by Claude Code via ProjectHephaestus automation.

@mvillmow mvillmow left a comment

Contributor Author

NOGO: coverage.xml build artifact (855 lines, absolute path, not gitignored) committed; unrelated to #487. Also allowlist test uses fullmatch vs gitleaks' search semantics.

Comment thread coverage.xml Outdated
Comment thread tests/test_workflow_secrets_scan.py Outdated
mvillmow and others added 3 commits June 28, 2026 09:18
Add integration test to verify gitleaks job fails when a branch contains secrets matching configured rules. Confirms end-to-end detection behavior as a follow-up to #335.

Closes #487

Implemented-By: claude-sonnet-4-6
Co-Authored-By: Claude Code <noreply@anthropic.com>
Signed-off-by: Claude Haiku 4.5 <4211002+mvillmow@users.noreply.github.com>
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>

Generated coverage report should not be in version control (churns on every
test run, leaks absolute local paths). Addresses review feedback.

Signed-off-by: Claude Haiku 4.5 <4211002+mvillmow@users.noreply.github.com>
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>

Gitleaks evaluates allowlist.paths as unanchored Go regexp.MatchString
searches, so use re.search instead of re.fullmatch to correctly guard
against a root-covering pattern (e.g. a future 'txt' or '.*smoke.*' entry).
Addresses review feedback.

Signed-off-by: Claude Haiku 4.5 <4211002+mvillmow@users.noreply.github.com>
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
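The third commit's point about allowlist semantics is easy to get wrong in a test, so here is an added example (not code from this PR or from the gitleaks project) of the guard it describes. A smoke test that commits a dummy secret only proves anything if no `allowlist.paths` entry excludes the fixture file; since gitleaks tests each entry with Go's unanchored `regexp.MatchString`, the guard has to use `re.search`, and `re.fullmatch` will miss a broad entry such as `txt`. The `ALLOWLIST_PATHS` list and `SMOKE_FIXTURE` path are constructed stand-ins for the project's real `.gitleaks.toml`, which is not on this page; Python's `re` is used as an approximation of Go's RE2 syntax, which is exact for simple patterns like these but not for every construct.

```python
"""Guarding a gitleaks smoke-test fixture against allowlist.paths entries.

Added example, not the PR's own test code. Shows why the guard must use
re.search (unanchored, like Go regexp.MatchString) instead of re.fullmatch.
"""
import re

# Constructed stand-in for an `[allowlist] paths = [...]` section of
# .gitleaks.toml. Gitleaks compiles each entry with Go's regexp and tests
# it with MatchString, which succeeds on *any* substring match.
ALLOWLIST_PATHS = [
    r"\.lock$",
    r"^docs/",
    r"txt",  # overly broad: silently excludes every path containing "txt"
]

# Constructed path of the file that carries the dummy secret in the smoke test.
SMOKE_FIXTURE = "tests/fixtures/smoke_secret.txt"


def _match_unanchored(pattern: str, path: str) -> bool:
    """Approximate Go regexp.MatchString: a search anywhere in the path."""
    return re.search(pattern, path) is not None


def _match_fullmatch(pattern: str, path: str) -> bool:
    """The mistaken check: the pattern must cover the entire path."""
    return re.fullmatch(pattern, path) is not None


def covering_patterns(path, patterns, matcher=_match_unanchored):
    """Return the allowlist entries that would exclude `path` from scanning.

    An empty list means gitleaks still scans the file, so a secret placed
    there will be reported rather than silently allowlisted.
    """
    return [p for p in patterns if matcher(p, path)]


def fixture_is_scanned(path=SMOKE_FIXTURE, patterns=ALLOWLIST_PATHS) -> bool:
    """True when no allowlist.paths entry covers the smoke fixture.

    This is the precondition a gitleaks smoke test should assert before
    treating a failing CI job as proof of end-to-end detection.
    """
    return not covering_patterns(path, patterns)


if __name__ == "__main__":
    # With fullmatch the broad "txt" entry goes unnoticed; with search it is caught.
    print("fullmatch flags:", covering_patterns(SMOKE_FIXTURE, ALLOWLIST_PATHS, _match_fullmatch))
    print("search flags   :", covering_patterns(SMOKE_FIXTURE, ALLOWLIST_PATHS))
    print("fixture scanned:", fixture_is_scanned())
```

In a real test the list would be read from the repository's gitleaks config and `fixture_is_scanned()` asserted true before the dummy-secret branch is pushed, so a later allowlist edit that happens to cover the fixture fails the test instead of turning the smoke test into a false pass.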
Development

Successfully merging this pull request may close these issues.

Test the gitleaks job with a known-bad branch before merging

1 participant