Skip to content

fix(secrets-scan): fail-closed on public repo (fail-on-findings: true)#79

Merged
nsportsman merged 1 commit into
mainfrom
fix/secrets-scan-fail-closed-public
Jun 2, 2026
Merged

fix(secrets-scan): fail-closed on public repo (fail-on-findings: true)#79
nsportsman merged 1 commit into
mainfrom
fix/secrets-scan-fail-closed-public

Conversation

@nsportsman

Copy link
Copy Markdown
Contributor

Why

This is a public repository. A secret committed here is world-readable and
search-indexed the instant it lands — by the time it surfaces in the Security
tab, rotation is the only remedy left.

Today this caller runs the Titus secret scanner in observe-only mode
(fail-on-findings defaults to false in the reusable), so a detected secret
does not fail CI on push:main or PR. For public repos the correct posture
is fail-closed — consistent with GitHub making push-protection default-on
for public repos.

Change

Add with: { fail-on-findings: true } to the calling job. A Titus hit now
breaks the build. upload-sarif stays true (GHAS is free on public repos),
so we keep Security-tab tracking and gain blocking.

No change to the pinned reusable SHA or permissions. (Pin-comment hygiene — the
# v2.2.1 label over an untagged SHA — is tracked as a separate follow-up.)

🤖 Generated with Claude Code

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@nsportsman, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 30 minutes and 11 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 12454bf5-82fb-421b-b5eb-0361a557aa8e

📥 Commits

Reviewing files that changed from the base of the PR and between 4fd5bd7 and 2c2a9dd.

📒 Files selected for processing (1)
  • .github/workflows/secrets-scan.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/secrets-scan-fail-closed-public

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

github-actions Bot commented Jun 2, 2026

Copy link
Copy Markdown

Gemini review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @gemini on a review comment to force a review.

@github-actions

github-actions Bot commented Jun 2, 2026

Copy link
Copy Markdown

Claude review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @claude on a review comment to force a review.

@github-actions

github-actions Bot commented Jun 2, 2026

Copy link
Copy Markdown

Codex review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @codex on a review comment to force a review.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2c2a9dd554

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

actions: read
pull-requests: read
with:
fail-on-findings: true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Don't leave docs-only PRs outside enforcement

This only makes Titus fail when the reusable workflow actually runs, but I checked the pinned titus-scan.yml and its preflight sets should_scan=false for PRs whose changed files are all *.md, *.txt, images, LICENSE, or under docs/. In those PRs, fail-on-findings is never evaluated, so a secret added to README.md or docs/... can still pass the PR checks in this public repo and only be discovered after merge by the push/scheduled scan. If the goal is fail-closed on secret introductions, the caller needs a workflow/version/path that scans those PRs too.

Useful? React with 👍 / 👎.

@nsportsman nsportsman merged commit b686407 into main Jun 2, 2026
20 checks passed
@nsportsman nsportsman deleted the fix/secrets-scan-fail-closed-public branch June 2, 2026 22:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant