fix(secrets-scan): fail-closed on public repo (fail-on-findings: true)#79
Conversation
|
Warning Review limit reached
More reviews will be available in 30 minutes and 11 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
Gemini review skipped — non-code PR (only changed files matching |
|
Claude review skipped — non-code PR (only changed files matching |
|
Codex review skipped — non-code PR (only changed files matching |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2c2a9dd554
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| actions: read | ||
| pull-requests: read | ||
| with: | ||
| fail-on-findings: true |
There was a problem hiding this comment.
Don't leave docs-only PRs outside enforcement
This only makes Titus fail when the reusable workflow actually runs, but I checked the pinned titus-scan.yml and its preflight sets should_scan=false for PRs whose changed files are all *.md, *.txt, images, LICENSE, or under docs/. In those PRs, fail-on-findings is never evaluated, so a secret added to README.md or docs/... can still pass the PR checks in this public repo and only be discovered after merge by the push/scheduled scan. If the goal is fail-closed on secret introductions, the caller needs a workflow/version/path that scans those PRs too.
Useful? React with 👍 / 👎.
Why
This is a public repository. A secret committed here is world-readable and
search-indexed the instant it lands — by the time it surfaces in the Security
tab, rotation is the only remedy left.
Today this caller runs the Titus secret scanner in observe-only mode
(
fail-on-findingsdefaults tofalsein the reusable), so a detected secretdoes not fail CI on
push:mainor PR. For public repos the correct postureis fail-closed — consistent with GitHub making push-protection default-on
for public repos.
Change
Add
with: { fail-on-findings: true }to the calling job. A Titus hit nowbreaks the build.
upload-sarifstaystrue(GHAS is free on public repos),so we keep Security-tab tracking and gain blocking.
No change to the pinned reusable SHA or permissions. (Pin-comment hygiene — the
# v2.2.1label over an untagged SHA — is tracked as a separate follow-up.)🤖 Generated with Claude Code