Add CodeQL and secret scanning CI gates #56

Merged: negillett merged 5 commits into main from add-codeql-gitleaks-gates, May 22, 2026
Conversation

@negillett (Member)
Summary

  • Adds Python CodeQL analysis with intentproof-extra pack, gitleaks, and pre-commit.

Test plan

  • Workflow validation pending on PR

Review

No blocking internal review findings.

Manual steps (org settings)

Enable GitHub Advanced Security and secret-scanning push protection for this
repository in IntentProof organization settings. These cannot be set via code.

Wire gitleaks, allowlist expiry checks, and CodeQL analysis.

Signed-off-by: Nathan Gillett <nathangillett@Nathans-MacBook-Pro.local>
cursor Bot commented May 21, 2026

PR Summary

Low Risk
Low runtime risk since changes are CI/config only, but it may newly fail PRs due to CodeQL findings, expired allowlist entries, or detected secrets.

Overview
Introduces a new codeql GitHub Actions workflow that runs on pushes/PRs and on a schedule, performing Python CodeQL analysis and uploading security results.

Adds a CodeQL finding allowlist file (.github/codeql-allowlist.yml) plus a CI gate (scripts/check-codeql-allowlist.sh) that fails when allowlist entries are missing/invalid/expired.

Adds gitleaks secret scanning in CI and a matching local pre-commit hook, with repository-specific allowlists in .gitleaks.toml to reduce false positives.

Reviewed by Cursor Bugbot for commit f4b2fbe. Bugbot is set up for automated code reviews on this repo.
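The overview above describes a CI gate that fails when an allowlist entry is missing a field, malformed, or past its expiry date. The script below is an added example of such a gate written for this page; it is not the project's scripts/check-codeql-allowlist.sh and does not know its real schema. It assumes a flat YAML list where each entry carries `rule`, `path`, `expires` (YYYY-MM-DD) and `reason` keys; that format, the sample rule ids and the sample paths are constructed for the demo.

```shell
#!/bin/sh
# Added example of an allowlist expiry gate (not the project's own
# scripts/check-codeql-allowlist.sh). Assumed entry format, which is an
# assumption and not the project's real schema:
#
#   - rule: py/some-query-id
#     path: src/module.py
#     expires: YYYY-MM-DD
#     reason: why the finding is accepted
#
# Every entry must carry all four keys; the gate fails if any key is
# missing, the date is malformed, or the expiry is before the reference date.

# check_allowlist FILE TODAY -> returns 0 when every entry is complete and
# unexpired, 1 otherwise (one diagnostic line per bad entry on stdout).
check_allowlist() {
  awk -v today="$2" '
    function finish_entry() {
      if (!seen) return
      n++
      if (rule == "" || path == "" || expires == "" || reason == "") {
        printf "entry %d: missing rule/path/expires/reason\n", n; bad++
      } else if (expires !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/) {
        printf "entry %d (%s): expires must be YYYY-MM-DD, got %s\n", n, rule, expires; bad++
      } else if (expires < today) {
        # ISO dates compare correctly as plain strings, so no date(1) needed
        printf "entry %d (%s on %s): expired %s\n", n, rule, path, expires; bad++
      }
      rule = path = expires = reason = ""; seen = 0
    }
    # a new list item closes the previous entry and opens the next one
    /^- /                    { finish_entry(); seen = 1; sub(/^- /, "") }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      sub(/^[ \t]+/, "")
      i = index($0, ":"); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      if (key == "rule") rule = val
      else if (key == "path") path = val
      else if (key == "expires") expires = val
      else if (key == "reason") reason = val
    }
    END { finish_entry(); exit (bad > 0) }
  ' "$1"
}

# write_sample_allowlists DIR: writes three constructed allowlist files
# (sample rule ids and paths only; not findings from any real repository).
write_sample_allowlists() {
  cat > "$1/ok.yml" <<'EOF'
# constructed sample: complete entry, still valid on 2026-05-22
- rule: py/clear-text-logging-sensitive-data
  path: src/example_pkg/client.py
  expires: 2026-12-31
  reason: logs only a redacted key identifier, reviewed 2026-05-01
EOF
  cat > "$1/expired.yml" <<'EOF'
- rule: py/weak-cryptographic-algorithm
  path: tests/fixtures/legacy.py
  expires: 2026-01-15
  reason: test fixture only
EOF
  cat > "$1/missing.yml" <<'EOF'
- rule: py/weak-cryptographic-algorithm
  path: tests/fixtures/legacy.py
  expires: 2027-01-15
EOF
}

# Demo: run with --demo to judge each sample file against a fixed date.
# In CI the call would be: check_allowlist .github/codeql-allowlist.yml "$(date +%F)"
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  write_sample_allowlists "$dir"
  for name in ok expired missing; do
    if check_allowlist "$dir/$name.yml" 2026-05-22; then
      echo "$name.yml: pass"
    else
      echo "$name.yml: FAIL (gate would block the PR)"
    fi
  done
  rm -rf "$dir"
fi
```

The reference date is passed in rather than read inside the function so the gate is deterministic in tests and can be pinned to a release date in CI; comparing ISO dates as strings avoids the GNU/BSD `date -d` portability gap that a pre-commit hook on macOS would otherwise hit.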

@github-advanced-security
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Replace gitleaks-action (org license required) with pinned
v8.24.2 CLI matching pre-commit. Fix allowlist.regexTarget
TOML and allowlist Ed25519 type-name false positives.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
@cursor cursor Bot left a comment
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit f82149b.

Nathan Gillett added 3 commits May 21, 2026 09:09
Use gitleaks-action, local allowlist script, and tools ref
552da9d for javascript custom queries where applicable.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
Use pinned gitleaks CLI, flatten allowlist TOML, and harden
the allowlist expiry parser. Point JS CodeQL at the split pack.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
Skip the _instance_private_key type annotation pattern that triggers
generic-api-key on client.py.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
@negillett negillett merged commit c4df3ff into main May 22, 2026
7 checks passed
@negillett negillett deleted the add-codeql-gitleaks-gates branch May 22, 2026 00:11