ci: fix Gitleaks — PR mode scans only PR commits, not full history

sanchitmonga22 · claude · sanchitmonga22 · commit 2f0561efebcd · 2026-04-16T15:42:34.000-07:00
The baseline approach (scanning full history + skipping known findings)
was fragile: CI's merge-checkout includes commits that differ from the
local clone used to generate the baseline, causing 2 unmatched
fingerprints.

Better architecture:
- PR mode: `gitleaks detect --log-opts="base_sha..HEAD"` scans ONLY
  the commits in the PR. Historical secrets are naturally ignored since
  they were introduced in older commits not in the PR's range.
- Push-to-main mode: `--log-opts="before..HEAD"` scans only the pushed
  commits. Falls back to baseline if the before-SHA is unavailable
  (e.g. new branch push).

This matches how professional secret scanning works: check what's new,
not what's old. The .gitleaksbaseline is kept for the push-to-main
fallback path.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
@@ -3,14 +3,17 @@ name: Secret Scanning
 # =============================================================================
 # Gitleaks Secret Scanning Workflow
 #
-# Scans every push to main and every pull request for leaked secrets,
-# API keys, tokens, and internal URLs. Uses the project-level
-# .gitleaks.toml for RunAnywhere-specific patterns on top of gitleaks'
-# built-in detectors.
+# Scans for leaked secrets, API keys, tokens, and internal URLs.
+# Uses the project-level .gitleaks.toml for RunAnywhere-specific patterns.
 #
-# Uses the gitleaks CLI directly (MIT-licensed, free for all) instead of
-# gitleaks-action@v2 which requires a paid license for organization
-# accounts.
+# Strategy:
+#   - Pull requests: scan ONLY the PR's commits (not full history). Catches
+#     new secrets without tripping on the 49 known historical findings.
+#   - Push to main: scan the pushed commits with a baseline file so known
+#     findings are skipped and only genuinely new leaks fail CI.
+#
+# Uses gitleaks CLI directly (MIT-licensed, free) instead of
+# gitleaks-action@v2 which requires a paid license for organizations.
 # =============================================================================
 
 on:
@@ -40,10 +43,32 @@ jobs:
           gitleaks version
 
       - name: Run Gitleaks
+        env:
+          EVENT_NAME: ${{ github.event_name }}
         run: |
-          ARGS="--source . --redact --verbose"
-          # Use project config if present
-          [ -f .gitleaks.toml ] && ARGS="$ARGS --config .gitleaks.toml"
-          # Use baseline file to ignore known historical findings (only flag NEW leaks)
-          [ -f .gitleaksbaseline ] && ARGS="$ARGS --baseline-path .gitleaksbaseline"
-          gitleaks detect $ARGS
+          CONFIG_ARG=""
+          [ -f .gitleaks.toml ] && CONFIG_ARG="--config .gitleaks.toml"
+
+          if [ "$EVENT_NAME" = "pull_request" ]; then
+            # PR mode: only scan the commits in this PR, not full history.
+            # This naturally ignores all historical secrets without needing
+            # a baseline file (which can drift between local and CI clones).
+            echo "PR mode: scanning only PR commits"
+            gitleaks detect --source . $CONFIG_ARG --redact --verbose \
+              --log-opts="${{ github.event.pull_request.base.sha }}..HEAD"
+          else
+            # Push-to-main mode: scan the pushed commits. Fall back to
+            # baseline-based full scan if the before SHA is unavailable.
+            echo "Push mode: scanning pushed commits"
+            BEFORE="${{ github.event.before }}"
+            if [ -n "$BEFORE" ] && [ "$BEFORE" != "0000000000000000000000000000000000000000" ]; then
+              gitleaks detect --source . $CONFIG_ARG --redact --verbose \
+                --log-opts="${BEFORE}..HEAD"
+            elif [ -f .gitleaksbaseline ]; then
+              gitleaks detect --source . $CONFIG_ARG --redact --verbose \
+                --baseline-path .gitleaksbaseline
+            else
+              echo "::warning::No baseline and no before-SHA; running full scan"
+              gitleaks detect --source . $CONFIG_ARG --redact --verbose
+            fi
+          fi
