# P5.AGG.002 — Repository runs a secret scanner in CI
| Field | Value |
|---|---|
| Principle | P5 Aggregation of danger |
| Severity | warn |
| Evidence | strong |
| Stability | experimental |
## What it checks
Fires when the repo has CI configuration but no secret-scanning tool is detected in the CI pipeline.
## Recognized scanners
The rule looks for these keywords in CI file paths:
- gitleaks — git history and file scanning
- trufflehog — regex + entropy-based scanning
- detect-secrets — pre-commit and CI scanner by Yelp
- secretlint — pluggable secret linter
- talisman — pre-push hook by ThoughtWorks
- git-secrets — AWS-originated pre-commit hook
## Detection method
CI files are identified by path prefix (.github/workflows/, .circleci/,
.buildkite/) or exact name (.gitlab-ci.yml, Jenkinsfile, etc.). The
rule checks whether any CI file path contains a scanner keyword (e.g.,
.github/workflows/gitleaks.yml).
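The detection method above, reimplemented as an added illustration (this is not the rule's own source code): it classifies repo paths as CI config by the listed prefixes and exact names, then fires only when CI files exist and none of their paths contains a scanner keyword. Assumed, because the page does not say: keyword matching is case-insensitive, exact names are compared against the file's basename, and the page's "etc." is not expanded.

```python
from dataclasses import dataclass, field

# CI configuration is recognized by path prefix or exact file name
# (only the names the page lists; its "etc." is not expanded here).
CI_PATH_PREFIXES = (".github/workflows/", ".circleci/", ".buildkite/")
CI_EXACT_NAMES = (".gitlab-ci.yml", "Jenkinsfile")

# Scanner keywords the rule looks for in CI file paths.
SCANNER_KEYWORDS = ("gitleaks", "trufflehog", "detect-secrets",
                    "secretlint", "talisman", "git-secrets")


def is_ci_file(path: str) -> bool:
    """True when `path` is CI config by prefix or by exact basename
    (basename comparison is an assumption)."""
    basename = path.rsplit("/", 1)[-1]
    return path.startswith(CI_PATH_PREFIXES) or basename in CI_EXACT_NAMES


def mentions_scanner(path: str) -> bool:
    """True when any recognized scanner keyword appears in the path.
    Case-insensitive matching is an assumption."""
    lower = path.lower()
    return any(keyword in lower for keyword in SCANNER_KEYWORDS)


@dataclass
class Finding:
    fires: bool
    ci_files: list = field(default_factory=list)
    scanner_files: list = field(default_factory=list)


def check_p5_agg_002(repo_paths) -> Finding:
    """Fires when CI config exists but no CI file path names a scanner.
    A keyword outside a CI path (e.g. docs/gitleaks.md) does not count."""
    ci_files = [p for p in repo_paths if is_ci_file(p)]
    scanner_files = [p for p in ci_files if mentions_scanner(p)]
    return Finding(bool(ci_files) and not scanner_files, ci_files, scanner_files)


if __name__ == "__main__":
    # Constructed sample trees, not taken from any real repository.
    samples = {
        "ci, no scanner": ["README.md", ".github/workflows/ci.yml"],
        "ci + gitleaks": [".github/workflows/ci.yml", ".github/workflows/gitleaks.yml"],
        "no ci at all": ["README.md", "src/main.py"],
        "keyword outside ci": ["Jenkinsfile", "docs/gitleaks.md"],
    }
    for label, paths in samples.items():
        print(f"{label:20} fires={check_p5_agg_002(paths).fires}")
```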
## When to suppress
If the repo uses a scanner not in the keyword list, or uses a platform-native scanner (e.g., GitHub Advanced Security secret scanning), add an ignore entry: