ci: Add secrets detector #2154

Merged
chtruong814 merged 2 commits into main from chtruong/detect-secrets
Feb 3, 2026

Conversation


@chtruong814 chtruong814 commented Jan 30, 2026

What does this PR do ?

ci: Add secrets detector

Changelog

  • Add specific line by line info of high level changes in this PR.

GitHub Actions CI

See the CI section in the Contributing doc for how to trigger the CI. A Nvidia developer will need to approve and trigger the CI for external contributors.

Before your PR is "Ready for review"

Pre checks:

  • Make sure you read and followed Contributor guidelines
  • Did you write any new necessary tests?
  • Did you add or update any necessary documentation?
  • Does the PR affect components that are optional to install? (Ex: Numba, Pynini, Apex etc)
    • Reviewer: Does the PR have correct import guards for all optional libraries?

If you haven't finished some of the above items you can still open a "Draft" PR.

Additional Information

  • Related to # (issue)

Summary by CodeRabbit

  • Chores
    • Set up automated secret detection scanning within the continuous integration pipeline to strengthen security oversight and reduce the risk of sensitive information exposure.


Signed-off-by: Charlie Truong <chtruong@nvidia.com>
Signed-off-by: Charlie Truong <chtruong@nvidia.com>

coderabbitai bot commented Jan 30, 2026

📝 Walkthrough

The changes introduce secret detection infrastructure to the repository by adding a detect-secrets baseline configuration file and a GitHub Actions workflow configured to run secret detection on pull requests using an external reusable CI workflow template.

Changes

Cohort: Secret Detection Infrastructure
File(s): .github/workflows/detect-secrets.yml, .github/workflows/config/.secrets.baseline
Summary: Introduces a GitHub Actions workflow for automated secret detection on pull requests and a baseline configuration file specifying detection plugins, filters, and known secrets across the codebase.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly describes the main change: adding a secrets detector to CI configuration. It directly maps to the two new files introduced (.secrets.baseline and detect-secrets.yml workflow).
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Test Results For Major Changes: ✅ Passed. Changes are minor infrastructure additions (CI/workflow files) for secrets detection that do not impact code behavior or performance.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/config/.secrets.baseline:
- Around line 136-143: The JSON entry with "type": "Secret Keyword" and
"hashed_secret": "0de7d8c7d76191fdcb236d3c62be9adf20424ca2" that corresponds to
the line containing GH_TOKEN=${{ secrets.PAT }} is missing the audit flag; add
the property "is_secret": false to that object (same shape as other detected
entries) so the record is marked audited and treated as a false positive.

Comment on lines +136 to +143 of .github/workflows/config/.secrets.baseline:

    ".github/workflows/cicd-main.yml": [
      {
        "type": "Secret Keyword",
        "filename": ".github/workflows/cicd-main.yml",
        "hashed_secret": "0de7d8c7d76191fdcb236d3c62be9adf20424ca2",
        "is_verified": false,
        "line_number": 284
      }

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check line 284 in cicd-main.yml
echo "=== Content around line 284 in cicd-main.yml ==="
sed -n '280,290p' .github/workflows/cicd-main.yml 2>/dev/null || echo "File not found or error reading"

# Also check if the file exists and its total line count
echo ""
echo "=== File info ==="
if [ -f .github/workflows/cicd-main.yml ]; then
  wc -l .github/workflows/cicd-main.yml
else
  echo "File does not exist"
fi

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 674


🏁 Script executed:

#!/bin/bash
# Examine the .secrets.baseline to verify the claim about is_secret flag
echo "=== Checking entries in .secrets.baseline for is_secret flag ==="
jq '.results[] | {file: .filename, has_is_secret: (has("is_secret")), is_secret_value: .is_secret}' .github/workflows/config/.secrets.baseline 2>/dev/null | head -50

echo ""
echo "=== Count of entries with and without is_secret flag ==="
jq '[.results[] | has("is_secret")] | group_by(.) | map({has_flag: .[0], count: length})' .github/workflows/config/.secrets.baseline 2>/dev/null

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 193


🏁 Script executed:

#!/bin/bash
# Find the specific entry for cicd-main.yml and compare with others
echo "=== Entry for cicd-main.yml ==="
jq '.results[] | select(.filename == ".github/workflows/cicd-main.yml")' .github/workflows/config/.secrets.baseline 2>/dev/null

echo ""
echo "=== Sample entries from other files to compare ==="
jq '.results[] | select(.filename != ".github/workflows/cicd-main.yml") | {filename, line_number, is_secret} | select(.is_secret != null)' .github/workflows/config/.secrets.baseline 2>/dev/null | head -20

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 154


🏁 Script executed:

#!/bin/bash
# Read the .secrets.baseline file directly to understand its structure
echo "=== First 50 lines of .secrets.baseline ==="
head -50 .github/workflows/config/.secrets.baseline

echo ""
echo "=== Lines 130-150 of .secrets.baseline (around the cicd-main.yml entry) ==="
sed -n '130,150p' .github/workflows/config/.secrets.baseline

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 1637


🏁 Script executed:

#!/bin/bash
# Check for is_secret field in the file with grep
echo "=== Occurrences of is_secret field ==="
grep -n "is_secret" .github/workflows/config/.secrets.baseline | head -20

echo ""
echo "=== Total number of secret entries ==="
grep -c '"type": "Secret' .github/workflows/config/.secrets.baseline

echo ""
echo "=== Check structure around cicd-main.yml entry ==="
sed -n '135,145p' .github/workflows/config/.secrets.baseline

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 832


🏁 Script executed:

#!/bin/bash
# Get all entries to see the complete pattern
echo "=== All entries in results section ==="
sed -n '135,240p' .github/workflows/config/.secrets.baseline | grep -E '(filename|is_secret|line_number)' | head -30

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 1299


Add missing audit flag to unaudited secret entry.

The entry for .github/workflows/cicd-main.yml at line 284 is missing the "is_secret": false flag that all other detected entries have. This indicates it has not been audited.

Line 284 contains GH_TOKEN=${{ secrets.PAT }}, which is a GitHub Actions secret reference and a false positive. Add "is_secret": false to mark it as audited.

Proposed fix
     ".github/workflows/cicd-main.yml": [
       {
         "type": "Secret Keyword",
         "filename": ".github/workflows/cicd-main.yml",
         "hashed_secret": "0de7d8c7d76191fdcb236d3c62be9adf20424ca2",
         "is_verified": false,
-        "line_number": 284
+        "line_number": 284,
+        "is_secret": false
       }
     ],
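Review bot: the trailing comma added on the `"line_number": 284,` line is required for the file to remain valid JSON, so the suggestion must be applied as a whole and not just the `"is_secret": false` line; the key itself is the one `detect-secrets audit` writes for a reviewed false positive and matches the shape of the other entries in this baseline, so running `detect-secrets audit .github/workflows/config/.secrets.baseline` and answering "no" for this finding produces the same result without hand-editing. The entry stays a false positive only while line 284 of cicd-main.yml is the `GH_TOKEN=${{ secrets.PAT }}` reference; if that line changes, the hashed_secret will no longer match and the baseline needs to be regenerated rather than patched.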
🧰 Tools
🪛 Gitleaks (8.30.0)

[high] 140-140: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

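The review above turns on one property of a detect-secrets baseline: a result entry with no "is_secret" key has never been audited, "is_secret": false records a reviewed false positive, and "is_secret": true records a confirmed secret. The following script is an added example, not code from this PR or from the detect-secrets project; it applies that rule to a constructed baseline excerpt (file names, hashes and line numbers are made up) and shows a merge gate that fails on unaudited or confirmed entries, plus the same hand edit the suggested change makes, done programmatically.

```python
"""Audit-status check for a detect-secrets baseline (added example).

detect-secrets stores findings under "results", keyed by file name.
`detect-secrets audit` adds "is_secret": true/false to each entry a human
has reviewed.  An entry without that key was never looked at; an entry
with "is_secret": true is a confirmed live secret that must not ship.
"""
import json

# Constructed baseline excerpt.  The shape follows the detect-secrets JSON
# format; the paths, hashes and line numbers are placeholders for this example.
SAMPLE_BASELINE = """
{
  "version": "1.5.0",
  "plugins_used": [{"name": "KeywordDetector"}],
  "results": {
    ".github/workflows/ci.yml": [
      {
        "type": "Secret Keyword",
        "filename": ".github/workflows/ci.yml",
        "hashed_secret": "0000000000000000000000000000000000000001",
        "is_verified": false,
        "line_number": 42
      }
    ],
    "tests/fixtures/config.yaml": [
      {
        "type": "Secret Keyword",
        "filename": "tests/fixtures/config.yaml",
        "hashed_secret": "0000000000000000000000000000000000000002",
        "is_verified": false,
        "line_number": 7,
        "is_secret": false
      },
      {
        "type": "Hex High Entropy String",
        "filename": "tests/fixtures/config.yaml",
        "hashed_secret": "0000000000000000000000000000000000000003",
        "is_verified": false,
        "line_number": 9,
        "is_secret": true
      }
    ]
  }
}
"""


def load_results(baseline_text):
    """Flatten the per-file result lists into one list of entries."""
    data = json.loads(baseline_text)
    return [entry for entries in data.get("results", {}).values() for entry in entries]


def unaudited(baseline_text):
    """(filename, line_number) of entries nobody has audited yet."""
    return [(e["filename"], e["line_number"])
            for e in load_results(baseline_text) if "is_secret" not in e]


def confirmed_secrets(baseline_text):
    """(filename, line_number) of entries audited as real secrets."""
    return [(e["filename"], e["line_number"])
            for e in load_results(baseline_text) if e.get("is_secret") is True]


def baseline_gate(baseline_text):
    """Return (ok, messages); ok is False when the baseline should block a merge."""
    messages = []
    for filename, line in unaudited(baseline_text):
        messages.append(f"unaudited finding: {filename}:{line} (run `detect-secrets audit`)")
    for filename, line in confirmed_secrets(baseline_text):
        messages.append(f"confirmed secret: {filename}:{line} (rotate it and remove it)")
    return (not messages, messages)


def mark_false_positive(baseline_text, filename, line_number):
    """Return a new baseline text with one entry marked as an audited false positive.

    This is the same edit the review suggests for the cicd-main.yml entry; in
    practice `detect-secrets audit` writes the flag, this just shows the shape.
    """
    data = json.loads(baseline_text)
    for entry in data["results"].get(filename, []):
        if entry["line_number"] == line_number:
            entry["is_secret"] = False
    return json.dumps(data, indent=2)


if __name__ == "__main__":
    ok, msgs = baseline_gate(SAMPLE_BASELINE)
    for msg in msgs:
        print(msg)
    print("baseline ok" if ok else "baseline blocks merge")
```

On the sample baseline the gate reports one unaudited finding and one confirmed secret; marking the ci.yml entry as a false positive clears the first but the confirmed entry in the fixture file still blocks the merge, which is the behaviour a CI secrets check should have.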

@chtruong814 chtruong814 merged commit aca2bc0 into main Feb 3, 2026
50 checks passed
@chtruong814 chtruong814 deleted the chtruong/detect-secrets branch February 3, 2026 20:55
yaoyu-33 pushed a commit that referenced this pull request Feb 3, 2026
Signed-off-by: Charlie Truong <chtruong@nvidia.com>
sowmen pushed a commit to sowmen/Megatron-Bridge that referenced this pull request Feb 11, 2026
Signed-off-by: Charlie Truong <chtruong@nvidia.com>
Signed-off-by: sowmen <sowmendipta@gmail.com>