241 changes: 241 additions & 0 deletions .github/workflows/config/.secrets.baseline
@@ -0,0 +1,241 @@
{
"version": "1.5.0",
"plugins_used": [
{
"name": "ArtifactoryDetector"
},
{
"name": "AWSKeyDetector"
},
{
"name": "AzureStorageKeyDetector"
},
{
"name": "Base64HighEntropyString",
"limit": 4.5
},
{
"name": "BasicAuthDetector"
},
{
"name": "CloudantDetector"
},
{
"name": "DiscordBotTokenDetector"
},
{
"name": "GitHubTokenDetector"
},
{
"name": "GitLabTokenDetector"
},
{
"name": "HexHighEntropyString",
"limit": 3.0
},
{
"name": "IbmCloudIamDetector"
},
{
"name": "IbmCosHmacDetector"
},
{
"name": "IPPublicDetector"
},
{
"name": "JwtTokenDetector"
},
{
"name": "KeywordDetector",
"keyword_exclude": ""
},
{
"name": "MailchimpDetector"
},
{
"name": "NpmDetector"
},
{
"name": "OpenAIDetector"
},
{
"name": "PrivateKeyDetector"
},
{
"name": "PypiTokenDetector"
},
{
"name": "SendGridDetector"
},
{
"name": "SlackDetector"
},
{
"name": "SoftlayerDetector"
},
{
"name": "SquareOAuthDetector"
},
{
"name": "StripeDetector"
},
{
"name": "TelegramBotTokenDetector"
},
{
"name": "TwilioKeyDetector"
}
],
"filters_used": [
{
"path": "detect_secrets.filters.allowlist.is_line_allowlisted"
},
{
"path": "detect_secrets.filters.common.is_baseline_file",
"filename": ".github/workflows/config/.secrets.baseline"
},
{
"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
"min_level": 2
},
{
"path": "detect_secrets.filters.heuristic.is_indirect_reference"
},
{
"path": "detect_secrets.filters.heuristic.is_likely_id_string"
},
{
"path": "detect_secrets.filters.heuristic.is_lock_file"
},
{
"path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
},
{
"path": "detect_secrets.filters.heuristic.is_potential_uuid"
},
{
"path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
},
{
"path": "detect_secrets.filters.heuristic.is_sequential_string"
},
{
"path": "detect_secrets.filters.heuristic.is_swagger_file"
},
{
"path": "detect_secrets.filters.heuristic.is_templated_secret"
},
{
"path": "detect_secrets.filters.regex.should_exclude_file",
"pattern": [
"pyproject\\.toml|\\.github/workflows/config/\\.secrets\\.baseline"
]
}
],
"results": {
".github/workflows/cicd-main.yml": [
{
"type": "Secret Keyword",
"filename": ".github/workflows/cicd-main.yml",
"hashed_secret": "0de7d8c7d76191fdcb236d3c62be9adf20424ca2",
"is_verified": false,
"line_number": 284
}
Comment on lines +136 to +143
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check line 284 in cicd-main.yml
echo "=== Content around line 284 in cicd-main.yml ==="
sed -n '280,290p' .github/workflows/cicd-main.yml 2>/dev/null || echo "File not found or error reading"

# Also check if the file exists and its total line count
echo ""
echo "=== File info ==="
if [ -f .github/workflows/cicd-main.yml ]; then
  wc -l .github/workflows/cicd-main.yml
else
  echo "File does not exist"
fi

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 674


🏁 Script executed:

#!/bin/bash
# Examine the .secrets.baseline to verify the claim about is_secret flag
echo "=== Checking entries in .secrets.baseline for is_secret flag ==="
jq '.results[] | {file: .filename, has_is_secret: (has("is_secret")), is_secret_value: .is_secret}' .github/workflows/config/.secrets.baseline 2>/dev/null | head -50

echo ""
echo "=== Count of entries with and without is_secret flag ==="
jq '[.results[] | has("is_secret")] | group_by(.) | map({has_flag: .[0], count: length})' .github/workflows/config/.secrets.baseline 2>/dev/null

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 193


🏁 Script executed:

#!/bin/bash
# Find the specific entry for cicd-main.yml and compare with others
echo "=== Entry for cicd-main.yml ==="
jq '.results[] | select(.filename == ".github/workflows/cicd-main.yml")' .github/workflows/config/.secrets.baseline 2>/dev/null

echo ""
echo "=== Sample entries from other files to compare ==="
jq '.results[] | select(.filename != ".github/workflows/cicd-main.yml") | {filename, line_number, is_secret} | select(.is_secret != null)' .github/workflows/config/.secrets.baseline 2>/dev/null | head -20

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 154


🏁 Script executed:

#!/bin/bash
# Read the .secrets.baseline file directly to understand its structure
echo "=== First 50 lines of .secrets.baseline ==="
head -50 .github/workflows/config/.secrets.baseline

echo ""
echo "=== Lines 130-150 of .secrets.baseline (around the cicd-main.yml entry) ==="
sed -n '130,150p' .github/workflows/config/.secrets.baseline

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 1637


🏁 Script executed:

#!/bin/bash
# Check for is_secret field in the file with grep
echo "=== Occurrences of is_secret field ==="
grep -n "is_secret" .github/workflows/config/.secrets.baseline | head -20

echo ""
echo "=== Total number of secret entries ==="
grep -c '"type": "Secret' .github/workflows/config/.secrets.baseline

echo ""
echo "=== Check structure around cicd-main.yml entry ==="
sed -n '135,145p' .github/workflows/config/.secrets.baseline

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 832


🏁 Script executed:

#!/bin/bash
# Get all entries to see the complete pattern
echo "=== All entries in results section ==="
sed -n '135,240p' .github/workflows/config/.secrets.baseline | grep -E '(filename|is_secret|line_number)' | head -30

Repository: NVIDIA-NeMo/Megatron-Bridge

Length of output: 1299


Add missing audit flag to unaudited secret entry.

The entry for .github/workflows/cicd-main.yml at line 284 is missing the "is_secret": false flag that all other detected entries have. This indicates it has not been audited.

Line 284 contains GH_TOKEN=${{ secrets.PAT }}, which is a GitHub Actions secret reference and a false positive. Add "is_secret": false to mark it as audited.

Proposed fix
     ".github/workflows/cicd-main.yml": [
       {
         "type": "Secret Keyword",
         "filename": ".github/workflows/cicd-main.yml",
         "hashed_secret": "0de7d8c7d76191fdcb236d3c62be9adf20424ca2",
         "is_verified": false,
-        "line_number": 284
+        "line_number": 284,
+        "is_secret": false
       }
     ],
Suggested change
".github/workflows/cicd-main.yml": [
{
"type": "Secret Keyword",
"filename": ".github/workflows/cicd-main.yml",
"hashed_secret": "0de7d8c7d76191fdcb236d3c62be9adf20424ca2",
"is_verified": false,
"line_number": 284
}
".github/workflows/cicd-main.yml": [
{
"type": "Secret Keyword",
"filename": ".github/workflows/cicd-main.yml",
"hashed_secret": "0de7d8c7d76191fdcb236d3c62be9adf20424ca2",
"is_verified": false,
"line_number": 284,
"is_secret": false
}
🧰 Tools
🪛 Gitleaks (8.30.0)

[high] 140-140: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🤖 Prompt for AI Agents
In @.github/workflows/config/.secrets.baseline around lines 136 - 143, The JSON
entry with "type": "Secret Keyword" and "hashed_secret":
"0de7d8c7d76191fdcb236d3c62be9adf20424ca2" that corresponds to the line
containing GH_TOKEN=${{ secrets.PAT }} is missing the audit flag; add the
property "is_secret": false to that object (same shape as other detected
entries) so the record is marked audited and treated as a false positive.

],
"CONTRIBUTING.md": [
{
"type": "Secret Keyword",
"filename": "CONTRIBUTING.md",
"hashed_secret": "999d493295471df21f917fdc49321086466edf87",
"is_verified": false,
"line_number": 58,
"is_secret": false
}
],
"docker/manifest.json": [
{
"type": "Hex High Entropy String",
"filename": "docker/manifest.json",
"hashed_secret": "7ae58d0f08b842ce4d8de7c9ae79feca070eb79e",
"is_verified": false,
"line_number": 5,
"is_secret": false
}
],
"scripts/training/launch_with_sbatch.sh": [
{
"type": "Secret Keyword",
"filename": "scripts/training/launch_with_sbatch.sh",
"hashed_secret": "5d961f73a9b6f9dc9884e659e013d76631e13dbf",
"is_verified": false,
"line_number": 87,
"is_secret": false
}
],
"tests/functional_tests/training/test_load_model.py": [
{
"type": "Base64 High Entropy String",
"filename": "tests/functional_tests/training/test_load_model.py",
"hashed_secret": "906b706cb02260b7de67df2a36315ae2fb2ab27d",
"is_verified": false,
"line_number": 41,
"is_secret": false
}
],
"tests/unit_tests/recipes/test_run_plugins.py": [
{
"type": "Secret Keyword",
"filename": "tests/unit_tests/recipes/test_run_plugins.py",
"hashed_secret": "767ef7376d44bb6e52b390ddcd12c1cb1b3902a4",
"is_verified": false,
"line_number": 521,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": "tests/unit_tests/recipes/test_run_plugins.py",
"hashed_secret": "00942f4668670f34c5943cf52c7ef3139fe2b8d6",
"is_verified": false,
"line_number": 882,
"is_secret": false
}
],
"tutorials/data/dclm/data_pipeline.ipynb": [
{
"type": "Base64 High Entropy String",
"filename": "tutorials/data/dclm/data_pipeline.ipynb",
"hashed_secret": "518f01d26deb33a16a9750232754e8950c8fc698",
"is_verified": false,
"line_number": 69,
"is_secret": false
},
{
"type": "Base64 High Entropy String",
"filename": "tutorials/data/dclm/data_pipeline.ipynb",
"hashed_secret": "a307fa66e51942700c4023ae0a4745654e768735",
"is_verified": false,
"line_number": 129,
"is_secret": false
},
{
"type": "Base64 High Entropy String",
"filename": "tutorials/data/dclm/data_pipeline.ipynb",
"hashed_secret": "8bc0e0ae33dd981ff58e4a06e0392c87d1bda9e5",
"is_verified": false,
"line_number": 136,
"is_secret": false
}
],
"tutorials/training/reduced_precision_training.ipynb": [
{
"type": "Base64 High Entropy String",
"filename": "tutorials/training/reduced_precision_training.ipynb",
"hashed_secret": "9e399440a1f7957a428b39d3a61d249f64401780",
"is_verified": false,
"line_number": 122,
"is_secret": false
}
]
},
"generated_at": "2026-01-29T20:01:40Z"
}
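Review bot: The `should_exclude_file` filter's pattern `pyproject\.toml|\.github/workflows/config/\.secrets\.baseline` removes `pyproject.toml` from scanning entirely, and because the regex is unanchored it also matches any nested path containing that name. Excluding the baseline file itself is standard, but `pyproject.toml` is where private package-index URLs and publish credentials tend to land, so this is one of the files a secrets scan should cover. If the exclusion exists to silence a specific finding, the per-finding audit mechanism this baseline already uses (`"is_secret": false` on the entries in `results`) is the narrower tool; if the intent really is to skip the file, anchoring the pattern as `^pyproject\.toml$` limits it to the repository root. I cannot tell from this page what finding, if any, prompted the exclusion.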
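--- a/.github/workflows/detect-secrets.yml
+++ b/.github/workflows/detect-secrets.yml
@@ -0,0 +1,21 @@
+# Copyright (c) 2026 NVIDIA CORPORATION.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: Secrets detector
+
+on:
+pull_request:
+
+jobs:
+secrets-detector:
+uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_secrets-detector.yml@v0.70.0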
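Review bot: The reusable workflow on the `uses:` line is referenced by the tag `v0.70.0`, which is mutable, so whatever runs in this job is whatever that tag points to at the time, not a fixed revision; pinning to the full commit SHA and keeping the tag as a comment, `uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_secrets-detector.yml@<FULL_COMMIT_SHA_PLACEHOLDER> # v0.70.0`, makes the checked-in reference immutable and lets a tool such as Dependabot bump it. The workflow also declares no top-level `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` permissions; adding `permissions:` / `contents: read` at the top level is the least-privilege baseline, presuming the called workflow needs nothing beyond reading the checkout — that should be confirmed against the template. The YAML indentation under `on:` and `jobs:` appears flattened on this rendered page and is presumably intact in the file.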