SECOPS-2268: Add Gitleaks to CI (#7755)

## Motivation / Implements This PR adds the necessary files to configure [Gitleaks](https://github.com/gitleaks/gitleaks) to run on PRs on this repo. The Apollo Security team uses Gitleaks to test our repositories for secrets. Once this is accepted and merged, the Security team plans to make a passing Gitleaks check a requirement for PRs to merge into this repo. This will prevent secrets from being introduced to our repos. In the event that a secret _is_ detected on a repo, the CI job will add a comment to the PR associated with the detection to provide instructions on how to properly resolve the detection. Additionally, if a secret is detected, the Apollo Security team will be notified so that we can be available to assist in resolving the detection. If maintainers reviewing this PR have questions, please see this [Apollo-internal Slack link](https://apollograph.slack.com/archives/C03HCCJBAJC/p1696261536123059). ## Changed - Added `.circleci/config.yml` to this repo. This file contains appropriate configuration to enable Gitleaks as a CI check.
apollographql · Oct 12, 2023 · 252cb38 · 252cb38
1 parent dbad90f
commit 252cb38
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -2,6 +2,7 @@ version: 2.1
 
 orbs:
   node: circleci/[email protected]
+  secops: apollo/[email protected]
 
 commands:
   install-volta:
@@ -151,3 +152,12 @@ workflows:
       - Smoke test built package
       - Full incremental delivery tests with graphql-js 17 canary
       - Changesets
+  security-scans:
+    jobs:
+      - secops/gitleaks:
+          context:
+            - platform-docker-ro
+            - github-orb
+            - secops-oidc
+          git-base-revision: <<#pipeline.git.base_revision>><<pipeline.git.base_revision>><</pipeline.git.base_revision >>
+          git-revision: << pipeline.git.revision >>