
fix: prevent false-positive secrets alerts on gitleaks scanning errors #10

Open
zen-agent wants to merge 2 commits into master from zen/fix-gitleaks-false-positives-uasy0w

Conversation

@zen-agent (Contributor) commented Mar 13, 2026

Description

Fixes fatal: Invalid revision range errors in the gitleaks secrets detection workflow that caused false-positive alerts on PR comments and Slack (buzz-security).

Root cause: The gitleaks action (ScanPullRequest) fetches the PR commit list via the GitHub API, then constructs a revision range first_commit^..last_commit with --first-parent. But actions/checkout defaults to checking out the ephemeral merge ref (refs/pull/<n>/merge) — not the actual PR HEAD. When a PR contains merge commits (e.g., "Merge branch 'master' into feature"), the PR HEAD SHA differs from the merge ref's parents, and git cannot resolve the revision range via --first-parent, producing:

  fatal: Invalid revision range 03937c9203...^..a41436bd6f...

This caused gitleaks to exit with code 1 (error, not leaks), but the workflow treated any failure as "secrets detected", firing false PR comments and Slack alerts.

Fix:

  1. Check out the PR HEAD SHA directly (ref: ${{ github.event.pull_request.head.sha }}) instead of the merge ref, ensuring the actual PR commit graph is available
  2. Explicitly fetch the base branch so baseRef^ (the parent of the first PR commit) resolves correctly

Previous attempts to fix this (commits bd877ca, a10369f) tried fetching individual SHAs which doesn't work with git fetch. This fix uses the correct approach of checking out the right ref from the start.

How did I test this PR

  • Traced the exact failure from hermes run #23035382950:
    • Checkout was at merge ref 00a87d52dd (merging 03937c9203 into 0bbe5580e5)
    • Gitleaks tried range 03937c9203^..a41436bd6f (from PR commits API)
    • a41436bd6f is the actual PR HEAD (a merge commit on the PR branch), not reachable via --first-parent from the merge ref
  • Read gitleaks-action source (src/gitleaks.js:160-172) to confirm how the revision range is constructed from PR commits API
  • Reproduced the exact git log command locally — works when the PR HEAD is properly checked out, fails when the merge ref topology differs
  • Verified YAML syntax is valid

Triggered by: srujan@composio.dev | Source: slack
Session: https://zen-api-production-4c98.up.railway.app/dashboard/#/chat/zen-29d183b7c352
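The PR page above shows no diff, so here is an added illustration (not the PR's own change and not code from the repository) of the two checkout styles the description contrasts: the default merge-ref checkout that leads to the unresolvable revision range, and the corrected checkout of the PR HEAD SHA followed by an explicit fetch of the base branch. The workflow name, job name, action versions and the permissions block are assumptions; the gitleaks action and the GITHUB_TOKEN environment variable are the ones the page refers to.

```yaml
# Added illustration, not the PR's diff: a minimal pull_request-triggered
# gitleaks job. Workflow/job names, action versions and permissions are
# assumptions made for this example.
name: secrets-scan

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # assumed: lets the action post its PR comment
    steps:
      # BEFORE (problematic): with no `ref`, actions/checkout takes the
      # ephemeral merge ref refs/pull/<n>/merge instead of the PR HEAD.
      # The range first_commit^..last_commit that the action builds from
      # the PR commits API then may not resolve in the resulting graph,
      # gitleaks exits 1 (scanning error, not leaks), and a workflow that
      # treats any non-zero exit as "secrets detected" raises a false alert.
      #
      # - uses: actions/checkout@v4
      #   with:
      #     fetch-depth: 0

      # AFTER: check out the actual PR HEAD commit so the PR's own commit
      # graph is what gitleaks walks with --first-parent.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0

      # Explicitly fetch the base branch so baseRef^ (the parent of the
      # first PR commit) is present and resolves.
      - name: Fetch base branch
        run: git fetch --no-tags origin "${{ github.event.pull_request.base.ref }}"

      - name: Run gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two points worth keeping in mind when adopting this shape. First, checking out `head.sha` means the scan runs over the PR branch as submitted, not over the speculative merge result, which is what a per-commit secrets scan wants anyway. Second, the job stays on the `pull_request` event (not `pull_request_target`), so checking out contributor commits does not expose repository secrets beyond the read-scoped `GITHUB_TOKEN`; if an alerting step needs a Slack webhook or similar, keep it out of any job that checks out untrusted PR code.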

acsrujan and others added 2 commits March 13, 2026 04:10

When gitleaks encounters a git error (e.g., "Invalid revision range" on
synchronize events with merge commits), it exits with code 1 (error)
instead of code 2 (leaks found). The workflow previously treated any
failure as "secrets detected", sending false-positive PR comments and
Slack alerts to buzz-security.

This adds a SARIF verification step that checks whether actual leaks
were found before triggering alerts. Scanning errors now produce a
warning annotation instead of false alerts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-authored-by: Zen Agent <zen@composio.dev>

The gitleaks action (ScanPullRequest) fetches the PR commit list via
GitHub API and constructs a range: first_commit^..last_commit. When
actions/checkout checks out the default merge ref (refs/pull/<n>/merge),
the PR HEAD commit may not be directly reachable via --first-parent
in the resulting git graph, causing:

  fatal: Invalid revision range <base>^..<head>

Fix by checking out the PR HEAD SHA directly and explicitly fetching
the base branch, ensuring the full commit graph is available for
gitleaks to scan.

Also removes the SARIF verification workaround (continue-on-error +
verify_leaks step) since fixing the root cause makes it unnecessary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-authored-by: Zen Agent <zen@composio.dev>
@zen-agent (Contributor, Author) commented:

PR Status Update

Codex Review: Passed (LGTM) — no actionable issues found
CI: No CI workflows configured for this repo (contains only reusable workflows)
Build Checks: N/A — no build tooling in this repo
Testing: Validated against failing run logs, reproduced git command locally, traced gitleaks-action source
PR Comments: None to address

Changes

  • Check out PR HEAD SHA directly instead of merge ref (fixes revision range resolution)
  • Fetch base branch explicitly (ensures baseRef^ resolves correctly)
