From 006288deffb5be610159f28d7d5bfd73e26d4a94 Mon Sep 17 00:00:00 2001
From: "brightwheel-application-security[bot]" <244806090+brightwheel-application-security[bot]@users.noreply.github.com>
Date: Wed, 28 Jan 2026 20:25:34 +0000
Subject: [PATCH 1/2] upgrade secrets scanning workflow
---
 .github/workflows/secrets-scan.yaml | 112 ++++++++++++++++++++++------
 1 file changed, 91 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/secrets-scan.yaml b/.github/workflows/secrets-scan.yaml
index f8c47f1..20c43f4 100644
--- a/.github/workflows/secrets-scan.yaml
+++ b/.github/workflows/secrets-scan.yaml
@@ -1,31 +1,101 @@ -# GitHub Actions workflow that calls the brightwheel appsec-tooling reusable workflow for secrets -# scanning on protected branches. -# -# DEPENDENCIES: -# -# * Organization-level Variable (Settings → Secrets and variables → Actions → Variables): -# - APPSEC_SCANNER_PULL_ROLE_ARN: AWS IAM role ARN for ECR scanner image access via OIDC +# Secrets scanning workflow for public repositories name: Secrets Scan on: - # Automatic scanning on every push to PR branches pull_request: - types: [opened, synchronize, reopened, ready_for_review] branches: - master - # Manual trigger - workflow_dispatch: - inputs: - pr_number: - description: "PR number to scan (optional)" - required: false - ref: - description: "Branch/ref to scan (optional, defaults to current)" - required: false + push: + branches: + - master jobs: scan: - if: ${{ !github.event.pull_request.draft || github.event_name == 'workflow_dispatch' }} - uses: brightwheel/appsec-tooling/.github/workflows/reusable-secrets-scan.yaml@main - secrets: inherit + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Determine commit range + id: range + run: | + if [ "${{ github.event_name }}" = "pull_request" ]; then + BASE_SHA="${{ github.event.pull_request.base.sha }}" + HEAD_SHA="${{ github.event.pull_request.head.sha }}" + echo "log_opts=--no-merges --first-parent ${BASE_SHA}^..${HEAD_SHA}" >> $GITHUB_OUTPUT + elif [ "${{ github.event_name }}" = "push" ]; then + BEFORE_SHA="${{ github.event.before }}" + AFTER_SHA="${{ github.event.after }}" + + # check for first commit or single commit + if [ "$BEFORE_SHA" = "0000000000000000000000000000000000000000" ] || [ "$BEFORE_SHA" = "$AFTER_SHA" ]; then + echo "log_opts=-1" >> $GITHUB_OUTPUT + else + echo "log_opts=--no-merges --first-parent ${BEFORE_SHA}^..${AFTER_SHA}" >> $GITHUB_OUTPUT + fi + fi + + - name: Download gitleaks + run: | + GITLEAKS_VERSION=$(curl 
-s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') + curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar xzf - gitleaks + chmod +x gitleaks + + - name: Run scan + id: scan + continue-on-error: true + run: | + ./gitleaks detect \ + --source="." \ + --redact \ + --report-format=json \ + --report-path=results.json \ + --log-opts='${{ steps.range.outputs.log_opts }}' \ + --verbose + + - name: Display findings + if: always() && hashFiles('results.json') != '' + run: | + if [ -f results.json ]; then + echo "## Scan Results" + echo "" + + # count findings + FINDING_COUNT=$(jq 'length' results.json) + + if [ "$FINDING_COUNT" -eq 0 ]; then + echo "✅ No secrets detected" + else + echo "⚠️ Found $FINDING_COUNT secret(s)" + echo "" + echo "| File | Line | Secret Type |" + echo "|------|------|-------------|" + + jq -r '.[] | "| \(.File) | \(.StartLine) | \(.RuleID) |"' results.json + + echo "" + echo "Remove these secrets from the code to proceed." + fi + fi + + - name: Comment on PR if secrets found + if: failure() && github.event_name == 'pull_request' + uses: actions/github-script@v7 + with: + script: | + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + body: '⚠️ **Secrets detected** - This PR cannot be merged until secrets are removed from the code.' + }); + + - name: Fail if secrets detected + if: steps.scan.outcome != 'success' + run: exit 1 From fb6069533976a54e30f7c9a846c9d63be2bf8a7d Mon Sep 17 00:00:00 2001 From: "brightwheel-application-security[bot]" <244806090+brightwheel-application-security[bot]@users.noreply.github.com> Date: Wed, 28 Jan 2026 20:25:34 +0000 Subject: [PATCH 2/2] upgrade gitleaks configuration
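Review bot: The `Comment on PR if secrets found` step near the end of the hunk is gated on `failure()`, but the only step that can fail before it is `Run scan`, which carries `continue-on-error: true`; as far as I can tell a step allowed to continue on error does not put the job into a failed state, so `failure()` stays false and the PR comment is never posted when findings exist. The final `Fail if secrets detected` step already keys off the step outcome, so the comment step should be gated the same way: `if: steps.scan.outcome != 'success' && github.event_name == 'pull_request'`. Separately, the `Download gitleaks` step resolves `latest` from the releases API at run time and extracts the tarball with no integrity check, so the scanner binary that gates merges to master is whatever that URL serves on a given day; pin `GITLEAKS_VERSION` to a specific release (a placeholder such as `GITLEAKS_VERSION="<pinned-release>"`) and compare the downloaded archive's SHA-256 against the value published with that release before `tar xzf`. Pinning also removes the dependency on an unauthenticated `api.github.com` call, which can be rate-limited from shared runners and would then leave `GITLEAKS_VERSION` empty.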