Improving security is one of our company's goals this year. With Engineering & Devops & InfoSec combined efforts we came up with a solution that combines global scanning and reporting with a way for teams to easily get early feedback and overall visibility

How it works:

• PR Guardrails: A gitleaks scanner runs as a GitHub Action on every PR - it only scans the PR diff, so it's fast and won't slow you down
• Main Branch Scans: Full scans run on merges to main and on-demand to ensure the existing codebase remains clean.
• Global Reporting: A weekly scan of all LM/CB repositories will generate a global report. You can expect to see these reports starting next week.

This has been running on my team's repos without any issues. Please ping me if you are interested in early adoption.

Next steps:

• This PR is part of roll up to active repositories.
• The Pull Requests scanner will help you identify new issues, however, this should be a very rare case
• Please plan actions on existing secrets. In some cases, the scanner will find false positives, just add them to ignore file. Claude Code prompt "Validate, fix or ignore gitleaks finds + " works like a charm.
• Please note - our goal isn't to fix everything overnight, but to stop the "leak" and make steady progress on existing debt

Full details, examples, and troubleshooting: https://loopme.atlassian.net/wiki/spaces/OPS/pages/4401332317/Secrets+scanning+in+CI+CD

For any questions / feedback, please join #tmp-scanner-rollout