[CI] issue: 4705805 Add secret scan step #1145
base: master
Conversation
Greptile Overview
Greptile Summary
Adds secret scanning as a new CI pipeline step that runs by default on all pull requests.
Key Changes:
- Introduced new `secret-scan` Docker container (harbor.mellanox.com/toolbox/secret_scan:0.0.23)
- Added Secret Scan step in `matrix_job.yaml` that executes `/opt/nvidia/secret_scan.py` to scan workspace files
- Created `do_secretscan` parameter in `proj_jjb.yaml` (enabled by default) to control execution
- Secret scan generates `secret_scan.html` report that gets archived as a build artifact
- Uses existing `mellanox_github_credentials` for authentication
- Follows the same pattern as the existing Copyrights check step
Minor improvements:
- Cleaned up trailing whitespace in several lines
Confidence Score: 5/5
- This PR is safe to merge with minimal risk - it adds a non-blocking security scan step using standard CI patterns
- The implementation follows existing patterns (similar to Copyrights step), uses proper credential management, is enabled by default but can be disabled via parameter, and only adds scanning without modifying core functionality
- No files require special attention
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/matrix_job.yaml | 5/5 | Added secret-scan container and Secret Scan step with proper credentials. Includes minor whitespace cleanup. |
| .ci/proj_jjb.yaml | 5/5 | Added do_secretscan parameter (default true) to enable/disable secret scanning. Minor whitespace fix. |
Sequence Diagram

```mermaid
sequenceDiagram
    participant PR as Pull Request
    participant Jenkins as Jenkins Pipeline
    participant JJB as Job Config
    participant Matrix as Matrix Job
    participant Harbor as Harbor Registry
    participant Scanner as Secret Scanner
    participant Workspace as Source Files
    PR->>Jenkins: Trigger CI Build
    Jenkins->>JJB: Load job parameters
    JJB->>Jenkins: Enable secret scan (default: true)
    Jenkins->>Matrix: Execute pipeline steps
    Matrix->>Harbor: Pull secret_scan:0.0.23 image
    Harbor->>Scanner: Container ready
    Matrix->>Scanner: Mount workspace with auth
    Scanner->>Workspace: Scan for secrets
    Workspace->>Scanner: Return file contents
    Scanner->>Scanner: Analyze and generate report
    Scanner->>Jenkins: Save secret_scan.html
    Jenkins->>PR: Report results
```
2 files reviewed, no comments
Force-pushed 648b0ed to f1867eb
Greptile Overview
Greptile Summary
Integrated Nvidia's secret scanning tool into the CI pipeline and migrated infrastructure to new Docker registry.
- Added new "Secret Scan" step using `nbu-harbor.gtm.nvidia.com/toolbox/secret_scan:0.0.23` container
- Configured secret scanning to run by default with `do_secretscan: true` parameter
- Updated all Docker registry URLs from `harbor.mellanox.com` to `nbu-harbor.gtm.nvidia.com`
- Secret scan step runs early in pipeline (after copyrights check) with GitHub token authentication
- Generates HTML report as artifact for review
Confidence Score: 5/5
- This PR is safe to merge with minimal risk
- The changes are purely CI/infrastructure configuration updates with no impact on application code. The secret scanning addition improves security posture, and the registry migration follows standard infrastructure updates. All changes follow existing patterns in the codebase (similar to the copyrights check step).
- No files require special attention
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/matrix_job.yaml | 5/5 | Added secret scanning step and migrated all Docker registry URLs from harbor.mellanox.com to nbu-harbor.gtm.nvidia.com |
| .ci/proj_jjb.yaml | 5/5 | Added do_secretscan boolean parameter with default true to enable secret scanning in CI pipeline |
Sequence Diagram

```mermaid
sequenceDiagram
    participant GH as GitHub PR
    participant CI as CI Pipeline
    participant Container as Secret Scan Container
    participant Registry as nbu-harbor.gtm.nvidia.com
    participant Workspace as Workspace
    GH->>CI: Trigger CI Pipeline
    CI->>CI: Check do_secretscan parameter
    alt do_secretscan == true
        CI->>Registry: Pull secret_scan:0.0.23 image
        Registry-->>CI: Return container image
        CI->>Container: Start secret scan container
        CI->>Container: Pass GITHUB_TOKEN credential
        Container->>Workspace: Scan files in $WORKSPACE
        Container->>Container: Run /opt/nvidia/secret_scan.py
        Container->>Workspace: Generate secret_scan.html report
        Container-->>CI: Exit with status code
        CI->>CI: Archive *.html artifacts
    end
    CI->>GH: Report pipeline status
```
2 files reviewed, no comments
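As an added illustration (not code from this PR, and not NVIDIA's `/opt/nvidia/secret_scan.py`, whose internals the thread does not show), a minimal stand-in with the same shape as the step the summary describes: scan `$WORKSPACE`, write `secret_scan.html` for archiving, honour a `do_secretscan` gate and return a non-zero exit status when anything is found. Pattern names, sample files and the report layout are assumptions.

```python
"""Stand-in for a CI secret-scan step (added illustration, not NVIDIA's secret_scan.py)."""
import html, os, re, tempfile
# Published token shapes plus a generic `password = "..."` rule; in CI a false
# positive costs a review minute, a missed key costs a credential rotation.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "generic_assignment": re.compile(r"(?i)\b(password|secret|api_key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

def scan_workspace(workspace):
    """Return (relative path, line number, rule name) for every match under workspace."""
    findings = []
    for root, dirs, files in os.walk(workspace):
        dirs[:] = [d for d in dirs if d not in (".git", "node_modules")]  # skip VCS objects
        for name in files:
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for line_no, line in enumerate(fh, 1):
                    for rule, rx in PATTERNS.items():
                        if rx.search(line):
                            findings.append((os.path.relpath(path, workspace), line_no, rule))
    return findings

def write_report(findings, report_path):
    """Report file, line and rule only, never the value, so the archived artifact cannot leak it."""
    rows = "".join(f"<tr><td>{html.escape(p)}</td><td>{n}</td><td>{r}</td></tr>"
                   for p, n, r in findings)
    with open(report_path, "w", encoding="utf-8") as fh:
        fh.write("<html><body><h1>Secret scan</h1><table><tr><th>File</th>"
                 f"<th>Line</th><th>Rule</th></tr>{rows}</table></body></html>")

def run_step(workspace, do_secretscan=True):
    """Mirror the do_secretscan gate; return (exit code, findings), 0 = clean."""
    if not do_secretscan:
        return 0, []
    findings = scan_workspace(workspace)
    write_report(findings, os.path.join(workspace, "secret_scan.html"))
    return (1 if findings else 0), findings

def demo():
    """Constructed workspace: AWS's documented example key id, a YAML password, a clean file."""
    ws = tempfile.mkdtemp()
    samples = {"config.py": "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
               "settings.yaml": 'db:\n  password: "hunter2hunter2"\n',
               "README.md": "nothing sensitive here\n"}
    for name, text in samples.items():
        with open(os.path.join(ws, name), "w") as fh:
            fh.write(text)
    return run_step(ws)
```

Wiring `run_step`'s exit code into the pipeline makes the step block on findings; the PR's summary describes the archived report as non-blocking, so a real step would pick one or the other deliberately.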
bot:retest
5 similar comments
Force-pushed f1867eb to 2585928
Greptile Summary
Confidence Score: 5/5
Sequence Diagram

```mermaid
sequenceDiagram
    participant CI as "CI Pipeline"
    participant Container as "secret-scan Container"
    participant Script as "/opt/nvidia/secret_scan.py"
    participant Workspace as "Repository Code"
    CI->>CI: "Check do_secretscan parameter"
    CI->>Container: "Launch toolbox/secret_scan:0.0.27"
    Container->>Script: "Execute with GITHUB_TOKEN"
    Script->>Workspace: "Scan $WORKSPACE for secrets"
    Script->>Script: "Generate secret_scan.html report"
    Script->>CI: "Return scan results"
    CI->>CI: "Archive *.html artifacts"
```
2 files reviewed, no comments
Force-pushed 2585928 to 9b298db
2 files reviewed, no comments
bot:retest
Make Secrets Scanner run as a step in CI

Signed-off-by: Noam Tsemah <[email protected]>
Force-pushed 9b298db to ad97ef9
2 files reviewed, no comments
bot:retest
Description
What
Make Secrets Scanner run as a step in CI
Why?
HPCINFRA-2780
How?
It is optional but for complex PRs please provide information about the design, architecture, approach, etc.
Change type
What kind of change does this PR introduce?
Check list