Conversation

@ntsemah ntsemah commented Nov 5, 2025

Description

What

Make Secrets Scanner run as a step in CI

Why?

HPCINFRA-2780

How?

It is optional but for complex PRs please provide information about the design,
architecture, approach, etc.

Change type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Tests
  • Other

Check list

  • Code follows the de facto style guidelines of this project
  • Comments have been inserted in hard to understand places
  • Documentation has been updated (if necessary)
  • Test has been added (if possible)

@greptile-apps greptile-apps bot left a comment


Greptile Overview

Greptile Summary

Added secret scanning as a CI pipeline step to detect potential secrets in source code.

  • Added secret-scan Docker container (version 0.0.23) to the runs_on_dockers configuration in .ci/matrix_job.yaml:183
  • Created new "Secret Scan" pipeline step that executes the scanning tool and generates an HTML report in .ci/matrix_job.yaml:216-226
  • Added do_secretscan boolean parameter (default: true) to Jenkins job configuration in .ci/opensource_jjb.yaml:121-123
  • Minor whitespace cleanup on DOCA installation script lines in .ci/matrix_job.yaml:238,243

The implementation follows established patterns in the CI configuration, properly using containerSelector, agentSelector, and credentials management. The step runs early in the pipeline and archives HTML reports for review.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • Score reflects that this is a straightforward CI configuration change that adds a new security scanning tool. The implementation follows existing patterns in the codebase, uses proper credentials management, and only adds functionality without modifying existing steps. The changes are well-isolated and low-risk.
  • No files require special attention

Important Files Changed

File Analysis

Filename Score Overview
.ci/matrix_job.yaml 5/5 Added secret-scan container and Secret Scan step with proper configuration
.ci/opensource_jjb.yaml 5/5 Added do_secretscan boolean parameter to enable/disable secret scanning

Sequence Diagram

sequenceDiagram
    participant GH as GitHub PR
    participant JJ as Jenkins Job
    participant SC as Secret Scan Container
    participant WS as Workspace
    participant AR as Artifacts

    GH->>JJ: Trigger CI with do_secretscan enabled
    JJ->>JJ: Load matrix_job.yaml config
    JJ->>SC: Pull secret-scan container image
    SC->>JJ: Container ready
    JJ->>SC: Start Secret Scan step
    SC->>WS: Scan repository files
    SC->>SC: Execute secret scanning tool
    SC->>AR: Generate HTML report
    SC->>JJ: Return scan results
    JJ->>AR: Archive HTML artifacts
    JJ->>GH: Report CI status

2 files reviewed, no comments


@ntsemah
Author

ntsemah commented Nov 6, 2025

bot:retest

@greptile-apps greptile-apps bot left a comment


Greptile Overview

Greptile Summary

Added secret scanning capability to the CI pipeline by integrating a new Secret Scan step. The change includes migrating all Docker registry URLs from harbor.mellanox.com to nbu-harbor.gtm.nvidia.com and introducing a new CI step that runs the secret_scan:0.0.23 container to scan the workspace for potential secrets.

Key changes:

  • Added do_secretscan parameter in .ci/opensource_jjb.yaml (default: true) to control secret scanning
  • Added new "Secret Scan" step in .ci/matrix_job.yaml that runs before other CI steps
  • Configured the step to use mellanox_github_credentials and archive scan results as HTML
  • Updated all Docker registry URLs from the legacy Mellanox domain to the new NVIDIA domain (10+ references)
  • Minor whitespace cleanup in DOCA installation commands

The implementation follows existing CI patterns, using proper credential management, artifact archiving, and conditional execution via the enable: ${do_secretscan} flag.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The changes are purely CI configuration additions with no impact on production code. The secret scanning step follows established patterns in the codebase (similar to Copyrights step), uses proper credential management, and includes appropriate artifact archiving. The registry URL migration is straightforward and consistent across all references. The feature is also toggleable via the do_secretscan parameter, allowing easy rollback if issues arise.
  • No files require special attention

Important Files Changed

File Analysis

Filename Score Overview
.ci/matrix_job.yaml 5/5 Updated registry URLs from harbor.mellanox.com to nbu-harbor.gtm.nvidia.com and added new Secret Scan step with proper credentials and artifact archiving
.ci/opensource_jjb.yaml 5/5 Added do_secretscan boolean parameter (default: true) to enable/disable secret scanning in CI pipeline

Sequence Diagram

sequenceDiagram
    participant PR as Pull Request
    participant Jenkins as Jenkins CI
    participant Matrix as Matrix Job Config
    participant Docker as Docker Registry
    participant Scanner as Secret Scanner Tool
    
    PR->>Jenkins: Trigger build
    Jenkins->>Matrix: Load configuration
    Matrix->>Docker: Pull scanner image
    Docker-->>Scanner: Provide container
    Scanner->>Scanner: Scan workspace
    Scanner->>Scanner: Generate report
    Scanner-->>Jenkins: Return scan results
    Jenkins->>Jenkins: Archive HTML report
    Jenkins->>PR: Update status

2 files reviewed, no comments


@dpressle
Collaborator

bot:retest

@ntsemah
Author

ntsemah commented Nov 12, 2025

bot:retest

Collaborator

@dpressle dpressle left a comment


Let's add the parameter in the production job and run your PR with it enabled.

@greptile-apps

greptile-apps bot commented Nov 16, 2025

Greptile Summary

  • Added secret scanning step to CI pipeline using secret_scan:0.0.27 Docker image with GitHub token authentication
  • Migrated hardcoded harbor.mellanox.com registry URLs to use ${registry_host} variable interpolation and updated registry host to nbu-harbor.gtm.nvidia.com

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The changes are straightforward CI configuration additions. Secret scanning is properly configured with existing credentials, registry URL updates improve consistency by using variable interpolation, and the new step follows existing patterns in the CI pipeline.
  • No files require special attention

Sequence Diagram

sequenceDiagram
    participant CI as "CI Pipeline"
    participant Docker as "Secret Scan Container"
    participant Script as "secret_scan.py"
    participant Workspace as "Repository Files"
    participant GitHub as "GitHub API"
    participant Artifacts as "Jenkins Artifacts"
    
    CI->>CI: "Check do_secretscan parameter"
    CI->>Docker: "Launch secret-scan:0.0.27 container"
    Docker->>Script: "Execute /opt/nvidia/secret_scan.py"
    Script->>GitHub: "Authenticate with GITHUB_TOKEN"
    GitHub-->>Script: "Authentication successful"
    Script->>Workspace: "Scan files in $WORKSPACE"
    Workspace-->>Script: "Return scan results"
    Script->>Artifacts: "Generate secret_scan.html report"
    Artifacts-->>CI: "Archive *.html artifacts"
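The summaries above describe the step's flow (the container's secret_scan.py scanning $WORKSPACE, writing secret_scan.html, Jenkins archiving *.html) but the scanner itself is not on this page. The following is an added illustrative scanner in that same shape, written for this page and not the project's /opt/nvidia/secret_scan.py: the rule set, file-skipping policy, redaction scheme, exit-code behaviour and the sample workspace are all assumptions or constructed inputs. It demonstrates three things a practitioner wants from such a step and that the summaries do not spell out: the archived report must redact matches, because a build artifact is readable by everyone who can read artifacts; it must HTML-escape repository-derived fields, because file names and matched strings are attacker-controlled input rendered in a browser; and it must exit non-zero on findings, otherwise the step reports but never blocks.

```python
#!/usr/bin/env python3
"""Illustrative secret scanner: walks a workspace, flags likely secrets, writes an HTML report.
Added example; not the project's /opt/nvidia/secret_scan.py, whose rules and output are not on the page."""
import html
import os
import re
import sys
import tempfile
from pathlib import Path

# Illustrative rule set (assumption); production scanners carry far more rules plus entropy checks.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # quoted value after a suspicious key name; group 1 is the candidate secret
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api_key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"),
}
SKIP_DIRS = {".git", "node_modules", "build", "__pycache__"}
MAX_FILE_BYTES = 2 * 1024 * 1024


def redact(value):
    """Keep a short prefix only: the report is archived as a build artifact and must not leak the secret."""
    return value[:4] + "..." + "*" * 4 if len(value) > 6 else "*" * len(value)


def is_text(data):
    return b"\x00" not in data[:4096]


def scan_text(text, rel_path):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(line):
                match = m.group(1) if m.groups() else m.group(0)
                findings.append({"file": rel_path, "line": lineno, "rule": rule, "redacted": redact(match)})
    return findings


def scan_workspace(root):
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if path.stat().st_size > MAX_FILE_BYTES:
                    continue
                data = path.read_bytes()
            except OSError:
                continue
            if not is_text(data):  # skip binaries
                continue
            findings.extend(scan_text(data.decode("utf-8", "replace"), path.relative_to(root).as_posix()))
    return sorted(findings, key=lambda f: (f["file"], f["line"], f["rule"]))


def html_report(findings):
    """Escape every field: file names and matches come from the repository, so they are untrusted HTML."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td><td><code>{}</code></td></tr>".format(
            html.escape(f["file"]), f["line"], html.escape(f["rule"]), html.escape(f["redacted"]))
        for f in findings)
    return ("<!doctype html><html><head><meta charset='utf-8'><title>Secret scan</title></head>"
            "<body><h1>Secret scan: {} finding(s)</h1><table><tr><th>File</th><th>Line</th>"
            "<th>Rule</th><th>Match (redacted)</th></tr>{}</table></body></html>").format(len(findings), rows)


def run(workspace, report_path):
    findings = scan_workspace(workspace)
    Path(report_path).write_text(html_report(findings), encoding="utf-8")
    return findings


def demo():
    """Constructed sample workspace (fake values only); returns (findings, report_html)."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        files = {
            "config/settings.py": 'DB_PASSWORD = "hunter2hunter2"\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
            "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakefakefake\n-----END RSA PRIVATE KEY-----\n",
            "README.md": "Export TOKEN=value before running the tests.\n",  # unquoted: no finding
            ".git/config": 'password = "should-be-skipped"\n',  # pruned directory
        }
        for rel, body in files.items():
            (ws / rel).parent.mkdir(parents=True, exist_ok=True)
            (ws / rel).write_text(body, encoding="utf-8")
        (ws / "bin").mkdir()
        (ws / "bin" / "blob.bin").write_bytes(b"\x00\x01AKIAIOSFODNN7EXAMPLE")  # binary: skipped
        report = Path(tmp) / "secret_scan.html"
        return run(ws, report), report.read_text(encoding="utf-8")


if __name__ == "__main__":
    ws = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("WORKSPACE", ".")
    found = run(ws, "secret_scan.html")
    print(f"{len(found)} finding(s) written to secret_scan.html")
    sys.exit(1 if found else 0)  # non-zero so the CI step fails on findings
```

Run it as `python3 secret_scan_example.py "$WORKSPACE"` from a CI step and archive `secret_scan.html` as the page's step does; the non-zero exit is what turns a report into a gate. The demo workspace shows the negatives that matter as much as the hits: an unquoted `TOKEN=value` in prose, a pruned `.git/` directory, and a binary blob are all silently ignored, which is exactly the kind of blind spot to review when choosing a real rule set.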

@greptile-apps greptile-apps bot left a comment


2 files reviewed, no comments



dpressle previously approved these changes Nov 17, 2025
Make Secrets Scanner run as a step in CI

Signed-off-by: Noam Tsemah <[email protected]>
@greptile-apps greptile-apps bot left a comment


2 files reviewed, no comments


@ntsemah
Author

ntsemah commented Nov 17, 2025

bot:retest

@galnoam galnoam merged commit 1d6f055 into Mellanox:vNext Nov 18, 2025
1 check passed
@ntsemah ntsemah deleted the HPCINFRA-2780 branch November 20, 2025 13:57