From 817817840a6edf30e589d16f53028a40048b9461 Mon Sep 17 00:00:00 2001
From: Val Redchenko
Date: Thu, 28 May 2026 11:34:53 +0100
Subject: [PATCH] security: upload gitleaks SARIF to code scanning

The gitleaks CLI job already writes a SARIF report but only attaches it as a workflow artifact, so findings never reach the Security -> Code scanning tab and there is no way to triage them alongside other SAST results. Add an upload step using github/codeql-action/upload-sarif so reports land in code scanning, and grant the workflow security-events: write so the upload is permitted. The artifact upload is kept for download and inspection.
---
 .github/workflows/leaked-secrets-scan.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/leaked-secrets-scan.yml b/.github/workflows/leaked-secrets-scan.yml
index 493da8b..748d76f 100644
--- a/.github/workflows/leaked-secrets-scan.yml
+++ b/.github/workflows/leaked-secrets-scan.yml
@@ -9,6 +9,10 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   gitleaks-cli:
     name: gitleaks (CLI)
@@ -27,6 +31,12 @@ jobs:
           gitleaks version
       - name: Run gitleaks
         run: gitleaks detect --source . --redact -c .gitleaks.toml -v --report-format sarif --report-path gitleaks-report.sarif
+      - name: Upload SARIF to code scanning
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: gitleaks-report.sarif
+          category: gitleaks
       - name: Upload report
         uses: actions/upload-artifact@v7
         if: always()
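Review bot: The `if: always()` on the new upload-sarif step runs it even when the gitleaks install or `Run gitleaks` step failed before writing `gitleaks-report.sarif`, so the upload then errors on a missing file and the job's failure reason becomes the upload rather than the real cause; guarding on the report's existence, `if: ${{ !cancelled() && hashFiles('gitleaks-report.sarif') != '' }}`, keeps the upload for the "leaks found, non-zero exit" case (which the `always()` is presumably there for) without that noise. The same concern does not apply to the artifact step below it, which appears to tolerate a missing path by default. Separately, on `pull_request` runs from forks the token is read-only regardless of the new `security-events: write` grant, so this step can be expected to fail there if the repository accepts fork PRs — worth a comment on the step such as `# upload needs security-events: write; read-only on fork PRs`. The step pins `github/codeql-action/upload-sarif@v3` to a mutable tag, consistent with `actions/upload-artifact@v7` already in the file, but pinning both to a full commit SHA would narrow the supply-chain exposure of a workflow that holds a write scope. The `gitleaks-cli` job body starts outside the hunk.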