Improved Secret & Vulnerability Scanning Using AI

[andypols]

GitProxy currently has built-in support for gitleaks, but configuring and maintaining it can be cumbersome. The default git-proxy configuration allows certain issues — such as credentials embedded in database URLs — to slip through undetected.

We’ve implemented an alternative scanning approach that uses GPT-5 Codex (you can define the model in the config) to detect security problems more reliably.

Our implementation extracts and reports:

• Vulnerability type
• File path
• Line numbers and a relevant code snippet
• Explanation of why this is a security issue
• Suggested fix

This has been effective in catching issues and informing the user what is wrong and how to resolve it.

I can open a PR to share this implementation if there’s interest from the community.

[kriswest]

That does sound interesting. I imagine it (and gitleaks #1248) both need to be optional plugins, so if you raise a PR i'd go straight to a plugin in https://github.com/finos/git-proxy/tree/main/plugins (despite the fact plugin loading may change - I missed some discussion of that at the last meeting I think)

[andypols]

I've actually implemented it as a configurable action (disabled by default) - exactly the same as the current gitleaks implementation.

Our thoughts are it's so cool that why wouldn't everyone want it! 😆

The nice feature of the current setup is that it reports findings directly in the push output, so users get immediate feedback. We also updated the approval page to highlight any detected issues. It doesn’t fail the push with an error, but it clearly highlights the findings so the approver knows which issues have been detected — our security team loves it as a better version of gitleaks.

Hopefully, we can achieve something similar with plugins. I’ll take a look at where things stand there and what’s involved.