security: add gitleaks scanning + 2026-04-18 security delta review

Delta review between PR #377 (2026-03-17) and 7b42e36 found no new
critical/high issues. Three cybersecurity-skills toolkits ran:
gitleaks secret scanning, GitHub Actions workflow hardening, and
cryptographic audit of the delta.

Historic leak surfaced: 4 real test-instance tokens (zwqg, plasma,
zulu, badger) sat in public git history from late-2025 / early-2026.
All four are now dead ('Invalid token' response), so the exposure is
stale — but worth documenting and preventing recurrence.

Adds:
- .gitleaks.toml: custom rules for NetBox v1 (40-hex) and v2 (nbt_*)
  token formats plus a project-wide allowlist (docker-compose
  bootstrap token, Slack webhook placeholders, generic 'your-key'
  patterns)
- .gitleaks-baseline.json: snapshot of 8 historic (dead-token)
  findings so CI only flags new secrets
- .github/workflows/secret-scan.yml: gitleaks CI on every push/PR
  to dev/main via gitleaks-action@v2
- .pre-commit-config.yaml: opt-in local gitleaks pre-commit hook
- docs/superpowers/reviews/2026-04-18-security-delta-review.md:
  full findings report with severity tags and follow-up PR list

Medium findings documented for follow-up (not fixed here):
- pre-release-validation.yml: 5 \${{ inputs.* }} interpolations
  into pwsh run-blocks (script injection vector via workflow_dispatch)
- actions/* SHA pinning: 25+ unpinned references to GitHub-owned
  actions (supply-chain hardening)

Positive findings worth preserving:
- PR #377 HTTP-plaintext warning, SkipCertificateCheck opt-in,
  AllowInsecureRedirect warning are all intact
- zwqg token was protected by NetBox per-token IP allowlist during
  its live window — a defense-in-depth layer that should be
  enabled on all prod-hosted tokens
- Central auth + TLS code in InvokeNetboxRequest, Connect-NBAPI,
  Set-NBCipherSSL is unchanged since PR #377 (no regressions)

Author: ctrl-alt-automate

.github/workflows/secret-scan.yml

@@ -0,0 +1,29 @@
+name: Secret Scan
+
+on:
+  push:
+    branches: [dev, main, master]
+  pull_request:
+    branches: [dev, main, master]
+
+permissions:
+  contents: read
+
+jobs:
+  gitleaks:
+    name: Gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Full history — gitleaks needs commits to scan
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Gitleaks picks up .gitleaks.toml and .gitleaks-baseline.json
+          # from the repo root automatically.
+          GITLEAKS_ENABLE_SUMMARY: "true"
+          GITLEAKS_ENABLE_COMMENTS: "true"

.gitleaks-baseline.json

@@ -0,0 +1,182 @@
+[
+ {
+  "RuleID": "netbox-v2-token",
+  "Description": "NetBox v2 Bearer token (nbt_\u003ckey\u003e.\u003csecret\u003e)",
+  "StartLine": 272,
+  "EndLine": 272,
+  "StartColumn": 23,
+  "EndColumn": 79,
+  "Match": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "Secret": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "File": ".github/workflows/integration.yml",
+  "SymlinkFile": "",
+  "Commit": "8044791c23a49df78e385aca6ffc74b0023f8ab1",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/8044791c23a49df78e385aca6ffc74b0023f8ab1/.github/workflows/integration.yml#L272",
+  "Entropy": 5.043073,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2026-01-06T12:54:06Z",
+  "Message": "security: Remove hardcoded tokens from ScenarioTestHelper\n\nBREAKING CHANGE: Test credentials now loaded from environment variables\n\nRequired environment variables:\n- NETBOX_449_HOST / NETBOX_449_TOKEN (plasma-paint)\n- NETBOX_449_ZWQG_HOST / NETBOX_449_ZWQG_TOKEN (cloud.netboxapp.com)\n- NETBOX_437_HOST / NETBOX_437_TOKEN (badger-victor)\n- NETBOX_450_HOST / NETBOX_450_TOKEN (zulu-how)\n\nAdded validation with clear error messages when env vars are missing.\n\nIMPORTANT: Revoke and regenerate all exposed tokens immediately!\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v2"
+  ],
+  "Fingerprint": "8044791c23a49df78e385aca6ffc74b0023f8ab1:.github/workflows/integration.yml:netbox-v2-token:272"
+ },
+ {
+  "RuleID": "generic-api-key",
+  "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+  "StartLine": 13,
+  "EndLine": 13,
+  "StartColumn": 10,
+  "EndColumn": 62,
+  "Match": "Token    = '4188039a3a05ebb58e4969873bace61c77222eb7'",
+  "Secret": "4188039a3a05ebb58e4969873bace61c77222eb7",
+  "File": "Tests/Scenario/ScenarioTestHelper.psm1",
+  "SymlinkFile": "",
+  "Commit": "02c3b9594f380b310bc07ea43487019d3d960e49",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/02c3b9594f380b310bc07ea43487019d3d960e49/Tests/Scenario/ScenarioTestHelper.psm1#L13",
+  "Entropy": 3.7464395,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2026-01-03T15:16:15Z",
+  "Message": "feat: Add 500 error fallback for bulk operations\n\nWhen bulk API requests fail with 500 Internal Server Error (which can\noccur due to Redis cache inconsistency on cloud-hosted Netbox instances),\nthe module now automatically falls back to sequential single-item requests.\n\nChanges:\n- Send-NBBulkRequest: Add 500 error detection and sequential fallback\n  with exponential backoff retry (3 attempts, 500ms/1s/2s delays)\n- Connect-NBAPI: Add AllowInsecureRedirect for PS 7.4+ compatibility\n- Set-NBIPAMAddress: Add ValueFromPipelineByPropertyName to Status/Description\n- Get-NBTenant: Rename GroupID to Group_Id with backwards-compatible alias\n- Add Scenario test suite for bulk operations, workflows, filters\n\nFixes: Test file bug where $($i++) in string interpolation doesn't work\nin PowerShell - increment must be on separate line before use.\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [],
+  "Fingerprint": "02c3b9594f380b310bc07ea43487019d3d960e49:Tests/Scenario/ScenarioTestHelper.psm1:generic-api-key:13"
+ },
+ {
+  "RuleID": "generic-api-key",
+  "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+  "StartLine": 18,
+  "EndLine": 18,
+  "StartColumn": 10,
+  "EndColumn": 62,
+  "Match": "Token    = 'a9717b9520d54d19383649066ef3b25e313bf219'",
+  "Secret": "a9717b9520d54d19383649066ef3b25e313bf219",
+  "File": "Tests/Scenario/ScenarioTestHelper.psm1",
+  "SymlinkFile": "",
+  "Commit": "02c3b9594f380b310bc07ea43487019d3d960e49",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/02c3b9594f380b310bc07ea43487019d3d960e49/Tests/Scenario/ScenarioTestHelper.psm1#L18",
+  "Entropy": 3.7659574,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2026-01-03T15:16:15Z",
+  "Message": "feat: Add 500 error fallback for bulk operations\n\nWhen bulk API requests fail with 500 Internal Server Error (which can\noccur due to Redis cache inconsistency on cloud-hosted Netbox instances),\nthe module now automatically falls back to sequential single-item requests.\n\nChanges:\n- Send-NBBulkRequest: Add 500 error detection and sequential fallback\n  with exponential backoff retry (3 attempts, 500ms/1s/2s delays)\n- Connect-NBAPI: Add AllowInsecureRedirect for PS 7.4+ compatibility\n- Set-NBIPAMAddress: Add ValueFromPipelineByPropertyName to Status/Description\n- Get-NBTenant: Rename GroupID to Group_Id with backwards-compatible alias\n- Add Scenario test suite for bulk operations, workflows, filters\n\nFixes: Test file bug where $($i++) in string interpolation doesn't work\nin PowerShell - increment must be on separate line before use.\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [],
+  "Fingerprint": "02c3b9594f380b310bc07ea43487019d3d960e49:Tests/Scenario/ScenarioTestHelper.psm1:generic-api-key:18"
+ },
+ {
+  "RuleID": "netbox-v2-token",
+  "Description": "NetBox v2 Bearer token (nbt_\u003ckey\u003e.\u003csecret\u003e)",
+  "StartLine": 28,
+  "EndLine": 28,
+  "StartColumn": 22,
+  "EndColumn": 78,
+  "Match": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "Secret": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "File": "Tests/Scenario/ScenarioTestHelper.psm1",
+  "SymlinkFile": "",
+  "Commit": "02c3b9594f380b310bc07ea43487019d3d960e49",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/02c3b9594f380b310bc07ea43487019d3d960e49/Tests/Scenario/ScenarioTestHelper.psm1#L28",
+  "Entropy": 5.043073,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2026-01-03T15:16:15Z",
+  "Message": "feat: Add 500 error fallback for bulk operations\n\nWhen bulk API requests fail with 500 Internal Server Error (which can\noccur due to Redis cache inconsistency on cloud-hosted Netbox instances),\nthe module now automatically falls back to sequential single-item requests.\n\nChanges:\n- Send-NBBulkRequest: Add 500 error detection and sequential fallback\n  with exponential backoff retry (3 attempts, 500ms/1s/2s delays)\n- Connect-NBAPI: Add AllowInsecureRedirect for PS 7.4+ compatibility\n- Set-NBIPAMAddress: Add ValueFromPipelineByPropertyName to Status/Description\n- Get-NBTenant: Rename GroupID to Group_Id with backwards-compatible alias\n- Add Scenario test suite for bulk operations, workflows, filters\n\nFixes: Test file bug where $($i++) in string interpolation doesn't work\nin PowerShell - increment must be on separate line before use.\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v2"
+  ],
+  "Fingerprint": "02c3b9594f380b310bc07ea43487019d3d960e49:Tests/Scenario/ScenarioTestHelper.psm1:netbox-v2-token:28"
+ },
+ {
+  "RuleID": "netbox-v2-token",
+  "Description": "NetBox v2 Bearer token (nbt_\u003ckey\u003e.\u003csecret\u003e)",
+  "StartLine": 242,
+  "EndLine": 242,
+  "StartColumn": 24,
+  "EndColumn": 80,
+  "Match": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "Secret": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "File": ".github/workflows/integration.yml",
+  "SymlinkFile": "",
+  "Commit": "a449cfaa9c6c7618986285ab852df27a9e863c0b",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/a449cfaa9c6c7618986285ab852df27a9e863c0b/.github/workflows/integration.yml#L242",
+  "Entropy": 5.043073,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2025-12-30T09:13:28Z",
+  "Message": "ci: Add exe.dev live testing workflow and v2 token support\n\n- Update version matrix: 4.3.7, 4.4.9, 4.5.0-beta1\n- Add v2 token tests for Netbox 4.5+ in integration.yml\n- Add 4.5.0-beta1 to compatibility.yml\n- Create exe-dev-tests.yml for testing against live exe.dev VMs\n  - Manual trigger with VM selection (all/stable/minimum/beta)\n  - Quick and full test scopes\n  - Requires EXEDEV_TOKEN_* secrets\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v2"
+  ],
+  "Fingerprint": "a449cfaa9c6c7618986285ab852df27a9e863c0b:.github/workflows/integration.yml:netbox-v2-token:242"
+ },
+ {
+  "RuleID": "generic-api-key",
+  "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+  "StartLine": 12,
+  "EndLine": 12,
+  "StartColumn": 2,
+  "EndColumn": 49,
+  "Match": "TOKEN=\"a9717b9520d54d19383649066ef3b25e313bf219\"",
+  "Secret": "a9717b9520d54d19383649066ef3b25e313bf219",
+  "File": ".claude/commands/implement.md",
+  "SymlinkFile": "",
+  "Commit": "ef1726d42f622dedf4579016dd6a4fa13df26f17",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/implement.md?plain=1#L12",
+  "Entropy": 3.7659574,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2025-12-10T22:15:53Z",
+  "Message": "Add development tooling and Claude Code integration\n\n- Add CLAUDE.md with project overview and development guide\n- Add Connect-DevNetbox.ps1 helper script for quick API connection\n- Add .netboxps.config.example.ps1 template for local credentials\n- Add specialized slash commands for AI-assisted development:\n  - /netbox-api: Netbox API expert for endpoint documentation\n  - /powershell-expert: PowerShell best practices guidance\n  - /implement: Combined workflow for new endpoint implementation\n  - /test-endpoint: Compatibility testing against Netbox 4.4.7\n- Update .gitignore to exclude local config files\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [],
+  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/implement.md:generic-api-key:12"
+ },
+ {
+  "RuleID": "generic-api-key",
+  "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+  "StartLine": 8,
+  "EndLine": 8,
+  "StartColumn": 2,
+  "EndColumn": 49,
+  "Match": "TOKEN=\"a9717b9520d54d19383649066ef3b25e313bf219\"",
+  "Secret": "a9717b9520d54d19383649066ef3b25e313bf219",
+  "File": ".claude/commands/test-endpoint.md",
+  "SymlinkFile": "",
+  "Commit": "ef1726d42f622dedf4579016dd6a4fa13df26f17",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/test-endpoint.md?plain=1#L8",
+  "Entropy": 3.7659574,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2025-12-10T22:15:53Z",
+  "Message": "Add development tooling and Claude Code integration\n\n- Add CLAUDE.md with project overview and development guide\n- Add Connect-DevNetbox.ps1 helper script for quick API connection\n- Add .netboxps.config.example.ps1 template for local credentials\n- Add specialized slash commands for AI-assisted development:\n  - /netbox-api: Netbox API expert for endpoint documentation\n  - /powershell-expert: PowerShell best practices guidance\n  - /implement: Combined workflow for new endpoint implementation\n  - /test-endpoint: Compatibility testing against Netbox 4.4.7\n- Update .gitignore to exclude local config files\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [],
+  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/test-endpoint.md:generic-api-key:8"
+ },
+ {
+  "RuleID": "generic-api-key",
+  "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+  "StartLine": 21,
+  "EndLine": 21,
+  "StartColumn": 2,
+  "EndColumn": 49,
+  "Match": "TOKEN=\"a9717b9520d54d19383649066ef3b25e313bf219\"",
+  "Secret": "a9717b9520d54d19383649066ef3b25e313bf219",
+  "File": ".claude/commands/netbox-api.md",
+  "SymlinkFile": "",
+  "Commit": "ef1726d42f622dedf4579016dd6a4fa13df26f17",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/netbox-api.md?plain=1#L21",
+  "Entropy": 3.7659574,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2025-12-10T22:15:53Z",
+  "Message": "Add development tooling and Claude Code integration\n\n- Add CLAUDE.md with project overview and development guide\n- Add Connect-DevNetbox.ps1 helper script for quick API connection\n- Add .netboxps.config.example.ps1 template for local credentials\n- Add specialized slash commands for AI-assisted development:\n  - /netbox-api: Netbox API expert for endpoint documentation\n  - /powershell-expert: PowerShell best practices guidance\n  - /implement: Combined workflow for new endpoint implementation\n  - /test-endpoint: Compatibility testing against Netbox 4.4.7\n- Update .gitignore to exclude local config files\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [],
+  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/netbox-api.md:generic-api-key:21"
+ }
+]

.gitleaks.toml

@@ -0,0 +1,64 @@
+# PowerNetbox Gitleaks Configuration
+# Extends the default rule set with PowerNetbox-specific patterns
+# and an allowlist for known test/placeholder values.
+
+title = "PowerNetbox Gitleaks Configuration"
+
+[extend]
+useDefault = true
+
+# Custom rule: NetBox v2 Bearer token format (nbt_<key>.<secret>)
+[[rules]]
+id = "netbox-v2-token"
+description = "NetBox v2 Bearer token (nbt_<key>.<secret>)"
+regex = '''nbt_[A-Za-z0-9]{10,}\.[A-Za-z0-9]{30,}'''
+keywords = ["nbt_"]
+tags = ["netbox", "token", "v2"]
+
+[rules.allowlist]
+description = "Placeholder v2 tokens used in docs and tests"
+regexTarget = "match"
+regexes = [
+    '''nbt_abc123\.xyz789''',
+    '''nbt_ExampleKey123\.ExampleSecretValue456789''',
+    '''nbt_yourKey\.yourSecret''',
+    '''nbt_\{key\}\.\{secret\}''',
+]
+
+# Custom rule: NetBox v1 token (40-char hex)
+[[rules]]
+id = "netbox-v1-token"
+description = "NetBox v1 API token (40-char hex key)"
+regex = '''(?i)(?:netbox[_-]?token|nb[_-]?token|api[_-]?token)\s*[:=]\s*["']?([a-f0-9]{40})["']?'''
+keywords = ["token", "netbox"]
+tags = ["netbox", "token", "v1"]
+
+# Global allowlist for common PowerNetbox test/placeholder values
+[allowlist]
+description = "PowerNetbox project-wide allowlist"
+
+paths = [
+    # Tests use fake tokens throughout
+    '''(^|/)Tests/.*\.Tests\.ps1$''',
+    # Docs reference example tokens
+    '''(^|/)docs/''',
+    # This file itself
+    '''(^|/)\.gitleaks\.toml$''',
+    # Baseline captures historic findings that have been rotated
+    '''(^|/)\.gitleaks-baseline\.json$''',
+]
+
+regexes = [
+    # docker-compose.ci.yml bootstrap token (public netbox-docker default)
+    '''0123456789abcdef0123456789abcdef01234567''',
+    # Slack webhook placeholder pattern (T00000000/B00000000/XXX...)
+    '''hooks\.slack\.com/services/T0+/B0+/X+''',
+    # Common placeholder patterns
+    '''(?i)your[-_]?(api[-_]?)?(token|key|secret)''',
+    '''(?i)(example|sample|placeholder|fake|dummy|test)[-_]?(token|key|secret)''',
+    '''(?i)(<|\[|\{)[^>\]\}]*(token|key|secret|password)[^>\]\}]*(>|\]|\})''',
+    # xxxxxxxx, ****, 00000000 sequences
+    '''x{8,}''',
+    '''\*{8,}''',
+    '''0{10,}''',
+]

.pre-commit-config.yaml

@@ -0,0 +1,15 @@
+# Pre-commit hooks for PowerNetbox
+#
+# Install:  pip install pre-commit && pre-commit install
+# Run all:  pre-commit run --all-files
+#
+# Gitleaks prevents secrets from landing in commits in the first place.
+# Configuration and baseline live in .gitleaks.toml / .gitleaks-baseline.json.
+
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.30.1
+    hooks:
+      - id: gitleaks
+        name: Detect hardcoded secrets
+        description: Block commits containing hardcoded secrets (uses .gitleaks.toml)