A researcher discovered that GitHub Actions' use of abbreviated 7-character commit hashes in workflow configs could be exploited to cause a global DoS: by generating intentional commit-hash prefix collisions, an attacker could make the reference ambiguous, so tarball downloads would fail with 404 errors for anyone referencing the ambiguous short hash. The vulnerability was fixed by updating the config wizard to generate full 40-character commit hashes instead.
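As an added example (not code from the original report or from GitHub's own tooling), a small check that scans a workflow file for `uses:` references and flags any pinned to an abbreviated hash, which is the pattern the fix addresses; the workflow text and the 40-character hash in it are constructed.

```python
import re

# Matches a `uses:` reference of the form owner/repo[/path]@ref in a workflow.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[^@\s]+)?)@([^\s#]+)", re.M)
HEX_RE = re.compile(r"^[0-9a-f]+$")

def classify_ref(ref):
    """Classify a ref: full 40-hex SHA, abbreviated SHA, or a tag/branch name.

    A 7-character prefix carries only 28 bits, so it stops being unique once a
    colliding commit exists; only the full 40-character hash is unambiguous.
    """
    if HEX_RE.match(ref):
        if len(ref) == 40:
            return "full-sha"
        if 7 <= len(ref) < 40:
            return "short-sha"  # ambiguous once a prefix collision exists
    return "mutable"  # tag or branch: not a collision issue, but not a pin either

def find_unpinned_uses(workflow_text):
    """Return (action, ref, category) for every `uses:` line not pinned to a full SHA."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        action, ref = m.group(1), m.group(2)
        category = classify_ref(ref)
        if category != "full-sha":
            findings.append((action, ref, category))
    return findings

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@1a4442c
      - uses: actions/cache@v4
"""

if __name__ == "__main__":
    for action, ref, category in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"{category:9} {action}@{ref}")
```

Run against a repository's `.github/workflows/*.yml` files, any `short-sha` finding is a reference that a prefix collision could break and should be replaced with the full hash.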
Betterleaks is a new open-source secrets scanner by Gitleaks' original author that improves detection accuracy using a BPE token-efficiency signal (98.6% recall versus 70.4% for entropy-based detection), CEL-based validation rules, and parallelized scanning. It is designed as a drop-in Gitleaks replacement with support for AI agents, and its planned features include LLM-assisted classification, auto-revocation, and multi-source scanning.