Secret Scanning #89
| name: Secret Scanning | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| schedule: | |
| # Run daily at 2 AM UTC | |
| - cron: '0 2 * * *' | |
| jobs: | |
| scan-secrets: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Full history for better scanning | |
| - name: Run Gitleaks | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Check for .env files | |
| run: | | |
| if git ls-files | grep -E "\.env$|\.env\."; then | |
| echo "❌ ERROR: .env files found in repository!" | |
| echo "Please remove them and use .env.example instead" | |
| exit 1 | |
| else | |
| echo "✅ No .env files found in repository" | |
| fi | |
| - name: Check for common secret patterns | |
| run: | | |
| # Check for API keys, tokens, passwords in code | |
| if git diff --cached --name-only 2>/dev/null | xargs grep -lE "(api[_-]?key|secret[_-]?key|password|token)\s*=\s*['\"][^'\"]{10,}" 2>/dev/null || true; then | |
| echo "⚠️ WARNING: Potential secrets detected in staged files" | |
| echo "Please review before committing" | |
| else | |
| echo "✅ No obvious secrets detected" | |
| fi |
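Review bot: The `.env` guard `if git ls-files | grep -E "\.env$|\.env\."; then` also matches `.env.example`, the very file the next echo tells contributors to use, so the job fails as soon as that template is committed; narrow it to `if git ls-files | grep -E '(^|/)\.env(\.[^/]*)?$' | grep -vE '\.env\.example$'; then`. The "common secret patterns" step is ineffective in CI: a fresh checkout has nothing staged, so `git diff --cached --name-only` prints nothing, and the trailing `|| true` makes the `if` condition succeed regardless, so the WARNING branch runs on every push while no file is actually scanned and the step never fails. Scan the checked-out tree and fail on a hit instead, e.g. `if git grep -lE "(api[_-]?key|secret[_-]?key|password|token)[[:space:]]*=[[:space:]]*['\"][^'\"]{10,}"; then` with `exit 1` in place of the "Please review before committing" echo (POSIX ERE does not guarantee `\s`, hence `[[:space:]]`). `actions/checkout@v4` and `gitleaks/gitleaks-action@v2` are mutable tags; pinning each to a full commit SHA keeps a retagged or compromised action from running with `secrets.GITHUB_TOKEN`.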