-
Notifications
You must be signed in to change notification settings - Fork 99
96 lines (86 loc) · 3.39 KB
/
Copy pathsecret-scan.yml
File metadata and controls
96 lines (86 loc) · 3.39 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# Scans for committed secrets with gitleaks: new commits on pull_request/push, full
# history on the weekly schedule. Uploads SARIF to the Security tab. Uses the
# MIT-licensed gitleaks binary, not the licensed action.
name: Secret Scan
on:
pull_request:
branches: [main]
push:
branches: [main]
schedule:
- cron: '17 9 * * 1'
workflow_dispatch:
permissions:
contents: read
concurrency:
group: secret-scan-${{ github.ref }}
cancel-in-progress: true
jobs:
gitleaks:
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
security-events: write
env:
GITLEAKS_VERSION: "8.30.1"
# SHA-256 of gitleaks_<version>_linux_x64.tar.gz — update together with the version.
GITLEAKS_SHA256: "551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
fetch-depth: 0
- name: Install gitleaks
run: |
tarball="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
curl -sSfL -O "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${tarball}"
echo "${GITLEAKS_SHA256} ${tarball}" | sha256sum -c -
tar -xzf "${tarball}"
sudo mv gitleaks /usr/local/bin/
gitleaks --version
- name: Run gitleaks
id: gitleaks
env:
# Provided by GitHub for the triggering event; empty otherwise. Passed via env
# (not inline ${{ }}) so they cannot be interpolated into the shell.
PR_BASE: ${{ github.event.pull_request.base.sha }}
PR_HEAD: ${{ github.event.pull_request.head.sha }}
PUSH_BEFORE: ${{ github.event.before }}
PUSH_AFTER: ${{ github.sha }}
run: |
NULL_SHA="0000000000000000000000000000000000000000"
LOG_OPTS=""
if [ -n "$PR_BASE" ]; then
# pull_request: scan only the commits this PR adds
LOG_OPTS="--log-opts=${PR_BASE}..${PR_HEAD}"
elif [ -n "$PUSH_BEFORE" ] && [ "$PUSH_BEFORE" != "$NULL_SHA" ]; then
# push: scan only the newly pushed commits
LOG_OPTS="--log-opts=${PUSH_BEFORE}..${PUSH_AFTER}"
fi
# schedule / workflow_dispatch / branch-creating push: LOG_OPTS empty -> full history
set +e
gitleaks git --redact $LOG_OPTS --report-path=gitleaks-report.sarif --report-format=sarif .
echo "exit_code=$?" >> "$GITHUB_OUTPUT"
set -e
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
if: always()
with:
name: gitleaks.sarif
path: gitleaks-report.sarif
if-no-files-found: warn
- uses: github/codeql-action/upload-sarif@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2
if: always() && hashFiles('gitleaks-report.sarif') != ''
continue-on-error: true
with:
sarif_file: gitleaks-report.sarif
- name: Fail on findings or scan error
if: steps.gitleaks.outputs.exit_code != '0'
env:
EXIT_CODE: ${{ steps.gitleaks.outputs.exit_code }}
run: |
if [ "$EXIT_CODE" = "1" ]; then
echo "::error::gitleaks found secrets — see the SARIF artifact / Security tab"
else
echo "::error::gitleaks failed to run (exit $EXIT_CODE)"
fi
exit 1