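# Reusable workflow: diff-aware secret scan of a pull request with the gitleaks CLI.
# Callers invoke it through `workflow_call`; the scan only walks the commits the
# PR branch adds on top of its merge base with the base branch.
name: gitleaks

on:
  workflow_call:

jobs:
  secret-scan:
    name: Run Gitleaks
    # Private repositories of the two listed owners run on the self-hosted
    # security pool; everything else (including public repos) uses a hosted runner.
    runs-on: ${{ ((github.repository_owner == 'centreon' || github.repository_owner == 'quanta-computing') && github.repository_visibility != 'public') && 'centreon-security' || 'ubuntu-24.04' }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history is required so `git merge-base` and the BASE..HEAD
          # range used by the scan resolve.
          fetch-depth: 0

      - name: Install Gitleaks
        run: |
          set -euo pipefail
          # NOTE(review): the binary is resolved from the *latest* release at run time
          # and is not checksum-verified, so the install is neither reproducible nor
          # tamper-evident. Pinning GITLEAKS_VERSION and verifying the release
          # checksum file before extracting would close that gap — TODO.
          # `-f` makes an API failure (e.g. rate limiting) fail the step instead of
          # silently yielding an empty version string.
          GITLEAKS_VERSION=$(curl -sSf https://api.github.com/repos/gitleaks/gitleaks/releases/latest \
            | grep '"tag_name"' | sed 's/.*"v\([^"]*\)".*/\1/')
          if [ -z "${GITLEAKS_VERSION}" ]; then
            echo "::error::Could not resolve the latest Gitleaks release tag."
            exit 1
          fi
          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            | tar -xz -C /usr/local/bin gitleaks
          echo "Gitleaks $(gitleaks version) installed"

      - name: Run secret scan
        env:
          # NOTE(review): GITHUB_TOKEN is not referenced by the gitleaks invocation
          # below; confirm it is needed here (least privilege) — TODO.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): GITLEAKS_LICENSE and the GITLEAKS_ENABLE_* switches look like
          # gitleaks-action settings; nothing in this file shows the CLI reading them.
          # Confirm they have an effect before relying on them — TODO.
          GITLEAKS_LICENSE: "Centreon"
          # Quoted: Actions env values are always strings, this just makes it explicit.
          GITLEAKS_ENABLE_COMMENTS: "false"
          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: "false"
          GITLEAKS_ENABLE_SUMMARY: "false"
          # PR head commit when triggered from a pull request, otherwise the pushed commit.
          HEAD: "${{ github.event.pull_request.head.sha || github.sha }}"
          # Empty outside pull_request events; `git merge-base` then fails and the step
          # aborts before scanning.
          BASE_SHA: "${{ github.event.pull_request.base.sha }}"
        run: |
          set -euo pipefail
          BASE=$(git merge-base "${BASE_SHA}" "${HEAD}")
          echo "Scanning range: ${BASE}..${HEAD}"
          # The step shell runs with -e, so a non-zero gitleaks exit would abort the
          # script before `$?` could be read and the dispatch below would be dead code.
          # `|| EXIT_CODE=$?` captures the code without tripping -e.
          # --exit-code=2 makes "secrets found" distinguishable from a git error (1).
          # --redact keeps secret values out of the job log.
          # NOTE(review): --first-parent means commits reachable only through a
          # second parent (e.g. a side branch merged into the PR branch) are not
          # walked — confirm that blind spot is acceptable.
          EXIT_CODE=0
          gitleaks detect \
            --source . \
            --log-opts="--no-merges --first-parent ${BASE}..${HEAD}" \
            --exit-code=2 \
            --redact \
            --verbose || EXIT_CODE=$?
          if [ "${EXIT_CODE}" -eq 0 ]; then
            echo "No secrets found."
          elif [ "${EXIT_CODE}" -eq 1 ]; then
            # Code 1 = invalid revision range, merge commit, etc.
            echo "::warning::Gitleaks encountered a git error (exit code: ${EXIT_CODE}). Likely an invalid revision range due to a merge commit. Scan skipped for this run."
            exit 0
          elif [ "${EXIT_CODE}" -eq 2 ]; then
            echo "::error::Gitleaks has detected secrets in this branch!"
            exit 1
          else
            # Code 128 = missing commit in history or unmanaged case
            echo "::error::Gitleaks encountered an internal error (exit code: ${EXIT_CODE}). Contact the security team to investigate."
            exit 1
          fi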