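---
# Scheduled secrets scan: runs gitleaks over the checked-out tree and records
# the JSON report as a Chainloop attestation. The scan result never fails the
# job (see `|| true` below); the report is what gets attested.
name: Daily Secrets Detection

on:
  schedule:
    # Run daily at 9:00 AM UTC
    - cron: '0 9 * * *'
  workflow_dispatch: # Allow manual triggering

# Workflow-level default; the job below declares its own permissions block,
# which replaces (not extends) this one for that job.
permissions: read-all

jobs:
  daily-secrets-scan:
    name: Daily Secrets Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # NOTE(review): presumably needed so the Chainloop CLI can obtain an OIDC
      # token for the attestation push — confirm against the Chainloop docs.
      id-token: write
    env:
      CHAINLOOP_WORKFLOW_NAME: "daily-secrets-detection"
      CHAINLOOP_PROJECT_NAME: "chainloop"
    steps:
      # Default shallow checkout is enough for `gitleaks dir`, which scans the
      # working tree only (not git history).
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      # NOTE(review): the installer script is fetched from the network and
      # executed unpinned and unverified (curl | bash). Unlike the checkout
      # action (pinned by SHA) and gitleaks (pinned by version), a change to
      # install.sh is picked up silently on the next run. Consider pinning the
      # CLI version and verifying the download before running it.
      - name: Install Chainloop
        run: |
          curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s

      - name: Initialize Attestation
        run: |
          chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT_NAME}

      # NOTE(review): version is pinned but the tarball is not integrity-checked
      # (no sha256 comparison before extraction). A checksum verification step
      # against the release's published checksum would close that gap.
      - name: Install Gitleaks
        run: |
          wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
          mkdir -p /tmp/gitleaks-install
          tar -xzf gitleaks_8.30.0_linux_x64.tar.gz -C /tmp/gitleaks-install
          sudo install /tmp/gitleaks-install/gitleaks /usr/local/bin/
          rm -rf /tmp/gitleaks-install gitleaks_8.30.0_linux_x64.tar.gz
          gitleaks version

      # `|| true` keeps the job green even when gitleaks reports findings (it
      # exits non-zero on leaks) so the report is always attested. Findings are
      # therefore only visible through the attested report, not the job status.
      - name: Run Gitleaks Scan
        run: |
          gitleaks dir . \
            --report-format json \
            --report-path gitleaks-report.json \
            --config .github/workflows/utils/.gitleaks.toml \
            || true

      - name: Add Gitleaks Report to Attestation
        run: |
          chainloop attestation add \
            --name gitleaks-scan \
            --value gitleaks-report.json \
            --kind GITLEAKS_JSON

      # Push only when every prior step succeeded; otherwise the two reset
      # steps below discard the in-progress attestation.
      - name: Finish and Push Attestation
        if: ${{ success() }}
        run: |
          chainloop attestation push

      - name: Mark attestation as failed
        if: ${{ failure() }}
        run: |
          chainloop attestation reset

      - name: Mark attestation as cancelled
        if: ${{ cancelled() }}
        run: |
          chainloop attestation reset --trigger cancellation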