# Scheduled secrets-detection workflow: runs gitleaks over the checked-out
# tree and attaches the JSON report to a Chainloop attestation, which is
# pushed on success and reset on failure or cancellation.
name: Daily Secrets Detection
on:
  schedule:
    # Run daily at 9:00 AM UTC
    - cron: '0 9 * * *'
  workflow_dispatch: # Allow manual triggering

# Workflow-wide default is read-only; the job below widens only id-token.
permissions: read-all

jobs:
  daily-secrets-scan:
    name: Daily Secrets Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # id-token: write presumably provides an OIDC token for the Chainloop
      # CLI's authentication — confirm against the Chainloop setup before
      # relying on this note.
      id-token: write
    env:
      CHAINLOOP_WORKFLOW_NAME: "daily-secrets-detection"
      CHAINLOOP_PROJECT_NAME: "chainloop"
    steps:
      # Checkout is pinned to a full commit SHA (good); the default shallow
      # clone is enough because the scan below reads the working tree only.
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      # NOTE(review): remote installer piped straight into bash with no
      # version pin or checksum verification — a supply-chain exposure for
      # the tool that later signs the attestation. Consider pinning a
      # release and verifying it, as the gitleaks step partially does.
      - name: Install Chainloop
        run: |
          curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s

      # Opens the attestation that later steps add material to.
      - name: Initialize Attestation
        run: |
          chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT_NAME}

      # Pinned to v8.30.0 by URL, but the tarball is not verified against
      # the release's checksum file before install — TODO(security): add a
      # sha256 check; `sudo install` is used only to place the binary.
      - name: Install Gitleaks
        run: |
          wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
          mkdir -p /tmp/gitleaks-install
          tar -xzf gitleaks_8.30.0_linux_x64.tar.gz -C /tmp/gitleaks-install
          sudo install /tmp/gitleaks-install/gitleaks /usr/local/bin/
          rm -rf /tmp/gitleaks-install gitleaks_8.30.0_linux_x64.tar.gz
          gitleaks version

      # `gitleaks dir` scans the files in the working tree, not git history.
      # The trailing `|| true` keeps the job green whether gitleaks exits
      # non-zero for findings or for a tool error, so the report (when
      # produced) is still attested; findings therefore surface through the
      # attestation rather than the job status. If gitleaks fails before
      # writing the report, the next step fails instead — presumably the
      # intended behaviour, but worth confirming.
      - name: Run Gitleaks Scan
        run: |
          gitleaks dir . \
            --report-format json \
            --report-path gitleaks-report.json \
            --config .github/workflows/utils/.gitleaks.toml \
            || true

      # Attaches the JSON report as a GITLEAKS_JSON material.
      - name: Add Gitleaks Report to Attestation
        run: |
          chainloop attestation add \
            --name gitleaks-scan \
            --value gitleaks-report.json \
            --kind GITLEAKS_JSON

      # success() is the default step condition; spelled out here to mirror
      # the failure()/cancelled() branches below.
      - name: Finish and Push Attestation
        if: ${{ success() }}
        run: |
          chainloop attestation push

      # Discards the in-progress attestation so a partial one is never
      # pushed when an earlier step fails.
      - name: Mark attestation as failed
        if: ${{ failure() }}
        run: |
          chainloop attestation reset

      - name: Mark attestation as cancelled
        if: ${{ cancelled() }}
        run: |
          chainloop attestation reset --trigger cancellation