# =============================================================================
# Reusable Workflow: Secrets Scan (gitleaks)
# =============================================================================
# Scans new commits in a pull request for leaked secrets and credentials
# using gitleaks. Acts as the CI-layer safety net for the local pre-commit hook.
#
# Security gate: fails if any secret pattern is found in the PR commits,
# blocking the merge.
#
# Results (rule, file, line, author — values redacted) are embedded in the
# job Summary so the developer sees exactly what was detected.
#
# Usage:
# jobs:
# secrets-scan:
# uses: ./.github/workflows/_security-secrets-scan.yml
# with:
# base_sha: ${{ github.event.pull_request.base.sha }}
# head_sha: ${{ github.sha }}
#
# Note: The calling workflow does NOT need to run actions/checkout (nor set
# fetch-depth: 0) — this workflow performs its own full-history checkout.
# =============================================================================
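name: Secrets Scan

on:
  workflow_call:
    inputs:
      base_sha:
        description: "Base commit SHA (PR base — start of the scan range)"
        required: true
        type: string
      head_sha:
        description: "Head commit SHA (PR head — end of the scan range)"
        required: true
        type: string

jobs:
  gitleaks:
    name: 🔑 Secrets Scan (gitleaks)
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Read-only token: the job only needs to clone the repository.
    permissions:
      contents: read
    steps:
      # TODO(security): pin this action to a full commit SHA rather than the
      # mutable `v4` tag (uses: actions/checkout@<40-hex-sha> # v4) so that a
      # retargeted tag cannot change what runs with the repository checkout.
      - name: Checkout (full history for commit-range scan)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install gitleaks
        env:
          GITLEAKS_VERSION: "8.21.2"
        run: |
          set -euo pipefail
          base_url="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          archive="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          checksums="gitleaks_${GITLEAKS_VERSION}_checksums.txt"
          # Keep the upstream file names: sha256sum -c matches entries by name.
          wget -q "${base_url}/${archive}" "${base_url}/${checksums}"
          # Integrity check of the downloaded binary. The checksum file ships
          # with the same release, so this catches a corrupted or truncated
          # download but NOT a compromised release; for that guarantee, pin the
          # expected SHA-256 of the archive in this workflow instead.
          # --ignore-missing still fails ("no file was verified") when the
          # archive name is absent from the list, so the check cannot be
          # skipped silently.
          sha256sum --ignore-missing -c "${checksums}"
          tar -xf "${archive}" gitleaks
          sudo install -m 0755 gitleaks /usr/local/bin/gitleaks
          gitleaks version

      - name: Gitleaks — scan PR commits
        id: scan
        # Inputs are passed through the environment instead of being
        # interpolated into the script with ${{ }} so a caller-supplied value
        # cannot inject shell syntax into the command line.
        env:
          BASE_SHA: ${{ inputs.base_sha }}
          HEAD_SHA: ${{ inputs.head_sha }}
        run: |
          set -euo pipefail
          # The documented contract is "commit SHA"; refuse anything else so the
          # range cannot smuggle extra options into git log (e.g. a leading "-").
          for sha in "${BASE_SHA}" "${HEAD_SHA}"; do
            if ! [[ "${sha}" =~ ^[0-9a-fA-F]{7,64}$ ]]; then
              echo "::error::Input is not a commit SHA: '${sha}'"
              exit 1
            fi
          done
          # Exit code 2 is reserved for "leaks found" so it can be told apart
          # from gitleaks' generic runtime failures (exit 1). The step itself
          # does not fail here so the Summary step can always report; the job
          # outcome is decided in that step.
          rc=0
          gitleaks detect \
            --source . \
            --log-opts "${BASE_SHA}..${HEAD_SHA}" \
            --redact \
            --exit-code 2 \
            --report-format json \
            --report-path gitleaks-report.json || rc=$?
          if [[ "${rc}" -eq 2 ]]; then
            echo "LEAKS_FOUND=true" >> "${GITHUB_ENV}"
          elif [[ "${rc}" -ne 0 ]]; then
            echo "::error::gitleaks exited with code ${rc}; the scan did not complete"
            echo "SCAN_ERROR=true" >> "${GITHUB_ENV}"
          fi

      - name: Summary and merge gate
        if: always()
        env:
          SCAN_OUTCOME: ${{ steps.scan.outcome }}
        run: |
          set -eo pipefail
          {
            if [[ "${LEAKS_FOUND:-}" == "true" ]]; then
              echo "## ❌ Secrets Scan FAILED"
              echo ""
              echo "> **PR is blocked.** Secrets or credentials were detected in the commits."
              echo "> Remove the secret, rotate it immediately, and rewrite the commit with \`git rebase -i\`."
              echo ""
              echo "### Findings"
              echo ""
              if [[ -s gitleaks-report.json ]]; then
                echo "| Rule | File | Line | Author |"
                echo "|------|------|------|--------|"
                jq -r '.[] | "| `\(.RuleID)` | `\(.File)` | \(.StartLine) | \(.Author) |"' \
                  gitleaks-report.json 2>/dev/null || echo "_Could not parse report._"
              fi
              echo ""
              echo "> ⚠️ Secret values are **redacted** in this output."
              echo "> Run \`gitleaks detect --source . --log-opts HEAD~1..HEAD\` locally for details."
            elif [[ "${SCAN_ERROR:-}" == "true" || "${SCAN_OUTCOME}" != "success" ]]; then
              # Covers a gitleaks runtime error, a rejected SHA input and a
              # skipped scan (e.g. the install step failed). Never report
              # "Passed" for a scan that did not actually run to completion.
              echo "## ⚠️ Secrets Scan did not complete"
              echo ""
              echo "_The scan step did not finish cleanly; the PR is blocked until it does. See the step log._"
            else
              echo "## ✅ Secrets Scan Passed"
              echo ""
              echo "_No secrets or credentials detected in the PR commits._"
            fi
          } >> "${GITHUB_STEP_SUMMARY}"
          # Fail closed. Without this the job would always succeed (the scan
          # step deliberately exits 0) and the "security gate" would block
          # nothing.
          if [[ "${LEAKS_FOUND:-}" == "true" || "${SCAN_ERROR:-}" == "true" || "${SCAN_OUTCOME}" != "success" ]]; then
            exit 1
          fi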