Secret Scanning #2
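# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

# Secret-scanning workflow: runs Gitleaks plus a lightweight regex sweep for
# well-known token formats. Both steps are advisory — they emit annotations
# rather than fail the job — so findings have to be reviewed in the run output.
name: Secret Scanning

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1" # Weekly Monday 6am UTC
  workflow_dispatch:

# Least privilege: the job only reads repository contents.
permissions:
  contents: read

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Full history so the history-aware scanner sees every commit, not only HEAD.
          fetch-depth: 0

      - name: Run Gitleaks
        # NOTE: continue-on-error keeps the job green even when Gitleaks reports
        # leaks; on its own this job therefore never blocks a merge.
        continue-on-error: true
        uses: gitleaks/gitleaks-action@cb7149a9b57195b609c63e8518d2c6056677d2d0 # v2.3.8
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

      - name: Scan for high-entropy strings
        run: |
          echo "=== Scanning for potential secrets ==="
          FOUND=0
          # Check for hardcoded API keys/tokens (common patterns)
          PATTERNS=(
            '[A-Za-z0-9_-]{32,}==$'
            'sk-[A-Za-z0-9]{48}'
            'ghp_[A-Za-z0-9]{36}'
            'gho_[A-Za-z0-9]{36}'
            'AKIA[0-9A-Z]{16}'
            'xox[bsrp]-[A-Za-z0-9-]{10,}'
          )
          for pattern in "${PATTERNS[@]}"; do
            # Keep only "file:line" from grep's "file:line:content" output so a
            # real credential is never copied into the workflow log (which is
            # readable by anyone on a public repository). The pattern follows
            # "--" so a leading "-" in it cannot be parsed as an option.
            MATCHES=$(grep -rnE --include='*.py' --include='*.ts' --include='*.js' \
              --include='*.yaml' --include='*.yml' --include='*.json' \
              --include='*.env*' --include='*.cfg' --include='*.ini' \
              --exclude-dir=node_modules --exclude-dir=.git --exclude-dir=dist \
              --exclude-dir=__pycache__ --exclude='*.lock' --exclude='package-lock.json' \
              -- "$pattern" . 2>/dev/null | cut -d: -f1,2 || true)
            if [ -n "$MATCHES" ]; then
              echo "::warning::Potential secrets found matching pattern: $pattern"
              # printf instead of echo: match data must never be interpreted as echo flags.
              printf '%s\n' "$MATCHES" | head -5
              FOUND=1
            fi
          done
          if [ "$FOUND" -eq 1 ]; then
            echo "::warning::Review the above matches for potential secret exposure"
          else
            echo "OK: No high-entropy strings matching known secret patterns"
          fi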