🔐 Upgrade secrets scanning workflow #2
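# Secrets scanning workflow for public repositories.
#
# Runs gitleaks over the commits introduced by a pull request (or by a push to
# master) and fails the job when the scanner reports anything. gitleaks runs
# with --redact, so the log, the step summary and the PR comment only ever
# show file / line / rule id, never the matched value.
name: Secrets Scan

on:
  pull_request:
    branches:
      - master
  push:
    branches:
      - master

jobs:
  scan:
    runs-on: ubuntu-latest
    # Least privilege: the job reads the repository and writes PR comments.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so the commit range computed below can be resolved.
          fetch-depth: 0

      - name: Determine commit range
        id: range
        # Event data is passed through env instead of being interpolated into
        # the script body, so it is never re-parsed by the shell.
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
          PUSH_AFTER_SHA: ${{ github.event.after }}
        run: |
          set -euo pipefail
          if [ "$EVENT_NAME" = "pull_request" ]; then
            echo "log_opts=--no-merges --first-parent ${PR_BASE_SHA}^..${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT"
          elif [ "$EVENT_NAME" = "push" ]; then
            # First push to the branch (all-zero "before") or a single commit:
            # there is no range to scan, so scan only the newest commit.
            if [ "$PUSH_BEFORE_SHA" = "0000000000000000000000000000000000000000" ] || [ "$PUSH_BEFORE_SHA" = "$PUSH_AFTER_SHA" ]; then
              echo "log_opts=-1" >> "$GITHUB_OUTPUT"
            else
              echo "log_opts=--no-merges --first-parent ${PUSH_BEFORE_SHA}^..${PUSH_AFTER_SHA}" >> "$GITHUB_OUTPUT"
            fi
          fi

      - name: Download gitleaks
        # NOTE(review): resolving "latest" at run time means each run may pull a
        # different scanner build and nothing verifies the archive; pinning
        # GITLEAKS_VERSION and checking the release's published checksum would
        # make the tool supply chain reproducible.
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          # Authenticated request so the job is not subject to the anonymous
          # API rate limit; -f turns an HTTP error into a failed step instead
          # of an empty version string.
          GITLEAKS_VERSION=$(curl -fsSL -H "Authorization: Bearer ${GH_TOKEN}" \
            https://api.github.com/repos/gitleaks/gitleaks/releases/latest \
            | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
          if [ -z "$GITLEAKS_VERSION" ]; then
            echo "::error::could not resolve the latest gitleaks release"
            exit 1
          fi
          curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            | tar xzf - gitleaks
          chmod +x gitleaks

      - name: Run scan
        id: scan
        # gitleaks exits non-zero when it reports findings; continue so the
        # findings can be summarised before the job is failed at the end.
        continue-on-error: true
        env:
          LOG_OPTS: ${{ steps.range.outputs.log_opts }}
        run: |
          ./gitleaks detect \
            --source="." \
            --redact \
            --report-format=json \
            --report-path=results.json \
            --log-opts="${LOG_OPTS}" \
            --verbose

      - name: Display findings
        if: always() && hashFiles('results.json') != ''
        run: |
          set -euo pipefail
          # Mirror the table into the job summary so it is visible without
          # opening the log. Values are already redacted by gitleaks.
          {
            echo "## Scan Results"
            echo ""
            FINDING_COUNT=$(jq 'length' results.json)
            if [ "$FINDING_COUNT" -eq 0 ]; then
              echo "✅ No secrets detected"
            else
              echo "⚠️ Found $FINDING_COUNT secret(s)"
              echo ""
              echo "| File | Line | Secret Type |"
              echo "|------|------|-------------|"
              jq -r '.[] | "| \(.File) | \(.StartLine) | \(.RuleID) |"' results.json
              echo ""
              echo "Remove these secrets from the code to proceed."
            fi
          } | tee -a "$GITHUB_STEP_SUMMARY"

      - name: Comment on PR if secrets found
        # continue-on-error on the scan step keeps the job status green, so
        # failure() never becomes true here; test the scan step's own outcome.
        # NOTE(review): on pull requests opened from forks the workflow token is
        # read-only and this comment call is expected to be rejected.
        if: steps.scan.outcome != 'success' && github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              body: '⚠️ **Secrets detected** - This PR cannot be merged until secrets are removed from the code.'
            });

      - name: Fail if secrets detected
        # The scan step was allowed to continue; this is where the job fails.
        if: steps.scan.outcome != 'success'
        run: exit 1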