From 2d4a286b609985f20bfa77e79cbb101cb8fb6e05 Mon Sep 17 00:00:00 2001
From: Guilherme Branco Stracini
Date: Sun, 14 Jul 2024 20:44:31 +0100
Subject: [PATCH] Update infisical-secrets-check.yml (#30)

---
 .github/workflows/infisical-secrets-check.yml | 52 +++++++++++++++----
 1 file changed, 43 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/infisical-secrets-check.yml b/.github/workflows/infisical-secrets-check.yml
index fb02196..00f623c 100644
--- a/.github/workflows/infisical-secrets-check.yml
+++ b/.github/workflows/infisical-secrets-check.yml
@@ -26,14 +26,46 @@ jobs: shell: bash run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash - - name: Install Infisical + - name: Install tools shell: bash run: | sudo apt-get update && sudo apt-get install -y infisical + pip install csvkit + npm install -g csv-to-markdown-table - name: Run scan shell: bash - run: infisical scan --redact -f csv -r secrets-result.csv 2>&1 | tee >(sed -r 's/\x1b\[[0-9;]*m//g' > secrets-result.log) + run: infisical scan --redact -f csv -r secrets-result-raw.csv 2>&1 | tee >(sed -r 's/\x1b\[[0-9;]*m//g' >secrets-result.log) + + - name: Generate report + shell: bash + if: failure() + run: | + if [[ -s secrets-result-raw.csv ]]; then + csvformat -M $'\r' secrets-result-raw.csv | sed -e ':a' -e 'N;$!ba' -e 's/\n/\\n/g' | tr '\r' '\n' | head -n 11 >secrets-result.csv + csv-to-markdown-table --delim , --headers secrets-result.md + fi + + - name: Upload artifacts secrets-result.log + uses: actions/upload-artifact@v4 + if: always() + with: + name: report-log + path: secrets-result.log + + - name: Upload artifacts secrets-result.csv + uses: actions/upload-artifact@v4 + if: failure() + with: + name: report-csv + path: secrets-result.csv + + - name: Upload artifacts secrets-result.md + uses: actions/upload-artifact@v4 + if: failure() + with: + name: report-md + path: secrets-result.md - name: Read secrets-result.log uses: guibranco/github-file-reader-action-v2@v2.2.590 @@ -42,12 +74,12 @@ jobs: with: path: secrets-result.log - - name: Read secrets-result.log + - name: Read secrets-result.md uses: guibranco/github-file-reader-action-v2@v2.2.590 if: failure() id: report with: - path: secrets-result.csv + path: secrets-result.md - name: Update PR with comment uses: mshick/add-pr-comment@v2 @@ -62,7 +94,6 @@ jobs: ``` ${{ steps.log.outputs.contents }} ``` - message-failure: | **Infisical secrets check:** :rotating_light: Secrets leaked! 
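Review bot: The new `Install tools` step pulls `csvkit` and `csv-to-markdown-table` unpinned from PyPI and npm on every run, so the tooling that shapes what is later posted to the PR and uploaded as an artifact changes silently whenever a new release lands; pin both, e.g. `pip install 'csvkit==<PINNED_VERSION>'` and `npm install -g csv-to-markdown-table@<PINNED_VERSION>` (a hash-pinned requirements file is stronger still). In the `Generate report` step, `head -n 11` caps the CSV at the header plus ten findings with nothing saying so, and the full redacted CSV is not uploaded anywhere; a comment such as `# keep header + first 10 findings so the PR comment stays short` would spare the next reader a guess. As rendered here the `csv-to-markdown-table` line shows no input or output redirection, which looks like a rendering loss of angle brackets rather than the committed text, but it is worth confirming the committed line reads `secrets-result.csv` and writes `secrets-result.md`. The `Generate report` and failure-only upload steps use `if: failure()`, which also fires when an earlier install step failed and `csvformat` may be absent; adding `id: scan` to the scan step and using `if: failure() && steps.scan.outcome == 'failure'` scopes them to an actual finding.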
@@ -70,9 +101,12 @@ jobs: ``` ${{ steps.log.outputs.contents }} ``` - **Scan report:** - ``` - ${{ steps.report.outputs.contents }} - ``` + +
+ 🔎 Detected secrets in your GIT history + + ${{ steps.report.outputs.contents }} + +
message-cancelled: | **Infisical secrets check:** :o: Secrets check cancelled!
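Review bot: The failure message now emits `${{ steps.report.outputs.contents }}` outside a code fence, so the report is rendered as Markdown rather than shown literally; any `|`, backtick or Markdown in a reported file path or commit message will reshape the comment, so the conversion step should escape pipe characters in cells, or the table should stay fenced as before. The collapsible wrapper this hunk appears to add around "Detected secrets in your GIT history" does not survive in this rendering, so its exact tags are inferred; if it is HTML, Markdown inside it only renders when a blank line separates it from the opening tags, which the added blank lines seem to provide. The `message-failure` block this hunk edits starts outside the hunk.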