Merge pull request #1080 from anarkiwi/sp #2375
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: secrets | |
on: [push, pull_request] | |
jobs: | |
scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: scan | |
run: | | |
export DEBIAN_FRONTEND=noninteractive && \ | |
echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections && \ | |
sudo apt-get update && \ | |
python3 -m pip install --upgrade pip && \ | |
pip3 install whispers && \ | |
mkdir /home/runner/reports/ && \ | |
whispers --severity BLOCKER,CRITICAL -o /home/runner/reports/whispers.json -c ${GITHUB_WORKSPACE}/.github/workflows/config/whispers-config.yml ${GITHUB_WORKSPACE} && \ | |
echo "::set-output name=found-count::$(wc -l /home/runner/reports/whispers.json | cut -d' ' -f1)" | |
- name: Fail if found | |
if: steps.scan.outputs.found-count != 0 | |
uses: actions/github-script@v7 | |
with: | |
script: | | |
echo {{steps.scan.outputs.found-count}} && \ | |
core.setFailed('Secrets found. Please check the uploaded report') | |
- name: Upload scan reports | |
uses: actions/[email protected] | |
if: failure() | |
with: | |
name: whispers-report | |
path: /home/runner/reports/whispers.json |