-
Notifications
You must be signed in to change notification settings - Fork 1
57 lines (49 loc) · 2.21 KB
/
secret-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# look for secrets pushed by mistake
# NOTE: To fix problematic commits that got references to detected secrets, execute the following:
# 1. Assuming the branch is built on top of master for a PR
# >> git rebase -i master
# 2. Then, replace "pick" by "squash" for matched problematic commits
# If this didn't work, more advanced edit of history commits needs to be applied.
# Please refer to git interactive rebase documentation to do so.
# 3. Finally re-run secrets analysis to validate that problems where fixed
name: Secret Scan
on:
- pull_request
- push
jobs:
#trufflehog:
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@master
# - name: trufflehog-actions-scan
# uses: edplato/trufflehog-actions-scan@master
#- uses: max/secret-scan@master
# with:
# repo-token: "${{ secrets.GITHUB_TOKEN }}"
# ref: https://github.com/svdarren/secrets-workflow/blob/9633bc1195a1ca1d4d70415aa4eff6cf55d706de/.github/workflows/secrets.yml
gitleak:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: '0'
- name: Install dependencies
run: docker pull zricethezav/gitleaks
#- run: |
# docker run --name=gitleaks --volume $GITHUB_WORKSPACE:/workspace/ \
# -v --exclude-forks --redact --threads=1 --branch=$GITHUB_REF --repo-path=/workspace/
#- run: docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
# @todo command is failing
#- run: gitleaks -v --exclude-forks --redact --threads=1 --branch=$GITHUB_REF --repo-path=$GITHUB_WORKSPACE
# FIXME: revert to original repo when (if) they ever consider the fix
# https://github.com/eshork/gitleaks-action/pull/4
# https://github.com/eshork/gitleaks-action/issues/3
- uses: fmigneault/gitleaks-action@master
#- uses: eshork/[email protected]
# NOTE:
# does the same as gitleaks-action, but over the whole git history + posts found problem on issue/PR comments
# disable as it causes old (fixed) problems to be detected
#- uses: CySeq/gitcret@v2
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}