-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
enhancement: add git secrets scan to CI (#2973)
- Loading branch information
1 parent
dc1e303
commit 9131dcd
Showing
1 changed file
with
80 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
name: Git Secrets Scan | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- master | ||
|
||
jobs: | ||
git-secrets-scan: | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v2 | ||
|
||
- name: Set up Git Secrets | ||
run: | | ||
sudo apt-get update | ||
sudo apt-get install -y git | ||
git clone https://github.com/awslabs/git-secrets.git | ||
cd git-secrets | ||
sudo make install | ||
cd .. | ||
git secrets --install | ||
git secrets --register-aws | ||
- name: Fetch previous commit | ||
run: | | ||
git fetch origin +refs/heads/${{ github.base_ref }}:refs/remotes/origin/${{ github.base_ref }} | ||
export DIFF=$(git diff origin/${{ github.base_ref }} HEAD) | ||
echo "${DIFF}" > diff.txt | ||
- name: Filter out skipped patterns | ||
run: | | ||
skippedPrefixes=( | ||
'src/data/s3control/2018-08-20/endpoint-tests-1.json.php' | ||
'tests/DynamoDb/MarshalerTest.php' | ||
'- ' | ||
'\[ERROR\]' | ||
'\\n' | ||
'PHP_EOL' | ||
'Possible' | ||
'/usr/local/bin/git-secrets:' | ||
'tests/S3Control' | ||
'tests/Arn' | ||
) | ||
skippedRegexes=( | ||
'/examples-/' | ||
'/UpdateDataSourceRequest\$Credentials/' | ||
'/"AccountId": "123456789012"/' | ||
'/"AccountId": "999999999999"/' | ||
'/123456789012/' | ||
'/999999999999/' | ||
'/"Username": "username"/' | ||
'/"Password": "password"/' | ||
'/RegisterUserResponse\$UserInvitationUrl/' | ||
) | ||
# Filter out lines matching skipped prefixes | ||
for prefix in "${skippedPrefixes[@]}"; do | ||
sed -i "\|${prefix}|d" diff.txt | ||
done | ||
# Filter out lines matching skipped regexes | ||
for regex in "${skippedRegexes[@]}"; do | ||
sed -i -E "${regex}d" diff.txt | ||
done | ||
- name: Run Git Secrets scan on filtered diff | ||
run: | | ||
if [ -s diff.txt ]; then | ||
cat diff.txt | git secrets --scan - 2>&1 | ||
status=$? | ||
if [ $status -ne 0 ]; then | ||
exit $status | ||
fi | ||
else | ||
echo "No differences found." | ||
fi |