Add Infisical Secrets Check Workflow #313

Merged
merged 3 commits into from
Oct 12, 2024

Conversation

@guibranco (Owner) commented Oct 11, 2024

User description

Closes #

📑 Description

✅ Checks

  • My pull request adheres to the code style of this project
  • My code requires changes to the documentation
  • I have updated the documentation as required
  • All the tests have passed

☒️ Does this introduce a breaking change?

  • Yes
  • No

ℹ Additional Information


Description

  • Introduced a new workflow to check for secrets in the repository using Infisical.
  • The workflow runs on pull requests and can be manually triggered.
  • It scans for secrets, generates reports, and uploads artifacts for review.
  • Comments are added to the PR based on the scan results, indicating whether secrets were found.

Changes walkthrough 📝

Relevant files
Enhancement
infisical-secrets-check.yml
Add Infisical Secrets Check Workflow

.github/workflows/infisical-secrets-check.yml

  • Added a new GitHub Actions workflow for Infisical secrets checking.
  • Configured jobs for scanning secrets and generating reports.
  • Implemented artifact uploads for logs and results.
  • Added comments to PR based on scan results.
  • +113/-0

    💡 Penify usage:
    Comment /help on the PR to get a list of all available Penify tools and their descriptions

    Summary by CodeRabbit

    • New Features
      • Introduced a new automated workflow for checking secrets in the codebase.
      • Provides immediate feedback in pull requests regarding the presence of secrets.
    • Documentation
      • Enhanced visibility into security checks performed on the code.

    Copy link

    coderabbitai bot commented Oct 11, 2024

    Walkthrough

    A new GitHub Actions workflow file named infisical-secrets-check.yml has been added to automate the detection of secrets in the codebase. This workflow is triggered manually or by pull requests and includes a concurrency setting. It features a job that checks out the repository, sets up the Infisical CLI, installs necessary tools, runs a secrets scan, generates reports, uploads artifacts, and comments on the pull request with the scan results.

    Changes

    File Path Change Summary
    .github/workflows/infisical-secrets-check.yml Introduced a new workflow for checking secrets in the codebase, including setup, scanning, and reporting steps.

    Suggested labels

    enhancement, size/S, ☑️ auto-merge, Review effort [1-5]: 1

    Suggested reviewers

    • gstraccini

    Poem

    🐰 In the garden of code, secrets we seek,
    With a scan so clever, no need to peek.
    Pull requests now whisper, "All's safe and sound,"
    Thanks to our workflow, no secrets around!
    Hopping with joy, we celebrate this feat,
    In the patchwork of code, our victory's sweet! 🌼



    @penify-dev penify-dev bot added the enhancement New feature or request label Oct 11, 2024
    @penify-dev penify-dev bot changed the title Create infisical-secrets-check.yml Add Infisical Secrets Check Workflow Oct 11, 2024
    @github-actions github-actions bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Oct 11, 2024
    penify-dev bot (Contributor) commented Oct 11, 2024

    PR Review 🔍

    ⏱️ Estimated effort to review [1-5]

    2, because the workflow file is relatively straightforward, but it requires understanding of GitHub Actions and the specific tools being used.

    🧪 Relevant tests

    No

    ⚡ Possible issues

    Possible Bug: The workflow does not handle cases where the Infisical CLI installation fails, which could lead to the workflow failing without clear feedback.

    Possible Improvement: Consider adding error handling for the infisical scan command to ensure that failures are logged and reported appropriately.

    🔒 Security concerns

    No

    penify-dev bot (Contributor) commented Oct 11, 2024

    PR Code Suggestions ✨

    Category / Suggestion / Score
    Possible issue
    Add error handling to the Infisical package source setup command

    Ensure that the curl command for setting the Infisical package source includes error
    handling to avoid silent failures.

    .github/workflows/infisical-secrets-check.yml [28]

    -run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
    +run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash || { echo 'Infisical setup failed'; exit 1; }
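    Review bot: the `|| { echo ...; exit 1; }` added on the `+` line does not catch the failure it targets. A pipeline's exit status is that of its last command, so when `curl` fails (it already runs with `-f`, which makes it exit non-zero on HTTP errors without emitting the error page) `sudo -E bash` reads an empty stdin, exits 0, and the fallback never fires. The fix is pipefail: set `shell: bash` on the step, which makes Actions run the script with `bash --noprofile --norc -eo pipefail`, or put `set -o pipefail` at the top of the script; `-e` is already active in both cases, so the explicit `exit 1` is redundant. The same line pipes a remote script straight into a root shell, so at least pin the version of the CLI package installed afterwards; otherwise two runs of the same commit can execute different installer and scanner code.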
     
    Suggestion importance[1-10]: 9

    Why: Adding error handling to the curl command is crucial to prevent silent failures, which can lead to undetected issues in the workflow.

    9
    Best practice
    Use a specific version for the checkout action to avoid unexpected changes

    Consider using a specific version tag for the actions/checkout action to ensure consistent
    behavior across different runs.

    .github/workflows/infisical-secrets-check.yml [22]

    -uses: actions/checkout@v4
    +uses: actions/checkout@v2
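    Review bot: the `+` line replaces `actions/checkout@v4` with `@v2`, which is a downgrade, not a pin. `v2` is a floating major tag exactly like `v4`, so it gives none of the consistency the suggestion promises, and it runs on a Node runtime GitHub has deprecated. To actually freeze the action, pin to the full 40-character commit SHA of the v4 release that was reviewed (`uses: actions/checkout@<sha> # v4.x`) and let Dependabot or Renovate bump the SHA; keep the `fetch-depth: 0` shown elsewhere in the review, since the scan needs the full history.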
     
    Suggestion importance[1-10]: 8

    Why: Using a specific version tag for actions helps avoid unexpected changes in behavior due to updates, which is a good practice in CI/CD workflows.

    8
    Performance
    Refine the condition for uploading artifacts to avoid unnecessary uploads

    Consider using a more specific condition for the if statements to ensure that the
    artifacts are uploaded only when necessary.

    .github/workflows/infisical-secrets-check.yml [59]

    -if: failure()
    +if: failure() && steps.log.outputs.contents != ''
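    Review bot: `steps.log.outputs.contents` on the `+` line refers to a step id and an output that appear nowhere in the workflow as reviewed, so the expression compares an empty value with `''`, is always false, and silently disables the upload on every failed run. If the goal is to skip the upload when the log was never written, use the built-in `hashFiles()` function, which returns `''` when no file matches: `if: failure() && hashFiles('secrets-result.log') != ''`, or set `if-no-files-found: ignore` on `actions/upload-artifact`.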
     
    Suggestion importance[1-10]: 7

    Why: Refining the condition for uploading artifacts can improve performance by avoiding unnecessary uploads, although the current implementation is still functional.

    7
    Maintainability
    Rename the job to better reflect its functionality

    Use a more descriptive name for the job to clarify its purpose in the workflow.

    .github/workflows/infisical-secrets-check.yml [14]

    -secrets-scan:
    +infisical-secrets-scan:
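    Review bot: renaming the job id also renames the check as it appears in the PR status list (`secrets-scan` today). If that check is, or later becomes, a required status check in branch protection, the rule has to be updated in the same change, otherwise protection keeps waiting for a check that no longer runs.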
     
    Suggestion importance[1-10]: 6

    Why: Renaming the job to be more descriptive enhances readability and maintainability, but it is a minor improvement compared to the other suggestions.

    6

    @guibranco guibranco enabled auto-merge (squash) October 11, 2024 23:23
    @gstraccini gstraccini bot added the ☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) label Oct 11, 2024
    coderabbitai bot left a comment

    Actionable comments posted: 0

    🧹 Outside diff range and nitpick comments (6)
    .github/workflows/infisical-secrets-check.yml (6)

    1-10: LGTM! Consider removing the extra blank line.

    The workflow name, triggers, and concurrency settings are well-defined and appropriate for a secrets check workflow. The concurrency setting is a good practice to prevent redundant runs.

    Consider removing the extra blank line at the beginning of the file:

    -
     name: Infisical secrets check
    🧰 Tools
    🪛 yamllint
    [warning] 1-1: too many blank lines (1 > 0) (empty-lines)


    12-18: LGTM! Consider specifying an Ubuntu version.

    The job setup and permissions are well-defined. The permissions are appropriately set to the minimum required, which is a good security practice.

    For better reproducibility, consider specifying an Ubuntu version instead of using latest:

    - runs-on: ubuntu-latest
    + runs-on: ubuntu-22.04
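    Review bot: pinning the image to `ubuntu-22.04` fixes only the base runner. The installs later in the same job (`curl ... | sudo -E bash` for the Infisical CLI and `npm install -g csv-to-markdown-table` with no version) still fetch whatever is current when the job runs, so two runs of the same commit can still differ. For the reproducibility this change claims, pin those too: an explicit version for the CLI package and `csv-to-markdown-table@<version>` for npm, with `--ignore-scripts` unless the package needs its install hooks.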

    This ensures consistent behavior across different runs and environments.

    🧰 Tools
    🪛 yamllint
    [error] 13-13: trailing spaces (trailing-spaces)


    26-36: LGTM! Consider using a custom Docker image and removing trailing spaces.

    The Infisical setup and tool installation steps are clear and use appropriate commands.

    To improve workflow execution speed, consider creating a custom Docker image with Infisical and other required tools pre-installed. This can significantly reduce the time spent on setup in each workflow run.

    Remove trailing spaces from lines 29, 32, and 36:

    - curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
    + curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
    - run: | 
    + run: |
    -           npm install -g csv-to-markdown-table
    +           npm install -g csv-to-markdown-table
    🧰 Tools
    🪛 yamllint
    [error] 29-29: trailing spaces (trailing-spaces)
    [error] 32-32: trailing spaces (trailing-spaces)
    [error] 36-36: trailing spaces (trailing-spaces)


    37-48: LGTM! Consider simplifying CSV processing.

    The scan execution and report generation steps are well-structured:

    • The Infisical scan command includes redaction, which is good for security.
    • Generating the report only on failure is an efficient approach.

    The shell commands for CSV processing are complex and might be hard to maintain. Consider creating a separate script (e.g., Python) to handle CSV processing. This would improve readability and maintainability. For example:

    - name: Generate report
      shell: bash
      if: failure()
      run: |
        if [[ -s secrets-result-raw.csv ]]; then
          python process_csv.py secrets-result-raw.csv secrets-result.csv secrets-result.md
        fi

    Then create a process_csv.py script to handle the CSV processing logic.


    50-69: LGTM! Fix indentation in artifact upload steps.

    The artifact upload steps are well-configured:

    • Conditional uploads prevent unnecessary artifacts.
    • Using a specific version of actions/upload-artifact (v4) is a good practice.

    Fix the indentation for the 'path' key in two upload steps:

      name: report-log
    - path: secrets-result.log
    + path: secrets-result.log
    
      name: report-md
    - path: secrets-result.md
    + path: secrets-result.md

    Ensure consistent indentation of 10 spaces for all keys within the with block.


    85-113: LGTM! Remove trailing spaces in the PR comment messages.

    The PR comment update step is well-structured:

    • Using different messages for success, failure, and cancellation provides clear feedback.
    • Including scan results and using a details section for the full report is informative and keeps the comment concise.

    Remove trailing spaces from the PR comment messages:

    -            **Infisical secrets check:** :rotating_light: Secrets leaked!     
    +            **Infisical secrets check:** :rotating_light: Secrets leaked!
    -            
    +
    -              <summary>πŸ”Ž Detected secrets in your GIT history</summary>
    +              <summary>πŸ”Ž Detected secrets in your GIT history</summary>
    -            
    +
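    Review bot: beyond the trailing whitespace, these lines are the template that posts the scan findings into the PR comment. That is only safe while the scan step keeps the redaction noted at 37-48: a PR comment is e-mailed to every subscriber the moment it is posted, so an unredacted secret would be disclosed even if the comment were edited afterwards. Add a comment in the workflow tying the two together, and note that on `pull_request` runs from forks the `GITHUB_TOKEN` is read-only, so this comment step will fail there unless guarded by an `if:` on the head repository.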

    This will improve code cleanliness and adhere to YAML best practices.

    🧰 Tools
    🪛 yamllint
    [error] 99-99: trailing spaces (trailing-spaces)
    [error] 100-100: trailing spaces (trailing-spaces)
    [error] 108-108: trailing spaces (trailing-spaces)
    [error] 110-110: trailing spaces (trailing-spaces)

    📜 Review details

    Configuration used: CodeRabbit UI
    Review profile: CHILL

    📥 Commits

    Files that changed from the base of the PR and between d63bebe and d577ad5.

    📒 Files selected for processing (1)
    • .github/workflows/infisical-secrets-check.yml (1 hunks)
    🧰 Additional context used
    🪛 yamllint
    .github/workflows/infisical-secrets-check.yml

    [warning] 1-1: too many blank lines (1 > 0) (empty-lines)
    [error] 13-13: trailing spaces (trailing-spaces)
    [error] 29-29: trailing spaces (trailing-spaces)
    [error] 32-32: trailing spaces (trailing-spaces)
    [error] 36-36: trailing spaces (trailing-spaces)
    [warning] 76-76: wrong indentation: expected 10 but found 9 (indentation)
    [warning] 83-83: wrong indentation: expected 10 but found 9 (indentation)
    [error] 99-99: trailing spaces (trailing-spaces)
    [error] 100-100: trailing spaces (trailing-spaces)
    [error] 108-108: trailing spaces (trailing-spaces)
    [error] 110-110: trailing spaces (trailing-spaces)

    🔇 Additional comments (2)
    .github/workflows/infisical-secrets-check.yml (2)

    21-24: LGTM! Appropriate repository checkout configuration.

    The repository checkout step is well-configured:

    • Using a specific version of actions/checkout (v4) is a good practice.
    • Setting fetch-depth: 0 ensures all history is fetched, which is necessary for a comprehensive secrets scan.

    1-113: Overall assessment: Well-structured and effective secrets check workflow.

    This GitHub Actions workflow for Infisical secrets checking is well-designed and implements good practices for security scanning. The workflow effectively triggers on appropriate events, manages concurrency, and provides clear feedback through PR comments.

    Key strengths:

    1. Appropriate triggers and concurrency settings.
    2. Minimal required permissions.
    3. Comprehensive repository checkout for thorough scanning.
    4. Conditional artifact uploads and report generation.
    5. Clear and informative PR comments with different messages for various outcomes.

    Suggested improvements:

    1. Consider using a custom Docker image with pre-installed tools to speed up workflow execution.
    2. Simplify CSV processing by using a separate script.
    3. Fix minor indentation and trailing space issues.
    4. Specify an Ubuntu version for better reproducibility.

    These improvements will enhance maintainability, reproducibility, and execution speed of the workflow.


    @github-actions github-actions bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 11, 2024
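A hardened variant of the workflow described in the PR and in the review comments above, written here as an added example; it is not the project's .github/workflows/infisical-secrets-check.yml, of which the page shows only fragments. It folds in the points raised in the reviews: `shell: bash` so that pipefail surfaces a failed `curl`, a pinned runner image, job-level permissions only, artifact uploads gated on `hashFiles()` instead of a step output that does not exist, and a PR comment whose inputs arrive through environment variables rather than `${{ }}` interpolation inside `run:`. Assumptions, not taken from the page: the `infisical scan` flags `--report-format` and `--report-path` and its non-zero exit when findings exist (check `infisical scan --help`), the gitleaks-style JSON field names `RuleID`, `File`, `StartLine` and `Commit`, the apt package name `infisical`, and `gh pr comment` in place of whichever comment action the original uses.

```yaml
name: Infisical secrets check

on:
  workflow_dispatch:
  pull_request:

# One scan per PR ref; a newer push cancels the stale run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions: {}   # nothing at workflow level; the job requests what it needs

jobs:
  secrets-scan:
    runs-on: ubuntu-22.04   # pinned image instead of ubuntu-latest
    permissions:
      contents: read        # clone the repository and its history
      pull-requests: write  # post the result comment
    steps:
      - name: Checkout with full history (the scan walks every commit)
        uses: actions/checkout@v4   # better: pin the full commit SHA of the reviewed release
        with:
          fetch-depth: 0

      - name: Install Infisical CLI
        # shell: bash makes Actions run `bash -eo pipefail`, so a failing curl
        # is no longer masked by the exit status of `sudo bash`.
        shell: bash
        run: |
          curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
          sudo apt-get update
          sudo apt-get install -y infisical   # package name is an assumption; add =<version> to freeze the CLI
          infisical --version

      - name: Scan git history for secrets
        shell: bash
        # --redact keeps secret values out of the log, the report and the PR
        # comment. A non-zero exit (leaks found) still fails the step through
        # pipefail although `tee` is last in the pipeline. Flag names and the
        # JSON report format are assumptions; check `infisical scan --help`.
        run: |
          infisical scan --redact --report-format json --report-path secrets-result.json \
            2>&1 | tee secrets-result.log

      - name: Generate markdown report
        if: failure()
        shell: bash
        # jq (preinstalled on GitHub-hosted Ubuntu runners) replaces hand-written
        # CSV handling; field names follow the gitleaks-style layout (assumption).
        run: |
          if [[ -s secrets-result.json ]]; then
            jq -r '(["Rule", "File", "Line", "Commit"], ["---", "---", "---", "---"],
                    (.[] | [.RuleID, .File, (.StartLine | tostring), (.Commit // "" | .[0:8])]))
                   | "| " + join(" | ") + " |"' secrets-result.json > secrets-result.md
          fi

      - name: Upload scan log
        if: failure() && hashFiles('secrets-result.log') != ''
        uses: actions/upload-artifact@v4
        with:
          name: report-log
          path: secrets-result.log

      - name: Upload markdown report
        if: failure() && hashFiles('secrets-result.md') != ''
        uses: actions/upload-artifact@v4
        with:
          name: report-md
          path: secrets-result.md

      - name: Comment on the pull request
        # Fork PRs get a read-only GITHUB_TOKEN, so they are skipped here instead
        # of failing the job on its last step.
        if: always() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
        shell: bash
        env:   # PR data enters via env, never via ${{ }} inside run:, to avoid script injection
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          JOB_STATUS: ${{ job.status }}
        run: |
          {
            case "$JOB_STATUS" in
              success)   echo '**Infisical secrets check:** :white_check_mark: No secrets leaked!' ;;
              cancelled) echo '**Infisical secrets check:** :warning: Scan cancelled' ;;
              *)         echo '**Infisical secrets check:** :rotating_light: Secrets leaked!' ;;
            esac
            echo; echo '<details><summary>:computer: Scan logs</summary>'; echo '<pre>'
            if [[ -f secrets-result.log ]]; then cat secrets-result.log; else echo '(no scan log produced)'; fi
            echo '</pre>'; echo '</details>'
            if [[ -s secrets-result.md ]]; then
              echo; echo '<details><summary>:mag_right: Detected secrets in your GIT history</summary>'; echo
              cat secrets-result.md; echo '</details>'
            fi
          } > comment.md
          gh pr comment "$PR_NUMBER" --body-file comment.md
```

Pinning `actions/*` to a full commit SHA, with the version in a trailing comment, is left to the repository owner because the reviewed SHA is not on this page; Dependabot's `github-actions` ecosystem keeps such pins current. The `<pre>` wrapper around the log avoids nesting a markdown fence inside the comment body, and the redaction flag is what makes posting the findings to a comment acceptable at all.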
    Infisical secrets check: ✅ No secrets leaked!

    💻 Scan logs
    11:56PM INF scanning for exposed secrets...
    11:56PM INF 285 commits scanned.
    11:56PM INF scan completed in 199ms
    11:56PM INF no leaks found
    

    Coverage summary from Codacy

    See diff coverage on Codacy

    Coverage variation: ✅ +0.00% (target: -1.00%)
    Diff coverage: ✅ ∅
    Coverage variation details
    Commit | Coverable lines | Covered lines | Coverage
    Common ancestor commit (472ce52) | 1774 | 4 | 0.23%
    Head commit (33b4ec5) | 1774 (+0) | 4 (+0) | 0.23% (+0.00%)

    Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

    Diff coverage details
    Commit | Coverable lines | Covered lines | Diff coverage
    Pull request (#313) | 0 | 0 | ∅ (not applicable)

    Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%


    @AppVeyorBot: ✅ Build VTEX-SDK-dotnet 2.3.1077 completed (commit ca6a475eb1 by @gstraccini[bot])

    @guibranco guibranco merged commit 43ad6a3 into main Oct 12, 2024
    23 of 25 checks passed
    @guibranco guibranco deleted the guibranco-patch-1 branch October 12, 2024 01:13
    codecov bot commented Oct 12, 2024

    Codecov Report

    All modified and coverable lines are covered by tests ✅

    Project coverage is 0.22%. Comparing base (472ce52) to head (33b4ec5).
    Report is 1 commits behind head on main.

    Additional details and impacted files
    @@          Coverage Diff          @@
    ##            main    #313   +/-   ##
    =====================================
      Coverage   0.22%   0.22%           
    =====================================
      Files        117     117           
      Lines       1774    1774           
      Branches      75      75           
    =====================================
      Hits           4       4           
    + Misses      1770    1768    -2     
    - Partials       0       2    +2     

    ☔ View full report in Codecov by Sentry.
    📒 Have feedback on the report? Share it here.

    Labels: ☑️ auto-merge (Automatic merging of pull requests, gstraccini-bot), enhancement (New feature or request), Review effort [1-5]: 2, size/S (Denotes a PR that changes 10-29 lines, ignoring generated files)
    2 participants