Skip to content

Add scan workflow

Add scan workflow #4

Workflow file for this run

name: Secrets scan
on: push
jobs:
scan:
name: Scan secrets
runs-on: ubuntu-latest
steps:
- name: Setup gitleaks
env:
TARGET: linux_amd64
VERSION: 8.18.1-patch1
# From https://github.com/taiki45/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_checksums.txt
SHA256_SUM: aed536718ac444b6727754ca2e34e243ec1aee8bce928975233709d57bc61387
run: |
curl -L "https://github.com/taiki45/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_${TARGET}.tar.gz" -O
echo "${SHA256_SUM} gitleaks_${VERSION}_${TARGET}.tar.gz" | sha256sum --check
# Generate `gitleaks` binary
tar --extract --gzip --file "gitleaks_${VERSION}_${TARGET}.tar.gz" --verbose
sudo install gitleaks /usr/local/bin/gitleaks
- name: Setup gitleaks-support
env:
TARGET: x86_64-unknown-linux-gnu
VERSION: "0.1.1"
# From https://github.com/Finatext/gitleaks-support/releases/download/v${VERSION}/gitleaks-support-${TARGET}.tar.gz.sha256
SHA256_SUM: 162f2fdb98abba26e05be60137a48b98feec3e3a6e48e68bc0c219a0f32fbd0f
run: |
curl -L "https://github.com/Finatext/gitleaks-support/releases/download/v${VERSION}/gitleaks-support-${TARGET}.tar.gz" -O
echo "${SHA256_SUM} gitleaks-support-${TARGET}.tar.gz" | sha256sum --check
tar --extract --gzip --file "gitleaks-support-${TARGET}.tar.gz" --verbose
sudo install gitleaks-support /usr/local/bin/gitleaks-support
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Scan secrets
env:
REPORT_PATH: tmp/report.json
run: |
mkdir -p tmp
gitleaks detect --verbose --exit-code=0 --no-banner --config=dev/gitleaks.toml --report-path="${REPORT_PATH}"
gitleaks-support apply --config-path=dev/gitleaks-allowlist.toml --report-path="${REPORT_PATH}"