.github/workflows/secrets-scan.yml

name: Secrets scan

on: push

jobs:
  scan:
    name: Scan secrets
    runs-on: ubuntu-latest
    steps:
      - name: Setup gitleaks
        env:
          TARGET: linux_amd64
          VERSION: 8.18.1-patch1
          # From https://github.com/taiki45/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_checksums.txt
          SHA256_SUM: aed536718ac444b6727754ca2e34e243ec1aee8bce928975233709d57bc61387
        # Explicitly specifing `bash` changes behavior: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell
        shell: bash
        run: |
          set -x
          curl -L "https://github.com/taiki45/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_${TARGET}.tar.gz" -O
          echo "${SHA256_SUM} gitleaks_${VERSION}_${TARGET}.tar.gz" | sha256sum --check
          # Generate `gitleaks` binary
          tar --extract --gzip --file "gitleaks_${VERSION}_${TARGET}.tar.gz" --verbose
          sudo install gitleaks /usr/local/bin/gitleaks
      - name: Setup gls
        env:
          TARGET: x86_64-unknown-linux-gnu
          VERSION: "0.1.2"
          # From https://github.com/Finatext/gls/releases/download/v${VERSION}/gls-${TARGET}.tar.gz.sha256
          SHA256_SUM: d7ce5c901b03ae81b10ccd41d7a0328d9752a45e6433cac27e7720d15462c9a7
        shell: bash
        run: |
          set -x
          curl -L "https://github.com/Finatext/gls/releases/download/v${VERSION}/gls-${TARGET}.tar.gz" -O
          echo "${SHA256_SUM} gls-${TARGET}.tar.gz" | sha256sum --check
          tar --extract --gzip --file "gls-${TARGET}.tar.gz" --verbose
          sudo install gls /usr/local/bin/gls
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Scan secrets
        env:
          REPORT_PATH: tmp/report.json
        shell: bash
        run: |
          set -x
          mkdir -p tmp
          gitleaks detect --verbose --exit-code=0 --no-banner --config=dev/gitleaks.toml --report-path="${REPORT_PATH}"
          gls apply --config-path=dev/gitleaks-allowlist.toml --report-path="${REPORT_PATH}"