From 98dc20146598938366ba4e5b93d6faf6ef42f134 Mon Sep 17 00:00:00 2001
From: Taiki Ono
Date: Mon, 20 Nov 2023 19:17:45 +0900
Subject: [PATCH] Add scan workflow

Signed-off-by: Taiki Ono
---
 .github/workflows/secrets-scan.yml | 40 ++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .github/workflows/secrets-scan.yml

diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
new file mode 100644
index 0000000..17bf324
--- /dev/null
+++ b/.github/workflows/secrets-scan.yml
@@ -0,0 +1,40 @@
+name: Secrets scan
+
+on: push
+
+jobs:
+  scan:
+    name: Scan secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup gitleaks
+        env:
+          TARGET: linux_amd64
+          VERSION: 8.18.1-patch1
+          # From https://github.com/taiki45/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_checksums.txt
+          SHA256_SUM: aed536718ac444b6727754ca2e34e243ec1aee8bce928975233709d57bc61387
+        run: |
+          curl -L "https://github.com/taiki45/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_${TARGET}.tar.gz" -O
+          echo "${SHA256_SUM} gitleaks_${VERSION}_${TARGET}.tar.gz" | sha256sum --check
+          # Generate `gitleaks` binary
+          tar --extract --gzip --file "gitleaks_${VERSION}_${TARGET}.tar.gz" --verbose
+          sudo install gitleaks /usr/local/bin/gitleaks
+      - name: Setup gitleaks-support
+        env:
+          TARGET: x86_64-unknown-linux-gnu
+          VERSION: "0.1.0"
+          # From https://github.com/Finatext/gitleaks-support/releases/download/v${VERSION}/gitleaks-support-${TARGET}.tar.gz.sha256
+          SHA256_SUM: 162f2fdb98abba26e05be60137a48b98feec3e3a6e48e68bc0c219a0f32fbd0f
+        run: |
+          curl -L "https://github.com/Finatext/gitleaks-support/releases/download/v${VERSION}/gitleaks-support-${TARGET}.tar.gz" -O
+          echo "${SHA256_SUM} gitleaks-support-${TARGET}.tar.gz" | sha256sum --check
+          tar --extract --gzip --file "gitleaks-support-${TARGET}.tar.gz" --verbose
+          sudo install gitleaks-support /usr/local/bin/gitleaks-support
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Scan secrets
+        env:
+          REPORT_PATH: tmp/report.json
+        run: |
+          mkdir -p tmp
+          gitleaks detect --verbose --exit-code=0 --no-banner --config=dev/gitleaks.toml --report-path="${REPORT_PATH}"
+          gitleaks-support apply --config-path=dev/gitleaks-allowlist.toml --report-path="${REPORT_PATH}"
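Review bot: The `gitleaks detect --verbose` call in the last step prints each finding, including the matched secret value, to the job log, so a genuine leak would be copied into Actions output readable by anyone who can see the repository's logs (everyone, if the repository is public); add `--redact` to that line, i.e. `gitleaks detect --verbose --redact --exit-code=0 --no-banner --config=dev/gitleaks.toml --report-path="${REPORT_PATH}"`, after confirming the taiki45 fork keeps that flag and that the `gitleaks-support` allowlist does not need the raw value from `tmp/report.json`. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although it only reads the checkout; a top-level `permissions:` followed by `  contents: read` pins it to least privilege. Finally, `actions/checkout` defaults to `fetch-depth: 1`, and `gitleaks detect` in git mode presumably only scans the commits it can see, so if the intent is to scan history pass `fetch-depth: 0` to the checkout step (or `--no-git` to gitleaks if only the working tree is meant).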