From b8eba43ae56b968f97cdfb580271e3796e62ddbc Mon Sep 17 00:00:00 2001
From: Sean O'Brien
Date: Tue, 30 Jul 2024 14:23:30 -0400
Subject: [PATCH] enhancement: add git secrets scan to CI
---
 .github/workflows/git-secrets-scan.yml | 80 ++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 .github/workflows/git-secrets-scan.yml
diff --git a/.github/workflows/git-secrets-scan.yml b/.github/workflows/git-secrets-scan.yml
new file mode 100644
index 0000000000..f033bd2949
--- /dev/null
+++ b/.github/workflows/git-secrets-scan.yml
@@ -0,0 +1,80 @@ +name: Git Secrets Scan + +on: + pull_request: + branches: + - master + +jobs: + git-secrets-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Set up Git Secrets + run: | + sudo apt-get update + sudo apt-get install -y git + git clone https://github.com/awslabs/git-secrets.git + cd git-secrets + sudo make install + cd .. + git secrets --install + git secrets --register-aws + + - name: Fetch previous commit + run: | + git fetch origin +refs/heads/${{ github.base_ref }}:refs/remotes/origin/${{ github.base_ref }} + export DIFF=$(git diff origin/${{ github.base_ref }} HEAD) + echo "${DIFF}" > diff.txt + + - name: Filter out skipped patterns + run: | + skippedPrefixes=( + 'src/data/s3control/2018-08-20/endpoint-tests-1.json.php' + 'tests/DynamoDb/MarshalerTest.php' + '- ' + '\[ERROR\]' + '\\n' + 'PHP_EOL' + 'Possible' + '/usr/local/bin/git-secrets:' + 'tests/S3Control' + 'tests/Arn' + ) + + skippedRegexes=( + '/examples-/' + '/UpdateDataSourceRequest\$Credentials/' + '/"AccountId": "123456789012"/' + '/"AccountId": "999999999999"/' + '/123456789012/' + '/999999999999/' + '/"Username": "username"/' + '/"Password": "password"/' + '/RegisterUserResponse\$UserInvitationUrl/' + ) + + # Filter out lines matching skipped prefixes + for prefix in "${skippedPrefixes[@]}"; do + sed -i "\|${prefix}|d" diff.txt + done + + # Filter out lines matching skipped regexes + for regex in "${skippedRegexes[@]}"; do + sed -i -E "${regex}d" diff.txt + done + + - name: Run Git Secrets scan on filtered diff + run: | + if [ -s diff.txt ]; then + cat diff.txt | git secrets --scan - 2>&1 + status=$? + if [ $status -ne 0 ]; then + exit $status + fi + else + echo "No differences found." + fi \ No newline at end of file
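Review bot: The scanner itself is installed unpinned in the "Set up Git Secrets" step — `git clone https://github.com/awslabs/git-secrets.git` fetches whatever the upstream default branch currently holds and `sudo make install` runs it on every pull request, so the tool that gates secrets has no integrity check of its own; pin it, e.g. `git clone https://github.com/awslabs/git-secrets.git && git -C git-secrets checkout <PINNED_COMMIT_SHA>`, and likewise pin `actions/checkout@v2` to a full commit SHA rather than a mutable tag. The "Filter out skipped patterns" step is broader than its name suggests: `sed -i "\|${prefix}|d"` deletes every line that contains the pattern anywhere, so the entry `'- '` removes any added line containing a hyphen-space from the scan, while the path entries only strip diff header lines and never exclude the content of those files. git-secrets' own allowed-pattern list (`git secrets --add --allowed '<pattern>'`) or a pathspec exclusion on the diff (`git diff ... -- . ':!tests/S3Control'`) would scope the exceptions without opening a bypass. In the "Fetch previous commit" step, `git diff origin/${{ github.base_ref }} HEAD > diff.txt` avoids the `export DIFF=$(...)`/`echo` round trip (which hides the diff's exit status and strips trailing newlines), and passing `github.base_ref` through `env:` rather than interpolating it into the script is the recommended pattern even though the `master`-only trigger keeps the risk low here.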