From 06a03230fa19739e0ef31b2a68fdd0a45205f919 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?=
Date: Sat, 20 Sep 2025 18:18:10 -0400
Subject: [PATCH 1/7] Fix fetch-depth
---
 .github/workflows/main.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0ea22e8..f0cb0eb 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -35,7 +35,8 @@ jobs:
 - name: Clean gitleaks
 run: rm /tmp/gitleaks.tmp
 - uses: actions/checkout@v4
- with: { fetch-depth: 0 } # para análisis que miran historial
+ with:
+ fetch-depth: 0 # para análisis que miran historial
 - name: Gitleaks
 uses: gitleaks/gitleaks-action@v2
 env:
@@ -48,7 +49,7 @@ jobs:
 needs: [secrets]
 steps:
 - uses: actions/checkout@v4
- - name: Semgrep (bloqueante)
+ - name: Semgrep (no bloqueante)
 run: |
 docker run --rm -v "$PWD:/src" returntocorp/semgrep:latest \
 semgrep scan --config p/ci --config .semgrep
From b883d20fac2751df9b2d7d314fbd8283401bbb1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?=
Date: Sat, 20 Sep 2025 18:20:58 -0400
Subject: [PATCH 2/7] Force clean
---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f0cb0eb..30c9719 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -33,7 +33,7 @@ jobs:
 runs-on: self-hosted
 steps:
 - name: Clean gitleaks
- run: rm /tmp/gitleaks.tmp
+ run: rm -f /tmp/gitleaks.tmp
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0 # para análisis que miran historial
From 4c45be71ba1316ff331ecb94027197fedc32a643 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?=
Date: Sat, 20 Sep 2025 18:23:04 -0400
Subject: [PATCH 3/7] Create .gitleaks.toml
---
 .gitleaks.toml | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .gitleaks.toml
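Review bot: Renaming the step to `Semgrep (no bloqueante)` in the second hunk changes only its label; the `run:` command is untouched, so whether a finding still fails the job is decided by the `semgrep scan` flags (for example `--error`) on the lines that continue past the hunk, not by the name. If the intent is an advisory scan, the explicit mechanism is `continue-on-error: true` on the step, which also keeps the job summary honest about what was skipped; otherwise the old name should stay so the label matches behaviour. The context line `docker run --rm -v "$PWD:/src" returntocorp/semgrep:latest` pulls an unpinned image, so the rules and engine version used by this "non-blocking" gate can change between runs; a version tag or digest would make the scan reproducible. The step's `run:` block ends outside the hunk.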
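Review bot: `rm -f /tmp/gitleaks.tmp` only silences the error when the file is missing; the reason the step exists is that the job runs on `runs-on: self-hosted`, where `/tmp` persists from one job to the next, so any other file a previous run left behind is still there and still readable by this job. If the scratch path is under the workflow's control, writing it under `${{ runner.temp }}` (emptied by the runner at the start and end of each job) removes the need for a manual cleanup; if the path is fixed by the action, keep this step and consider a matching `if: always()` cleanup at the end of the job so a failed run does not leave the file for the next one. The `jobs:` mapping starts before the hunk.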
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..9e57b56
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,40 @@
+title = "gitleaks config"
+
+[extend]
+useDefault = true
+
+[[rules]]
+description = "AWS Access Key"
+id = "aws-access-key"
+regex = '''AKIA[0-9A-Z]{16}'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS Secret Key"
+id = "aws-secret-key"
+regex = '''([^A-Za-z0-9/+=]{0,20}[A-Za-z0-9/+=]{40})?'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "Generic API Key"
+id = "generic-api-key"
+regex = '''key|token|secret|password.*=.*['\"][0-9a-zA-Z]{20,45}['\"]'''
+tags = ["key", "API"]
+
+[[rules]]
+description = "Private Key"
+id = "private-key"
+regex = '''-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----'''
+tags = ["key", "private"]
+
+[[rules]]
+description = "Password in URL"
+id = "password-in-url"
+regex = '''[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}["'\s]'''
+tags = ["password", "URL"]
+
+[[rules]]
+description = "Slack Token"
+id = "slack-token"
+regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+tags = ["key", "Slack"]
From 8657dc25f755f78dc4ad30a0c333f7906614cd80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?=
Date: Sat, 20 Sep 2025 18:30:10 -0400
Subject: [PATCH 4/7] Test permisssions for gitleaks
---
 .github/workflows/main.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 30c9719..43ca9bc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -10,6 +10,8 @@ permissions:
 contents: read
 security-events: write
 packages: write # útil si luego publicas en GHCR
+ discussions: write
+ pull-requests: write

 concurrency:
 group: devsecops-${{ github.ref }}
From 1ef91e810058e914fc6faec11b9a2a479f9a7849 Mon Sep 17 00:00:00 2001
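Review bot: Three of the new rules cannot do what their descriptions say: `aws-secret-key` wraps its entire pattern in `(...)?`, so it matches the empty string on every scanned line; `slack-token` makes the token body optional, so a bare `xoxb-` prefix is a finding; and `generic-api-key` has an ungrouped alternation, so `key|token|secret|password.*=...` fires on the bare words `key`, `token` or `secret` anywhere while the `.*=.*['\"]...` tail binds only to `password`. In `password-in-url`, `\\s` inside a TOML literal string (`'''...'''`, no escape processing) reaches the regex as a literal backslash followed by the letter `s`, so `[^/\\s:@]` excludes the letter `s` from user and password instead of excluding whitespace, and credentials containing an `s` are missed. Because `[extend] useDefault = true` already loads the built-in ruleset, the ids `generic-api-key` and `private-key` reuse built-in rule ids; whether the local definition overrides or conflicts with the built-in one depends on the gitleaks version, so rename them or drop the duplicates and keep only what the defaults lack. Gitleaks compiles patterns with Go's RE2, which has no lookaround, so the rewrite below uses a mandatory group plus keyword context and `secretGroup` rather than lookbehind.

```toml
# … unchanged: title, [extend], aws-access-key rule …

[[rules]]
description = "AWS Secret Key"
id = "aws-secret-key"
# mandatory group with keyword context; the former "(...)?" also matched the empty string
regex = '''(?i)aws[\w.-]{0,20}(secret|key)[\w.-]{0,20}[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?'''
secretGroup = 2
tags = ["key", "AWS"]

[[rules]]
description = "Generic API Key"
id = "generic-api-key"
# alternation grouped so ".*=.*" applies to every keyword, not only to "password"
regex = '''(?i)(key|token|secret|password).*=.*['"][0-9a-zA-Z]{20,45}['"]'''
tags = ["key", "API"]

# … unchanged: private-key rule …

[[rules]]
description = "Password in URL"
id = "password-in-url"
# "\s", not "\\s": inside a TOML literal string "\\s" is a backslash plus the letter s
regex = '''[a-zA-Z]{3,10}://[^/\s:@]{3,20}:[^/\s:@]{3,20}@.{1,100}["'\s]'''
tags = ["password", "URL"]

[[rules]]
description = "Slack Token"
id = "slack-token"
# token body is required, so a bare "xoxb-" prefix is no longer a finding
regex = '''xox[baprs]-[0-9a-zA-Z]{10,48}'''
tags = ["key", "Slack"]
```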
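Review bot: `discussions: write` and `pull-requests: write` are added to the workflow-level `permissions:` mapping, so every job in the file (the Semgrep job as well, and anything added later) receives them, not just the gitleaks job the commit subject names. As far as the gitleaks-action documentation goes, `pull-requests: write` is needed only to post PR comments and `discussions: write` is not required at all, so the narrower form is a `permissions:` block on the job that runs gitleaks (apparently `secrets`, given the `needs: [secrets]` seen in patch 1) with `contents: read` and `pull-requests: write`, dropping `discussions: write` unless a step uses it; the pre-existing `packages: write` at this level is broader than its own comment ("útil si luego publicas") justifies today. The `permissions:` mapping starts before the hunk.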
From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?=
Date: Sat, 20 Sep 2025 18:34:24 -0400
Subject: [PATCH 5/7] Add .gitleaksignore
---
 .gitleaksignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .gitleaksignore
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000..0b74731
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1 @@
+06a03230fa19739e0ef31b2a68fdd0a45205f919:.github/workflows/main.yml:aws-secret-key:38
From ac166c0e2ec11ce6c71663e90f1eb0558a9cd578 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?=
Date: Sat, 20 Sep 2025 18:40:52 -0400
Subject: [PATCH 6/7] Minor fixes
---
 .gitleaks.toml | 2 +-
 .gitleaksignore | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/.gitleaks.toml b/.gitleaks.toml
index 9e57b56..8b59776 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -12,7 +12,7 @@ tags = ["key", "AWS"]
 [[rules]]
 description = "AWS Secret Key"
 id = "aws-secret-key"
-regex = '''([^A-Za-z0-9/+=]{0,20}[A-Za-z0-9/+=]{40})?'''
+aregex = '''([^A-Za-z0-9/+=]{0,20}[A-Za-z0-9/+=]{40})?'''
 tags = ["key", "AWS"]

 [[rules]]
diff --git a/.gitleaksignore b/.gitleaksignore
index 0b74731..3f3fe54 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -1 +1,9 @@
-06a03230fa19739e0ef31b2a68fdd0a45205f919:.github/workflows/main.yml:aws-secret-key:38
+# Ignore specific patterns in JSON files
+**/*.json:prisidio_xapikey
+
+# Ignore specific values in JSON files
+**/*.json:{"prisidio_xapikey": "*"}
+
+# Ignore specific pattern
+*.toml
+.gitleaksignore
\ No newline at end of file
From 18a8f2827bdeb36c7f48196e00ab31c408186c75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?=
Date: Sat, 20 Sep 2025 18:42:21 -0400
Subject: [PATCH 7/7] Minor fixes
---
 gitleaks.toml | 6 ------
 1 file changed, 6 deletions(-)
 delete mode 100644 gitleaks.toml
diff --git a/gitleaks.toml b/gitleaks.toml
deleted file mode 100644
index a3084aa..0000000
--- a/gitleaks.toml
+++ /dev/null
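Review bot: The fingerprint `06a03230fa19739e0ef31b2a68fdd0a45205f919:.github/workflows/main.yml:aws-secret-key:38` suppresses a hit from the custom `aws-secret-key` rule, whose pattern `([^A-Za-z0-9/+=]{0,20}[A-Za-z0-9/+=]{40})?` is entirely optional and therefore matches the empty string; as far as the patch-1 hunk shows, line 38 of that file is the `with:` line that commit added, which contains nothing secret-like, so this is a false positive produced by the rule, not a finding to ignore. Suppressing one fingerprint hides one symptom while the rule keeps firing on every other commit and line, and patch 6's `regex` → `aregex` rename in `.gitleaks.toml` is the same problem in another guise: a rule with no `regex` (or `path`) key is, depending on the gitleaks version, either rejected at config load or kept as a rule that never matches. The durable fix is in the rule itself — give it a mandatory, keyword-anchored pattern, or delete it and rely on the built-in ruleset that `useDefault = true` already enables — after which this ignore entry can go.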
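Review bot: `.gitleaksignore` is a list of finding fingerprints (`[commit:]path:rule-id:line`), so the new lines `**/*.json:prisidio_xapikey`, `**/*.json:{"prisidio_xapikey": "*"}`, `*.toml` and `.gitleaksignore` are neither globs nor value patterns to gitleaks and will never equal a fingerprint; after this hunk the file ignores nothing, while the comments suggest the author believes these paths are excluded. Path exclusions belong in `.gitleaks.toml` under `[allowlist]`, e.g. `paths = ['''\.gitleaksignore$''', '''\.toml$''']`, and the `*.toml` entry would in any case exclude the config file that defines the rules, which is the one file a scanner should read. If a value stored under `prisidio_xapikey` in JSON files is a live credential, the remediation is to remove it from the repository and rotate it, not to teach the scanner to look away; an allowlist regex is only appropriate for a documented placeholder or test fixture. The file also ends without a trailing newline (`\ No newline at end of file`).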
@@ -1,6 +0,0 @@
-title = "gitleaks config (demo)"
-[[rules]]
-id = "aws-access-key"
-description = "AWS Access Key ID"
-regex = '''AKIA[0-9A-Z]{16}'''
-tags = ["key", "AWS"]