feat(secret_scan): add all-secrets option #2273

Workflow file for this run

	name: CI

	# About steps requiring the GITGUARDIAN_API_KEY:
	#
	# For security reasons, secrets are not available when a workflow is triggered by a pull request from a fork. This
	# causes all steps requiring the GITGUARDIAN_API_KEY to fail. To avoid this, we skip those steps when we are triggered
	# by a pull request from a fork.

	on:
	pull_request:
	push:
	branches:
	- '*'
	tags-ignore:
	- '*'
	paths-ignore:
	- 'doc/**'
	- 'README.md'

	jobs:
	lint:
	name: Lint package
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Set up Python 3.10
	uses: actions/setup-python@v5
	with:
	python-version: '3.10'

	- name: Install dependencies
	run: \|
	python -m pip install --upgrade pip
	python -m pip install pipenv==2023.12.1 pre-commit
	pipenv install --dev --skip-lock

	- uses: actions/cache@v3
	with:
	path: ~/.cache/pre-commit
	key: pre-commit\|${{ env.pythonLocation }}\|${{ hashFiles('.pre-commit-config.yaml') }}

	- name: Install pre-commit hooks
	run: pre-commit install --install-hooks

	- name: Skip ggshield hooks when running from a fork
	# See note about steps requiring the GITGUARDIAN_API at the top of this file
	if: ${{ github.event.pull_request.head.repo.fork }}
	run: \|
	echo "SKIP=ggshield,ggshield-local" >> $GITHUB_ENV

	- name: Run pre-commit checks
	run: \|
	pre-commit run --show-diff-on-failure --all-files
	env:
	GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

	- name: Check commit messages
	if: github.event_name == 'pull_request'
	run: \|
	PR_REF="${GITHUB_REF%/merge}/head"
	git fetch origin "$PR_REF"
	if git log --format=%s "origin/$GITHUB_BASE_REF..FETCH_HEAD" \| grep '^fixup!' ; then
	echo 'Error: this pull request contains fixup commits. Squash them.'
	exit 1
	fi
	# In case `git log` fails
	exit "${PIPESTATUS[0]}"

	build:
	name: Build and Test
	runs-on: ${{ matrix.os }}
	env:
	# We skip pipenv lockfile by default, because a Pipfile.lock should only
	# be used for the Python version it was generated for.
	PIPENV_SKIP_LOCK: 1
	strategy:
	fail-fast: false
	matrix:
	os: [ubuntu-22.04, macos-13, windows-2022]
	python-version: ['3.8', '3.9', '3.10', '3.11']
	steps:
	- uses: actions/checkout@v4
	with:
	# Get enough commits to run `ggshield secret scan commit-range` on ourselves
	fetch-depth: 10

	- name: Set up Python ${{ matrix.python-version }}
	uses: actions/setup-python@v5
	with:
	python-version: ${{ matrix.python-version }}

	- name: Use Pipfile.lock on locked version of Python
	# Keep version in sync with scripts/update-pipfile-lock/Dockerfile
	if: matrix.python-version == '3.10'
	run: \|
	echo "PIPENV_SKIP_LOCK=0" >> $GITHUB_ENV

	- name: Install dependencies
	run: \|
	python -m pip install --upgrade pip
	python -m pip install --upgrade pipenv==2023.12.1
	pipenv install --system --dev
	- name: Install Windows dev dependencies
	if: matrix.os == 'windows-2022'
	run: \|
	# Those are win32-only dependencies from pytest
	python -m pip install atomicwrites colorama

	- name: Override base Docker image used for functional tests on Windows
	if: matrix.os == 'windows-2022'
	# This is required because GitHub Windows runner is not configured to
	# run Linux-based Docker images
	shell: bash
	run: \|
	echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV

	- name: Ensure a clean package installation
	run: \|
	pip install build wheel check-wheel-contents
	python -m build --wheel
	# The created wheel (.whl) file will be found and analyzed within the `dist/` folder
	check-wheel-contents dist/

	- name: Run unit tests
	run: \|
	coverage run --source ggshield -m pytest --disable-pytest-warnings --disable-socket tests/unit

	- name: Gather coverage report
	run: \|
	coverage report --fail-under=80
	coverage xml

	- uses: codecov/codecov-action@v4
	with:
	file: ./coverage.xml
	flags: unittests
	name: codecov-umbrella
	token: ${{ secrets.CODECOV_TOKEN }}
	fail_ci_if_error: false

	- name: Run functional tests
	# See note about steps requiring the GITGUARDIAN_API at the top of this file
	if: ${{ !github.event.pull_request.head.repo.fork }}
	shell: bash
	run: \|
	make functest
	env:
	GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
	GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
	TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}
	TEST_GG_VALID_TOKEN: ${{ secrets.TEST_GG_VALID_TOKEN }}
	TEST_GG_VALID_TOKEN_IGNORE_SHA: ${{ secrets.TEST_GG_VALID_TOKEN_IGNORE_SHA }}
	TEST_UNKNOWN_SECRET: ${{ secrets.TEST_UNKNOWN_SECRET }}

	build_os_packages:
	uses: ./.github/workflows/build_release_assets.yml
	secrets: inherit

	test_github_secret_scan_action:
	name: Test GitHub action for `secret scan`
	# See note about steps requiring the GITGUARDIAN_API at the top of this file
	if: ${{ !github.event.pull_request.head.repo.fork }}
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Scan commits for hardcoded secrets
	uses: ./actions-unstable/secret
	env:
	GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
	GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
	GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
	GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
	GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}

	test_github_iac_scan_action:
	name: Test GitHub action for `iac scan`
	# See note about steps requiring the GITGUARDIAN_API at the top of this file
	if: ${{ !github.event.pull_request.head.repo.fork }}
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Scan commits for IaC vulnerabilities
	uses: ./actions-unstable/iac
	with:
	args: .
	env:
	GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
	GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}

	test_github_sca_scan_action:
	name: Test GitHub action for `sca scan`
	# See note about steps requiring the GITGUARDIAN_API at the top of this file
	if: ${{ !github.event.pull_request.head.repo.fork }}
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Scan commits for SCA vulnerabilities
	uses: ./actions-unstable/sca
	with:
	args: .
	env:
	GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
	GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}

	dockerhub-unstable:
	name: Push Docker image to Docker Hub
	runs-on: ubuntu-22.04
	if: github.ref == 'refs/heads/main' && github.event_name == 'push'
	needs:
	- lint
	- build
	- test_github_iac_scan_action
	- test_github_sca_scan_action
	- test_github_secret_scan_action
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Build and push
	uses: docker/build-push-action@v1
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}
	repository: gitguardian/ggshield
	tags: unstable

	github_packages-unstable:
	name: Push Docker image to GitHub Packages
	runs-on: ubuntu-22.04
	if: github.ref == 'refs/heads/main' && github.event_name == 'push'
	needs:
	- lint
	- build
	- test_github_iac_scan_action
	- test_github_sca_scan_action
	- test_github_secret_scan_action
	steps:
	- name: Check out the repo
	uses: actions/checkout@v4
	- name: Push to GitHub Packages
	uses: docker/build-push-action@v1
	with:
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	registry: docker.pkg.github.com
	repository: gitguardian/ggshield/ggshield
	tags: unstable

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(secret_scan): add all-secrets option #2273

Workflow file

feat(secret_scan): add all-secrets option #2273

Jobs

Run details

Workflow file for this run