Make leak-detection readable by humans

Previously when a leak was detected under any circumstance, the workflow would splat out a giant wall of gray, unreadable git-log text. This often enormous text might contain, somewhere, possibly, maybe, a little tiny snippet of code that leaks a secret. Improve the situation greatly by providing easy-to-use URLs that covers the relevant changes based on the triggering context (new pr, force-push, or merge). Store the former (often) giant git-log output into a file and stuff it into the artifacts in case it's ever useful. Signed-off-by: Chris Evich <cevich@redhat.com>
containers · Jan 31, 2024 · 28856b6 · 28856b6
1 parent 4370932
commit 28856b6
Showing 1 changed file with 29 additions and 5 deletions.
diff --git a/.github/workflows/scan-secrets.yml b/.github/workflows/scan-secrets.yml
@@ -73,6 +73,28 @@ jobs:
         run: |
           echo "depth=$((${{ github.event.pull_request.commits }} + 1))" >> $GITHUB_OUTPUT
 
+      # A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs.
+      # Provide handy URL for examination of secret leaks for all events that
+      # trigger this action.
+
+      - if: github.event_name == 'synchronize' || github.base_ref == ''
+        name: Provide URL showing code that needs human eyes (force-push or merge)
+        shell: bash
+        run: |
+          echo "Please review force-push or merged-pr changes for secret-leaks:"
+          before=$(jq -r -e '.before' $GITHUB_EVENT_PATH)
+          after=$(jq -r -e '.after' $GITHUB_EVENT_PATH)
+          echo "https://github.com/${{ github.repository }}/compare/${before}...${after}"
+
+      - if: github.event_name == 'opened'
+        name: Provide URL showing code that needs human eyes (newly opened PR)
+        shell: bash
+        run: |
+          echo "Please review new PR changes for secret-leaks:"
+          before=$(jq -r -e '.github.event.pull_request.base.sha' $GITHUB_EVENT_PATH)
+          after=$(jq -r -e '.github.event.pull_request.head.sha' $GITHUB_EVENT_PATH)
+          echo "https://github.com/${{ github.repository }}/compare/${before}...${after}"
+
       - name: Show important context details
         shell: bash
         run: |
@@ -123,12 +145,11 @@ jobs:
           mkdir ${{ github.workspace }}/_report
           touch ${{ github.workspace }}/_report/gitleaks-report.json
 
-      # A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs
-      - name: Show content being scanned
+      - name: Log all content being scanned to file for archiving
         shell: bash
         run: |
           set -exuo pipefail
-          ${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }}
+          ${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }} >> ${{ github.workspace }}/git_commits.log
 
       # Unfortunately gitleaks provides several in-built ways to
       # completely bypass an alert within PR-level commits.  Assume
@@ -183,12 +204,15 @@ jobs:
             $glfqin \
             detect $glargs --log-opts=${{ steps.gitlog.outputs.range }}
 
-      - name: Collect scan report artifact
+      - name: Collect git commits log and gitleaks scan report
         if: ${{ !cancelled() }}
         uses: actions/upload-artifact@v4
         with:
           name: gitleaks-report
-          path: ${{ github.workspace }}/_report/gitleaks-report.json
+          path: |
+            ${{ github.event_path }}
+            ${{ github.workspace }}/git_commits.log
+            ${{ github.workspace }}/_report/gitleaks-report.json
 
       # Nobody monitors the actions-tab for failures, and may not see this
       # fail on push to a nefarious PR.  Send an e-mail alert to unmask