[skip-ci] Make leak-detection readable by humans #21459

Merged
merged 1 commit into from
Jan 31, 2024
34 changes: 29 additions & 5 deletions .github/workflows/scan-secrets.yml
@@ -73,6 +73,28 @@ jobs:
run: |
echo "depth=$((${{ github.event.pull_request.commits }} + 1))" >> $GITHUB_OUTPUT

# A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs.
# Provide handy URL for examination of secret leaks for all events that
# trigger this action.

- if: github.event_name == 'synchronize' || github.base_ref == ''
name: Provide URL showing code that needs human eyes (force-push or merge)
shell: bash
run: |
echo "Please review force-push or merged-pr changes for secret-leaks:"
before=$(jq -r -e '.before' $GITHUB_EVENT_PATH)
after=$(jq -r -e '.after' $GITHUB_EVENT_PATH)
echo "https://github.com/${{ github.repository }}/compare/${before}...${after}"

- if: github.event_name == 'opened'
name: Provide URL showing code that needs human eyes (newly opened PR)
shell: bash
run: |
echo "Please review new PR changes for secret-leaks:"
before=$(jq -r -e '.github.event.pull_request.base.sha' $GITHUB_EVENT_PATH)
after=$(jq -r -e '.github.event.pull_request.head.sha' $GITHUB_EVENT_PATH)
echo "https://github.com/${{ github.repository }}/compare/${before}...${after}"

- name: Show important context details
shell: bash
run: |
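Review bot: the second added step will always error out: its jq filters read `.github.event.pull_request.base.sha` and `.github.event.pull_request.head.sha`, but `$GITHUB_EVENT_PATH` holds the raw webhook payload, so the keys are `.pull_request.base.sha` and `.pull_request.head.sha`; with `-e`, jq exits non-zero on the resulting null and the step fails. Independently, neither step's `if:` can ever be true: `github.event_name` is `pull_request` for both a newly opened and a force-pushed PR, while `opened` and `synchronize` are the activity type found in `github.event.action`. Suggest `if: github.event.action == 'synchronize' || github.base_ref == ''` and `if: github.event.action == 'opened'`, and dropping the `.github.event` prefix from the two jq paths. Because the PR is tagged `[skip-ci]`, none of this was exercised before merge, so it is worth a follow-up run against a throwaway PR.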
@@ -123,12 +145,11 @@ jobs:
mkdir ${{ github.workspace }}/_report
touch ${{ github.workspace }}/_report/gitleaks-report.json

# A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs
- name: Show content being scanned
- name: Log all content being scanned to file for archiving
shell: bash
run: |
set -exuo pipefail
${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }}
${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }} >> ${{ github.workspace }}/git_commits.log

# Unfortunately gitleaks provides several in-built ways to
# completely bypass an alert within PR-level commits. Assume
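Review bot: redirecting the git log with `>> ${{ github.workspace }}/git_commits.log` removes it from the job log entirely, so the comment kept just above this step (`A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs`) no longer describes what happens: the scanned content is now visible only if the later upload-artifact step succeeds. Piping through `| tee -a ${{ github.workspace }}/git_commits.log` keeps the output in the GHA log as well as in the archive, and `set -o pipefail` is already in effect so a failing `${{ env.gitlogcmd }}` still fails the step.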
@@ -183,12 +204,15 @@ jobs:
$glfqin \
detect $glargs --log-opts=${{ steps.gitlog.outputs.range }}

- name: Collect scan report artifact
- name: Collect git commits log and gitleaks scan report
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: gitleaks-report
path: ${{ github.workspace }}/_report/gitleaks-report.json
path: |
${{ github.event_path }}
${{ github.workspace }}/git_commits.log
${{ github.workspace }}/_report/gitleaks-report.json

# Nobody monitors the actions-tab for failures, and may not see this
# fail on push to a nefarious PR. Send an e-mail alert to unmask
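Review bot: `${{ github.event_path }}` points into the runner's temp directory, outside `${{ github.workspace }}`, and actions/upload-artifact@v4 roots the archive at the least common ancestor of all listed paths, so the three files will land in a deep nested tree rather than side by side; copying the event payload into `${{ github.workspace }}/_report/` (the directory this workflow already creates) before upload keeps the artifact flat. Also consider an explicit `retention-days:` here: the archived git log and event payload stay downloadable by anyone who can read the run for the repository default period, and if `env.gitlogcmd` emits patch text the git log will quote the very content gitleaks flagged.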