chore: Enhance CI workflow with detailed secret scanning and reporting
All checks were successful
CI / skip-ci-check (pull_request) Successful in 1m29s
CI / lint-and-type-check (pull_request) Successful in 2m6s
CI / python-lint (pull_request) Successful in 1m46s
CI / test-backend (pull_request) Successful in 3m10s
CI / build (pull_request) Successful in 2m25s
CI / secret-scanning (pull_request) Successful in 1m31s
CI / dependency-scan (pull_request) Successful in 1m36s
CI / sast-scan (pull_request) Successful in 2m46s
CI / workflow-summary (pull_request) Successful in 1m27s
This commit updates the CI workflow to include a more comprehensive secret scanning process using gitleaks. It adds steps to install jq for parsing the report and displays the results in the GitHub step summary, including total leaks found and detailed leak information. This enhancement improves security by ensuring that any sensitive information is promptly identified and addressed.
This commit is contained in: parent bd3fb5ce74, commit 13f926b84e
@ -480,9 +480,56 @@ jobs:
fetch-depth: 0
- name: Scan for secrets
run: gitleaks detect --source . --no-banner --redact --exit-code 0
run: |
gitleaks detect \
--source . \
--no-banner \
--redact \
--verbose \
--platform git.levkin.ca \
--report-path gitleaks-report.json \
--exit-code 0
continue-on-error: true
- name: Install jq for report parsing
run: apk add --no-cache jq
- name: Display secret scan results
if: always()
run: |
if [ -f gitleaks-report.json ]; then
echo "## 🔐 Secret Scan Results" >> $GITHUB_STEP_SUMMARY || true
echo "" >> $GITHUB_STEP_SUMMARY || true
# Count leaks
LEAK_COUNT=$(jq 'length' gitleaks-report.json 2>/dev/null || echo "0")
echo "**Total leaks found: $LEAK_COUNT**" >> $GITHUB_STEP_SUMMARY || true
echo "" >> $GITHUB_STEP_SUMMARY || true
if [ "$LEAK_COUNT" -gt 0 ]; then
echo "### Leak Details" >> $GITHUB_STEP_SUMMARY || true
echo "" >> $GITHUB_STEP_SUMMARY || true
echo "| File | Line | Rule | Description | Commit |" >> $GITHUB_STEP_SUMMARY || true
echo "|------|------|------|-------------|--------|" >> $GITHUB_STEP_SUMMARY || true
# Extract and display leak details
jq -r '.[] | "| \(.File) | \(.Line) | \(.RuleID) | \(.Description // "N/A") | \(.Commit // "N/A") |"' gitleaks-report.json >> $GITHUB_STEP_SUMMARY || true
echo "" >> $GITHUB_STEP_SUMMARY || true
echo "### Full Report (JSON)" >> $GITHUB_STEP_SUMMARY || true
echo '```json' >> $GITHUB_STEP_SUMMARY || true
cat gitleaks-report.json >> $GITHUB_STEP_SUMMARY || true
echo '```' >> $GITHUB_STEP_SUMMARY || true
echo "" >> $GITHUB_STEP_SUMMARY || true
echo "⚠️ **Action Required:** Review and remove the secrets found above." >> $GITHUB_STEP_SUMMARY || true
else
echo "✅ No secrets detected!" >> $GITHUB_STEP_SUMMARY || true
fi
else
echo "⚠️ No report file generated" >> $GITHUB_STEP_SUMMARY || true
fi
dependency-scan:
needs: skip-ci-check
if: needs.skip-ci-check.outputs.should-skip != '1'
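Review bot: the scan still cannot fail the job: `--exit-code 0` makes gitleaks return success whatever it finds, and `continue-on-error: true` on the same step masks any other failure, so findings only surface as a summary table while the check stays green (the display step echoes "Action Required" but never exits non-zero). Consider dropping `--exit-code 0`, or adding `exit 1` inside the `if [ "$LEAK_COUNT" -gt 0 ]` branch after the table is written. Two smaller points in the same hunk: `continue-on-error: true` also hides a gitleaks invocation that fails outright (for example if the `--platform git.levkin.ca` argument is not accepted), which then shows up only as "No report file generated" rather than as a failed step; and `cat gitleaks-report.json >> $GITHUB_STEP_SUMMARY` copies the whole report, with per-finding file, line and commit context, into a summary readable by anyone who can view the run, while the table above it already carries the useful fields, so the full JSON dump can go.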