From 13f926b84eee91ab9609ff03e4e01f21f403d24e Mon Sep 17 00:00:00 2001
From: Tanya
Date: Thu, 8 Jan 2026 13:30:37 -0500
Subject: [PATCH] chore: Enhance CI workflow with detailed secret scanning and reporting

This commit updates the CI workflow to include a more comprehensive secret scanning process using gitleaks. It adds steps to install jq for parsing the report and displays the results in the GitHub step summary, including total leaks found and detailed leak information. This enhancement improves security by ensuring that any sensitive information is promptly identified and addressed.
---
 .gitea/workflows/ci.yml | 49 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 1c1218f..658b085 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -480,9 +480,56 @@ jobs:
 fetch-depth: 0
 - name: Scan for secrets
- run: gitleaks detect --source . --no-banner --redact --exit-code 0
+ run: |
+ gitleaks detect \
+ --source . \
+ --no-banner \
+ --redact \
+ --verbose \
+ --platform git.levkin.ca \
+ --report-path gitleaks-report.json \
+ --exit-code 0
 continue-on-error: true
+ - name: Install jq for report parsing
+ run: apk add --no-cache jq
+
+ - name: Display secret scan results
+ if: always()
+ run: |
+ if [ -f gitleaks-report.json ]; then
+ echo "## 🔐 Secret Scan Results" >> $GITHUB_STEP_SUMMARY || true
+ echo "" >> $GITHUB_STEP_SUMMARY || true
+
+ # Count leaks
+ LEAK_COUNT=$(jq 'length' gitleaks-report.json 2>/dev/null || echo "0")
+ echo "**Total leaks found: $LEAK_COUNT**" >> $GITHUB_STEP_SUMMARY || true
+ echo "" >> $GITHUB_STEP_SUMMARY || true
+
+ if [ "$LEAK_COUNT" -gt 0 ]; then
+ echo "### Leak Details" >> $GITHUB_STEP_SUMMARY || true
+ echo "" >> $GITHUB_STEP_SUMMARY || true
+ echo "| File | Line | Rule | Description | Commit |" >> $GITHUB_STEP_SUMMARY || true
+ echo "|------|------|------|-------------|--------|" >> $GITHUB_STEP_SUMMARY || true
+
+ # Extract and display leak details
+ jq -r '.[] | "| \(.File) | \(.Line) | \(.RuleID) | \(.Description // "N/A") | \(.Commit // "N/A") |"' gitleaks-report.json >> $GITHUB_STEP_SUMMARY || true
+ echo "" >> $GITHUB_STEP_SUMMARY || true
+
+ echo "### Full Report (JSON)" >> $GITHUB_STEP_SUMMARY || true
+ echo '```json' >> $GITHUB_STEP_SUMMARY || true
+ cat gitleaks-report.json >> $GITHUB_STEP_SUMMARY || true
+ echo '```' >> $GITHUB_STEP_SUMMARY || true
+
+ echo "" >> $GITHUB_STEP_SUMMARY || true
+ echo "⚠️ **Action Required:** Review and remove the secrets found above." >> $GITHUB_STEP_SUMMARY || true
+ else
+ echo "✅ No secrets detected!" >> $GITHUB_STEP_SUMMARY || true
+ fi
+ else
+ echo "⚠️ No report file generated" >> $GITHUB_STEP_SUMMARY || true
+ fi
+
 dependency-scan:
 needs: skip-ci-check
 if: needs.skip-ci-check.outputs.should-skip != '1'
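Review bot: The "Display secret scan results" step prints "✅ No secrets detected!" whenever the count cannot be computed, because `LEAK_COUNT=$(jq 'length' gitleaks-report.json 2>/dev/null || echo "0")` turns a missing jq binary (the `apk add` step is not `if: always()`-guarded and can itself fail) or an unparseable report into a count of zero, so a scan that could not be evaluated reads as clean. Surface the failure instead, e.g. `LEAK_COUNT=$(jq 'length' gitleaks-report.json) || { echo "⚠️ Could not parse gitleaks-report.json" >> "$GITHUB_STEP_SUMMARY"; exit 1; }`. With `--exit-code 0` kept on the scan, `continue-on-error: true`, and `|| true` on every summary line, a non-zero count never fails the job, so the "Action Required" banner is advisory only; ending the step with `[ "$LEAK_COUNT" -eq 0 ] || exit 1` (or dropping `--exit-code 0` and the `continue-on-error`) would make findings actually block the pipeline, which is what the commit message claims. Every `$GITHUB_STEP_SUMMARY` expansion in the step is unquoted (ShellCheck SC2086); write `"$GITHUB_STEP_SUMMARY"`. The `jobs:` mapping enclosing this hunk begins before it and continues after it.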