git-flow/.github/workflows/gitleaks-scan.yml at main · samuelho-dev/git-flow · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: 'Gitleaks Secret Scan'

on:
  workflow_call:
    inputs:
      scan-path:
        description: 'Path to scan for secrets'
        required: false
        type: string
        default: '.'
      config-path:
        description: 'Path to gitleaks config file'
        required: false
        type: string
        default: ''
      format:
        description: 'Output format (json, sarif, csv)'
        required: false
        type: string
        default: 'sarif'
      fail-on-findings:
        description: 'Fail workflow if secrets are found'
        required: false
        type: boolean
        default: true
      upload-sarif:
        description: 'Upload SARIF results to GitHub Security'
        required: false
        type: boolean
        default: true
      baseline-path:
        description: 'Path to gitleaks baseline file (ignore known findings)'
        required: false
        type: string
        default: ''
      log-level:
        description: 'Log level (debug, info, warn, error, fatal)'
        required: false
        type: string
        default: 'info'
      runs-on:
        description: 'Runner label to execute the job on'
        required: false
        type: string
        default: 'homelab-runners'
    outputs:
      findings-count:
        description: 'Number of secrets found'
        value: ${{ jobs.scan.outputs.findings }}
      sarif-path:
        description: 'Path to SARIF output file'
        value: ${{ jobs.scan.outputs.sarif-path }}

permissions:
  contents: read
  security-events: write

jobs:
  scan:
    name: Gitleaks Secret Scan
    runs-on: ${{ inputs.runs-on }}
    timeout-minutes: 10
    outputs:
      findings: ${{ steps.count.outputs.findings }}
      sarif-path: 'gitleaks-results.sarif'

    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Run Gitleaks scan
        id: scan
        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_CONFIG: ${{ inputs.config-path }}
          GITLEAKS_BASELINE: ${{ inputs.baseline-path }}
          GITLEAKS_LOG_LEVEL: ${{ inputs.log-level }}
          GITLEAKS_ENABLE_COMMENTS: false
          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false

      - name: Count findings
        id: count
        if: always()
        shell: bash
        run: |
          if [ -f "gitleaks-results.sarif" ]; then
            FINDINGS=$(jq '.runs[0].results | length' gitleaks-results.sarif)
            echo "findings=$FINDINGS" >> "$GITHUB_OUTPUT"
            echo "Found $FINDINGS potential secrets"
          elif [ -f "gitleaks-results.json" ]; then
            FINDINGS=$(jq '. | length' gitleaks-results.json)
            echo "findings=$FINDINGS" >> "$GITHUB_OUTPUT"
            echo "Found $FINDINGS potential secrets"
          else
            echo "findings=0" >> "$GITHUB_OUTPUT"
          fi

      - name: Upload Gitleaks results to GitHub Security
        if: inputs.upload-sarif && inputs.format == 'sarif' && always()
        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
        with:
          sarif_file: 'gitleaks-results.sarif'
          category: 'secret-scan'

      - name: Upload scan results as artifact
        if: always()
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: gitleaks-results
          path: gitleaks-results.*
          retention-days: 30

      - name: Generate scan summary
        if: always()
        shell: bash
        run: |
          {
            echo "## 🔐 Gitleaks Secret Scan Results"
            echo ""
            echo "**Scan Path:** \`${{ inputs.scan-path }}\`"
            echo ""
          } >> "$GITHUB_STEP_SUMMARY"

          if [ -f "gitleaks-results.sarif" ]; then
            FINDINGS=$(jq '.runs[0].results | length' gitleaks-results.sarif)
            if [ "$FINDINGS" -eq 0 ]; then
              echo "✅ **No secrets detected**" >> "$GITHUB_STEP_SUMMARY"
            else
              {
                echo "🚨 **Found $FINDINGS potential secrets**"
                echo ""
                echo "Review the Security tab for detailed findings."
                echo ""
                echo "### ⚠️  Action Required"
                echo "1. Rotate any exposed credentials immediately"
                echo "2. Remove secrets from git history"
                echo "3. Use environment variables or secret management"
              } >> "$GITHUB_STEP_SUMMARY"
            fi
          elif [ -f "gitleaks-results.json" ]; then
            FINDINGS=$(jq '. | length' gitleaks-results.json)
            if [ "$FINDINGS" -eq 0 ]; then
              echo "✅ **No secrets detected**" >> "$GITHUB_STEP_SUMMARY"
            else
              echo "🚨 **Found $FINDINGS potential secrets**" >> "$GITHUB_STEP_SUMMARY"
            fi
          else
            echo "✅ Scan completed successfully" >> "$GITHUB_STEP_SUMMARY"
          fi