|
| 1 | +name: Gitleaks secrets scan |
| 2 | + |
| 3 | +on: |
| 4 | + pull_request: |
| 5 | + branches: |
| 6 | + - main |
| 7 | + |
| 8 | + |
| 9 | +permissions: |
| 10 | + issues: write |
| 11 | + pull-requests: write |
| 12 | + contents: read |
| 13 | + |
| 14 | +jobs: |
| 15 | + gitleaks: |
| 16 | + runs-on: ubuntu-latest |
| 17 | + |
| 18 | + steps: |
| 19 | + - name: Checkout code |
| 20 | + uses: actions/checkout@v4 |
| 21 | + with: |
| 22 | + fetch-depth: 0 # Required to get full commit history for diffing |
| 23 | + |
| 24 | + |
| 25 | + - name: Get base and head commit SHAs |
| 26 | + run: | |
| 27 | + echo "BASE_SHA=${{ github.event.pull_request.base.sha }}" >> $GITHUB_ENV |
| 28 | + echo "HEAD_SHA=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV |
| 29 | +
|
| 30 | + |
| 31 | + - name: Run Gitleaks on PR changes via Docker |
| 32 | + run: | |
| 33 | + docker run --rm -v $(pwd):/repo -w /repo zricethezav/gitleaks:latest detect \ |
| 34 | + --config="/repo/Rule/gitleaks.toml" \ |
| 35 | + --log-opts="--no-merges $BASE_SHA..$HEAD_SHA" \ |
| 36 | + --verbose \ |
| 37 | + --exit-code=0 \ |
| 38 | + --report-format=json \ |
| 39 | + --report-path="/repo/gitleaks-report.json" \ |
| 40 | + --redact |
| 41 | +
|
| 42 | + - name: Upload Gitleaks report |
| 43 | + uses: actions/upload-artifact@v4 |
| 44 | + with: |
| 45 | + name: gitleaks-report |
| 46 | + path: gitleaks-report.json |
| 47 | + |
| 48 | + - name: Format and comment findings on PR |
| 49 | + env: |
| 50 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 51 | + run: | |
| 52 | + if [ ! -f gitleaks-report.json ]; then |
| 53 | + echo "Report file not found!" |
| 54 | + exit 1 |
| 55 | + fi |
| 56 | +
|
| 57 | + FINDINGS_JSON=$(cat gitleaks-report.json) |
| 58 | + COUNT=$(echo "$FINDINGS_JSON" | jq 'length') |
| 59 | + SHA="${{ github.event.pull_request.head.sha }}" |
| 60 | + REPO="${{ github.repository }}" |
| 61 | + PR_NUMBER="${{ github.event.pull_request.number }}" |
| 62 | + MAX=10 |
| 63 | +
|
| 64 | + if [ "$COUNT" -gt 0 ]; then |
| 65 | + COMMENT="**π Gitleaks Findings: $COUNT issue(s) detected**\n\n" |
| 66 | + i=0 |
| 67 | + while [ "$i" -lt "$COUNT" ] && [ "$i" -lt "$MAX" ]; do |
| 68 | + ITEM=$(echo "$FINDINGS_JSON" | jq ".[$i]") |
| 69 | + RULE=$(echo "$ITEM" | jq -r '.RuleID') |
| 70 | + DESC=$(echo "$ITEM" | jq -r '.Description') |
| 71 | + FILE=$(echo "$ITEM" | jq -r '.File') |
| 72 | + LINE=$(echo "$ITEM" | jq -r '.Line') |
| 73 | + LINK="https://github.com/$REPO/blob/$SHA/$FILE#L$LINE" |
| 74 | + SECRET_MASKED="**********" |
| 75 | + COMMENT+="πΈ **Rule**: \`$RULE\`\n" |
| 76 | + COMMENT+="π **File**: \`$FILE:$LINE\`\n" |
| 77 | + COMMENT+="π **Description**: $DESC\n" |
| 78 | + COMMENT+="π **Secret**: \`$SECRET_MASKED\`\n" |
| 79 | + COMMENT+="π **Path**: [$FILE:$LINE]($LINK)\n\n" |
| 80 | + i=$((i + 1)) |
| 81 | + done |
| 82 | +
|
| 83 | + if [ "$COUNT" -gt "$MAX" ]; then |
| 84 | + COMMENT+="...and more. Only showing first $MAX findings.\n" |
| 85 | + fi |
| 86 | + else |
| 87 | + COMMENT="β
**Gitleaks Findings:** No secrets detected. Safe to proceed!" |
| 88 | + fi |
| 89 | +
|
| 90 | + # Escape newlines for GitHub API |
| 91 | + COMMENT=$(echo "$COMMENT" | sed ':a;N;$!ba;s/\n/\\n/g') |
| 92 | +
|
| 93 | + curl -X POST \ |
| 94 | + -H "Authorization: token $GITHUB_TOKEN" \ |
| 95 | + -H "Accept: application/vnd.github.v3+json" \ |
| 96 | + -d "{\"body\":\"$COMMENT\"}" \ |
| 97 | + "https://api.github.com/repos/${REPO}/issues/${PR_NUMBER}/comments" |
0 commit comments