diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml
new file mode 100644
index 0000000..bc0b236
--- /dev/null
+++ b/.github/actions/detect-secrets/action.yaml
@@ -0,0 +1,146 @@
+name: Detect Secrets Action
+description: |
+ Scan the repository for secrets using the following tools:
+ 1. Gitleaks: https://github.com/gitleaks/gitleaks
+ 2. TruffleHog: https://github.com/trufflesecurity/trufflehog
+ 3. detect-secrets: https://github.com/Yelp/detect-secrets
+ 4. git-secrets: https://github.com/awslabs/git-secrets
+ 5. Talisman: https://github.com/thoughtworks/talisman
+ 6. credential-digger: https://github.com/SAP/credential-digger
+ 7. kingfisher: https://github.com/mongodb/kingfisher
+
+inputs:
+ github-token:
+ description: GitHub token for authentication
+ required: true
+ default: ${{ github.token }}
+ gitleaks-license:
+ description: Gitleaks license key for enterprise features
+ required: true
+ default: ""
+
+runs:
+ using: "composite"
+ steps:
+ - uses: actions/checkout@v6.0.1
+ with:
+ fetch-depth: 0
+
+ - name: Prepare report directory
+ shell: bash
+ run: mkdir -p secrets_report
+
+ - name: Setup Python
+ uses: actions/setup-python@v6.1.0
+ with:
+ python-version: "3.12.12"
+
+ - name: Install jq
+ shell: bash
+ run: sudo apt-get update && sudo apt-get install -y jq
+
+ - name: Install detect-secrets
+ shell: bash
+ run: pip install detect-secrets
+
+ - name: Run detect-secrets
+ continue-on-error: true
+ shell: bash
+ run: |
+ detect-secrets scan --force-use-all-plugins > secrets_report/detect_secrets.json
+
+ - name: Install git-secrets
+ shell: bash
+ run: |
+ git clone https://github.com/awslabs/git-secrets.git
+ cd git-secrets
+ sudo make install
+ cd ..
+
+ - name: Run git-secrets
+ continue-on-error: true
+ shell: bash
+ run: git secrets --scan -r . | tee secrets_report/git_secrets.txt
+
+ - name: Run Gitleaks
+ uses: gitleaks/gitleaks-action@v2.3.9
+ continue-on-error: true
+ env:
+ GITHUB_TOKEN: ${{ inputs.github-token }}
+ GITLEAKS_LICENSE: ${{ inputs.gitleaks-license }}
+
+ - name: Install Talisman
+ shell: bash
+ run: bash -c "$(curl --silent https://raw.githubusercontent.com/thoughtworks/talisman/main/install.sh)"
+
+ - name: Run Talisman
+ continue-on-error: true
+ shell: bash
+ run: |
+ talisman --scan || true
+ if [ -f talisman_report/talisman_reports/data/report.json ]; then
+ cp talisman_report/talisman_reports/data/report.json secrets_report/talisman.json
+ num_failures=$(jq '.failures // [] | length' secrets_report/talisman.json)
+ if [ "$num_failures" -gt 0 ]; then
+ echo "Secrets found by Talisman: $num_failures"
+ fi
+ fi
+
+ - name: Install dependencies for credential-digger
+ shell: bash
+ run: sudo apt install -y build-essential python3-dev
+
+ - name: Install credential-digger
+ shell: bash
+ run: pip install credentialdigger
+
+ - name: Download rules for credential-digger
+ shell: bash
+ run: curl -O https://raw.githubusercontent.com/SAP/credential-digger/main/ui/backend/rules.yml
+
+ - name: Add rules for credential-digger
+ shell: bash
+ run: credentialdigger add_rules --sqlite /tmp/cred.db ./rules.yml
+
+ - name: Run credential-digger
+ continue-on-error: true
+ shell: bash
+ run: |
+ credentialdigger scan . --sqlite /tmp/cred.db --models PathModel PasswordModel | tee secrets_report/credential_digger.txt
+ cp /tmp/cred.db secrets_report/credential_digger.db || true
+ [ -f rules.yml ] && cp rules.yml secrets_report/ || true
+
+ - name: Install kingfisher
+ shell: bash
+ run: curl --silent --location https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash
+
+ - name: Run kingfisher
+ continue-on-error: true
+ shell: bash
+ run: kingfisher scan . --exclude secrets_report/* | tee secrets_report/kingfisher.txt
+
+ - name: Install TruffleHog v3 binary
+ continue-on-error: true
+ shell: bash
+ run: |
+ set -euo pipefail
+ TRH_VER=3.92.4
+ TMPDIR="$(mktemp -d)"
+ curl -sSL -o "$TMPDIR/trufflehog.tar.gz" "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRH_VER}/trufflehog_${TRH_VER}_linux_amd64.tar.gz"
+ tar -xzf "$TMPDIR/trufflehog.tar.gz" -C "$TMPDIR"
+ install "$TMPDIR/trufflehog" "$RUNNER_TEMP/trufflehog"
+ chmod +x "$RUNNER_TEMP/trufflehog"
+
+ - name: Run TruffleHog (filesystem JSON)
+ continue-on-error: true
+ shell: bash
+ env:
+ TRUFFLEHOG_NO_UPDATE: "1"
+ run: |
+ "$RUNNER_TEMP/trufflehog" filesystem . --json --only-verified 2>&1 | tee secrets_report/trufflehog.json
+
+ - name: Upload combined results artifact
+ uses: actions/upload-artifact@v6.0.0
+ with:
+ name: secrets-scan-results
+ path: secrets_report
diff --git a/.github/workflows/detect-secrets.yaml b/.github/workflows/detect-secrets.yaml
new file mode 100644
index 0000000..f302e09
--- /dev/null
+++ b/.github/workflows/detect-secrets.yaml
@@ -0,0 +1,23 @@
+name: Secrets Scan Workflow
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+permissions:
+ contents: read
+ id-token: write
+ pull-requests: write
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6.0.1
+ - uses: ./.github/actions/detect-secrets
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }}
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b694934
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.venv
\ No newline at end of file
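Review bot: The artifact uploaded by the final `Upload combined results artifact` step bundles raw scanner output, and some of those files carry the matched secret values themselves — `git secrets --scan -r .` prints the offending lines into `git_secrets.txt`, and TruffleHog's `--json` records include the raw match — so anyone who can download this repository's workflow artifacts can read every secret the scan found; consider uploading only redacted summaries (counts, paths, the hashed detect-secrets baseline) or at least adding `retention-days: 1` under the upload step's `with:`. The Talisman and kingfisher installers are fetched from the projects' `main` branches and piped into bash, and git-secrets, detect-secrets and credentialdigger are installed unpinned, while the composite's checkout keeps the token in the working tree by default, so an upstream change in any of them runs with that token; pin them to tagged releases and verify a checksum (the TruffleHog step pins a version but also skips the checksum), and add `persist-credentials: false` to the checkout's `with:`, since as far as this hunk shows only the Gitleaks step needs the token and it receives it through `env`. Every scan step is also `continue-on-error: true` (Talisman adds `|| true`), so a finding never fails the job; the `if [ "$num_failures" -gt 0 ]` branch in the Talisman step should at least `exit 1`, and the other scanners' exit codes deserve the same treatment.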
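Review bot: The `permissions` block grants `id-token: write` and `pull-requests: write`, but nothing in the composite action this workflow calls requests an OIDC token, so `id-token: write` should be dropped; `pull-requests: write` is needed only if Gitleaks PR comments are wanted, otherwise `contents: read` alone suffices. The `actions/checkout@v6.0.1` step here is redundant with the checkout the composite action performs itself (with `fetch-depth: 0`), and each checkout persists the token in the working tree by default; drop it or give it `persist-credentials: false`. The file is also missing its trailing newline.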