secret-scan.yml
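# Secret scanning on pushes and pull requests to main, plus on demand.
# Both scanners are pinned to an exact release and fetched over HTTPS
# only; the checkout pulls full history so that gitleaks and trufflehog
# walk every commit rather than only the tip.
name: Secret Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

# Least privilege: the job only reads the repository (checkout) and never
# writes back, so the default token scope is narrowed to contents: read.
permissions:
  contents: read

jobs:
  secrets:
    runs-on: ubuntu-latest
    env:
      # Quoted so the version strings are not re-typed as numbers.
      GITLEAKS_VERSION: "8.20.1"
      TRUFFLEHOG_VERSION: "3.82.0"
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # Both scanners scan git history. With the action's default
          # shallow checkout (depth 1) they only see the single
          # checked-out commit and miss secrets committed, and later
          # removed, earlier on the branch. fetch-depth 0 fetches all of it.
          fetch-depth: 0

      - name: Install secret scanners
        # NOTE(review): the release tarballs are version-pinned but not
        # checksum-verified. Recording the expected sha256 of each asset
        # and checking it with `sha256sum -c` before extraction would close
        # the remaining download-integrity gap.
        run: |
          set -euo pipefail
          gitleaks_asset="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          trufflehog_asset="trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz"
          # --fail turns an HTTP error (e.g. a mistyped version) into a curl
          # failure instead of saving the error page, which tar would then
          # reject with a misleading message. --proto/--proto-redir/--tlsv1.2
          # refuse any downgrade away from HTTPS, including on redirects.
          curl -sSL --fail --proto '=https' --proto-redir '=https' --tlsv1.2 \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${gitleaks_asset}" \
            -o "/tmp/${gitleaks_asset}"
          curl -sSL --fail --proto '=https' --proto-redir '=https' --tlsv1.2 \
            "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/${trufflehog_asset}" \
            -o "/tmp/${trufflehog_asset}"
          tar -xzf "/tmp/${gitleaks_asset}" -C /usr/local/bin
          tar -xzf "/tmp/${trufflehog_asset}" -C /usr/local/bin
          chmod +x /usr/local/bin/gitleaks /usr/local/bin/trufflehog

      - name: Run gitleaks
        # --redact keeps matched secret values out of the job log;
        # --exit-code 1 fails the job when a leak is found.
        run: gitleaks detect --source . --redact --exit-code 1

      - name: Run trufflehog
        # --no-update stops the pinned binary from self-updating at run
        # time; --fail makes findings fail the job. The exclusion of
        # .github/workflows/sonar.yml is presumably a known false
        # positive — confirm it is still needed.
        run: >-
          trufflehog git "file://${GITHUB_WORKSPACE}"
          --no-update --fail
          --exclude-globs=.github/workflows/sonar.yml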