Merge pull request #73 from UoMResearchIT/add-secret-scanning

dkfellows · web-flow · commit b4bf721f686d · 2025-09-03T11:53:42.000+01:00
Add a reusable workflow for secret scanning
diff --git a/.github/workflows/scan-for-secrets.yml b/.github/workflows/scan-for-secrets.yml
@@ -0,0 +1,64 @@
+# Copyright (c) 2025 The University of Manchester
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This reusable workflow is used to scan for secrets; API keys for various
+# services that shouldn't be made public but instead ought to be handled
+# via the Github Secrets mechanisms.
+#
+# It needs no elevated permissions, and no access to real secrets.
+#
+# It uses the file secrets.baseline.json in the same directory as this
+# workflow to provide a baseline configuration when the user does not
+# specify their own.
+
+name: Scan for Secrets
+on:
+  workflow_call:
+    inputs:
+      config-file:
+        type: string
+        required: false
+        default: .uomrit-actions/.github/workflows/secrets.baseline.json
+        description: >
+          The name of secret scanner configuration.
+          If not supplied, a default is used.
+      python-version:
+        type: string
+        required: false
+        default: "3.12"
+        description: >
+          The version of Python to use to run the secret scanner.
+
+jobs:
+  check:
+    name: Checking for Service API Keys
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Checkout default configuration file
+        uses: actions/checkout@v4
+        with:
+          path: .uomrit-actions
+          repository: UoMResearchIT/actions
+          ref: add-secret-scanning # FIXME
+      - name: Scan
+        uses: secret-scanner/action@0.2.1
+        with:
+          # Version locked because of bugs
+          detect_secrets_version: "1.3.0"
+          python_version: ${{ inputs.python-version }}
+          baseline_file: ${{ inputs.config-file }}
+          detect_secret_additional_args: --exclude-files '.*\.uomrit-actions/.*'
+        timeout-minutes: 10
diff --git a/.github/workflows/secrets.baseline.json b/.github/workflows/secrets.baseline.json
@@ -0,0 +1,113 @@
+{
+  "version": "1.3.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.gibberish.should_exclude_secret",
+      "limit": 3.7
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {},
+  "generated_at": "2025-07-30T13:06:35Z"
+}
diff --git a/README.md b/README.md
@@ -17,8 +17,6 @@ These are intended for use in many types of project, wherever relevant.
 
 * [`instantiate-file`](instantiate-file) creates a file with a value provided by your workflow.
 
-* ['add_prs_to_project (reusable workflow)](.github/workflows/add_prs_to_project.yml) is a reusable workflow that you can use in your repository to add any PRs assigned to a user to a Project and set the Status in the project to a value of your choosing.
-
 ## Linux runners only
 
 * [`apt-get-install`](apt-get-install) installs packages into Ubuntu runners, allowing for subtleties of installation that have been found to come up with some packages "in the wild".
@@ -29,6 +27,12 @@ These are intended for use in many types of project, wherever relevant.
 
 * [`todo`](todo) finds `FIXME` and `TODO` comments in code.
 
+## Reusable Workflows
+
+* [`add_prs_to_project` (reusable workflow)](.github/workflows/add_prs_to_project.yml) is a reusable workflow that you can use in your repository to add any PRs assigned to a user to a Project and set the Status in the project to a value of your choosing.
+
+* [`scan-for-secrets` (reusable workflow)](.github/workflows/scan-for-secrets.yml) is a reusable workflow that you can use in your repository to scan for API keys (e.g., for AWS) that your code accidentally exposes.
+
 # Language-Specific Tools
 
 These often have platform requirements for their runners. You can always have several jobs in a workflow to allow the use of Linux runners in an otherwise Windows-specific build scheme.
