Skip to content

Commit 533df04

Browse files
author
Nathan Gillett
committed
Align security gates with intentproof-tools template
Use gitleaks-action, local allowlist script, and tools ref 552da9d for javascript custom queries where applicable. Signed-off-by: Nathan Gillett <nathan@intentproof.io>
1 parent f82149b commit 533df04

2 files changed

Lines changed: 27 additions & 24 deletions

File tree

.github/workflows/codeql.yml

Lines changed: 24 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,37 +1,42 @@
11
name: codeql
2+
23
on:
34
push:
45
branches: [main]
56
pull_request:
67
branches: [main]
78
schedule:
89
- cron: "0 6 * * 1"
10+
911
permissions:
1012
actions: read
1113
contents: read
1214
security-events: write
15+
1316
jobs:
1417
allowlist-expiry:
1518
name: "IntentProof Security: CodeQL Allowlist"
1619
runs-on: ubuntu-latest
1720
steps:
1821
- uses: actions/checkout@v4
19-
- run: bash ./scripts/check-codeql-allowlist.sh
22+
23+
- name: Validate allowlist expiry dates
24+
run: bash ./scripts/check-codeql-allowlist.sh
25+
2026
gitleaks:
2127
name: "IntentProof Security: Secret Scan"
2228
runs-on: ubuntu-latest
2329
steps:
2430
- uses: actions/checkout@v4
2531
with:
2632
fetch-depth: 0
27-
- name: Install gitleaks
28-
run: |
29-
curl -sSfL \
30-
"https://github.com/gitleaks/gitleaks/releases/download/v8.24.2/gitleaks_8.24.2_linux_x64.tar.gz" \
31-
| tar -xz
32-
sudo mv gitleaks /usr/local/bin/
33+
3334
- name: Run gitleaks
34-
run: gitleaks detect --source . --config .gitleaks.toml --verbose --redact
35+
uses: gitleaks/gitleaks-action@v2
36+
env:
37+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
38+
GITLEAKS_CONFIG: .gitleaks.toml
39+
3540
analyze:
3641
name: "IntentProof Security: CodeQL (${{ matrix.language }})"
3742
needs: allowlist-expiry
@@ -42,14 +47,21 @@ jobs:
4247
language: [python]
4348
steps:
4449
- uses: actions/checkout@v4
50+
4551
- uses: actions/setup-python@v5
4652
with:
47-
python-version: "3.12"
48-
- run: pip install -e ".[dev]"
49-
- uses: github/codeql-action/init@v3
53+
python-version: "3.11"
54+
55+
- name: Install package for CodeQL
56+
run: pip install -e ".[dev]"
57+
58+
- name: Initialize CodeQL
59+
uses: github/codeql-action/init@v3
5060
with:
5161
languages: ${{ matrix.language }}
5262
queries: security-and-quality
53-
- uses: github/codeql-action/analyze@v3
63+
64+
- name: Perform CodeQL Analysis
65+
uses: github/codeql-action/analyze@v3
5466
with:
5567
category: "/language:${{ matrix.language }}"

.gitleaks.toml

Lines changed: 3 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -10,20 +10,11 @@ useDefault = true
1010
description = "Global allowlist paths for false positives"
1111
paths = [
1212
'''\.git/''',
13-
'''coverage\.out''',
1413
'''\.coverage''',
15-
'''package-lock\.json''',
16-
'''go\.sum''',
17-
'''codeql-pack\.lock\.yml''',
18-
'''keys/intentproof-security\.asc''',
19-
'''keys/intentproof-security\.fingerprint\.json''',
20-
'''golden/''',
21-
'''fixtures/''',
14+
'''tests/fixtures/''',
2215
]
23-
# Example test vectors and documentation placeholders only.
24-
regexTarget = "line"
16+
17+
[allowlist.regexTarget]
2518
regexes = [
2619
'''EXAMPLE|PLACEHOLDER|REDACTED|xxxxxxxx''',
27-
'''Ed25519(?:Private|Public)Key''',
28-
'''_instance_private_key''',
2920
]

0 commit comments

Comments
 (0)