From 3f086dcedbefbe7d76f257f89540009a50c3b639 Mon Sep 17 00:00:00 2001 From: Sylwester Piskozub Date: Fri, 6 Feb 2026 00:02:31 +0100 Subject: [PATCH 1/3] add daily job Signed-off-by: Sylwester Piskozub --- .github/workflows/daily-secrets-scan.yml | 75 ++++++++++++++++++++++++ .github/workflows/utils/.gitleaks.toml | 11 ++++ .gitleaksignore | 27 +++++++++ 3 files changed, 113 insertions(+) create mode 100644 .github/workflows/daily-secrets-scan.yml create mode 100644 .github/workflows/utils/.gitleaks.toml create mode 100644 .gitleaksignore diff --git a/.github/workflows/daily-secrets-scan.yml b/.github/workflows/daily-secrets-scan.yml new file mode 100644 index 000000000..ed62eb4d4 --- /dev/null +++ b/.github/workflows/daily-secrets-scan.yml @@ -0,0 +1,75 @@ +name: Daily Secrets Scan + +on: + schedule: + # Run daily at 9:00 AM UTC + - cron: "0 9 * * *" + workflow_dispatch: # Allow manual triggering + +jobs: + daily-secrets-scan: + name: Daily Secrets Scan + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + + env: + CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }} + CHAINLOOP_WORKFLOW_NAME: daily-secrets-detection + CHAINLOOP_PROJECT_NAME: chainloop + + steps: + - uses: actions/checkout@v4 + + - name: Install Chainloop + run: | + curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --ee + + - name: Initialize Attestation + run: | + chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT_NAME} + + # Note: We manually install the gitleaks binary instead of using gitleaks/gitleaks-action + # because the GitHub Action requires a commercial license for organization accounts + # (see https://github.com/gitleaks/gitleaks-action/blob/master/LICENSE.txt). + # The gitleaks CLI itself is MIT licensed and free to use. + # We extract to /tmp to avoid overwriting repo files (README.md, LICENSE) from the tarball. + - name: Install Gitleaks + run: | + wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz + mkdir -p /tmp/gitleaks-install + tar -xzf gitleaks_8.30.0_linux_x64.tar.gz -C /tmp/gitleaks-install + sudo install /tmp/gitleaks-install/gitleaks /usr/local/bin/ + rm -rf /tmp/gitleaks-install gitleaks_8.30.0_linux_x64.tar.gz + gitleaks version + + - name: Run Gitleaks Scan + run: | + gitleaks dir . \ + --report-format json \ + --report-path gitleaks-report.json \ + --config .github/workflows/utils/.gitleaks.toml \ + || true + + - name: Add Gitleaks Report to Attestation + run: | + chainloop attestation add \ + --name gitleaks-scan \ + --value gitleaks-report.json \ + --kind GITLEAKS_JSON + + - name: Finish and Push Attestation + if: ${{ success() }} + run: | + chainloop attestation push + + - name: Mark attestation as failed + if: ${{ failure() }} + run: | + chainloop attestation reset + + - name: Mark attestation as cancelled + if: ${{ cancelled() }} + run: | + chainloop attestation reset --trigger cancellation diff --git a/.github/workflows/utils/.gitleaks.toml b/.github/workflows/utils/.gitleaks.toml new file mode 100644 index 000000000..e5b6fc6f8 --- /dev/null +++ b/.github/workflows/utils/.gitleaks.toml @@ -0,0 +1,11 @@ +title = "Gitleaks config" + +[extend] +useDefault = true + +# Ignore test files and test directories +[[allowlists]] +paths = [ + '''.*_test\..*''', # Test files + '''(^|/)testdata/.*''', # Testdata directories +] diff --git a/.gitleaksignore b/.gitleaksignore new file mode 100644 index 000000000..0cd2e4b18 --- /dev/null +++ b/.gitleaksignore @@ -0,0 +1,27 @@ +# .gitleaksignore +# +# This file contains fingerprints for verified false positives in gitleaks scans. +# Format: file_path:rule_id:line_number + +# PostHog public API key +app/cli/cmd/root.go:generic-api-key:413 + +# Buf dependency version +buf.yaml:generic-api-key:135 + +# Development keys +devel/devkeys/cas.pem:private-key:1 +devel/devkeys/ca.pem:private-key:1 + +# Expired JWT token example in development documentation +devel/README.md:jwt:162 + +# Helm chart deployment documentation, example private keys, content redacted or truncated +deployment/chainloop/README.md:private-key:231 +deployment/chainloop/charts/vault/README.md:private-key:96 + +# Helm chart templates, development keys that cannot be generated +deployment/chainloop/templates/_helpers.tpl:private-key:43 + +# Helm values.yaml, field documentation example +deployment/chainloop/values.yaml:private-key:114 From 41113c873af79214e315c72f95e92bb5bf48d036 Mon Sep 17 00:00:00 2001 From: Sylwester Piskozub Date: Tue, 10 Feb 2026 09:37:54 +0100 Subject: [PATCH 2/3] update workflow Signed-off-by: Sylwester Piskozub --- .github/workflows/daily-secrets-scan.yml | 31 ++++++++++++++---------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/.github/workflows/daily-secrets-scan.yml b/.github/workflows/daily-secrets-scan.yml index ed62eb4d4..32a480e93 100644 --- a/.github/workflows/daily-secrets-scan.yml +++ b/.github/workflows/daily-secrets-scan.yml @@ -1,23 +1,33 @@ -name: Daily Secrets Scan +name: Daily Secrets Detection on: schedule: # Run daily at 9:00 AM UTC - - cron: "0 9 * * *" + - cron: '0 9 * * *' workflow_dispatch: # Allow manual triggering +permissions: + contents: read + id-token: write # Required for SLSA attestation + jobs: + onboard_workflow: + name: Onboard Chainloop Workflow + uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@6bbd1c2b3022e48ae60afa0c2b90f3b6d31bcf11 + with: + project: "chainloop" + workflow_name: "daily-secrets-detection" + secrets: + api_token: ${{ secrets.CHAINLOOP_TOKEN }} + daily-secrets-scan: name: Daily Secrets Scan + needs: onboard_workflow runs-on: ubuntu-latest - permissions: - contents: read - id-token: write - env: CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }} - CHAINLOOP_WORKFLOW_NAME: daily-secrets-detection - CHAINLOOP_PROJECT_NAME: chainloop + CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }} + CHAINLOOP_PROJECT_NAME: ${{ needs.onboard_workflow.outputs.project_name }} steps: - uses: actions/checkout@v4 @@ -30,11 +40,6 @@ jobs: run: | chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT_NAME} - # Note: We manually install the gitleaks binary instead of using gitleaks/gitleaks-action - # because the GitHub Action requires a commercial license for organization accounts - # (see https://github.com/gitleaks/gitleaks-action/blob/master/LICENSE.txt). - # The gitleaks CLI itself is MIT licensed and free to use. - # We extract to /tmp to avoid overwriting repo files (README.md, LICENSE) from the tarball. - name: Install Gitleaks run: | wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz From 4cc4a195156d866f11018384877d0dceacb4cf71 Mon Sep 17 00:00:00 2001 From: Sylwester Piskozub Date: Tue, 10 Feb 2026 09:41:08 +0100 Subject: [PATCH 3/3] rename file Signed-off-by: Sylwester Piskozub --- .../workflows/{daily-secrets-scan.yml => secrets-scan-daily.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{daily-secrets-scan.yml => secrets-scan-daily.yml} (100%) diff --git a/.github/workflows/daily-secrets-scan.yml b/.github/workflows/secrets-scan-daily.yml similarity index 100% rename from .github/workflows/daily-secrets-scan.yml rename to .github/workflows/secrets-scan-daily.yml