CI/CD security baseline: CodeQL config, SBOM submission, markdown/changelog gates #166

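name: Secrets Gate

# Blocks secrets from landing on main: scans the commits a PR or push adds
# (or the whole history on a manual run) with gitleaks and fails on any hit.
on:
  pull_request:
    branches: ['main']
  push:
    branches: ['main']
  workflow_dispatch:

# Least privilege: the job only needs to read the repository; the token gets
# no write scopes.
permissions:
  contents: read

jobs:
  gitleaks:
    name: Gitleaks Secret Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
        with:
          # Full history so the base..head / before..sha ranges below resolve.
          fetch-depth: 0
          # Do not leave GITHUB_TOKEN in .git/config for later steps to read.
          persist-credentials: false

      - name: Install gitleaks
        env:
          GITLEAKS_VERSION: '8.24.3'
          # Install OUTSIDE the workspace. GITHUB_PATH prepends to PATH, so
          # adding the checkout directory (as `echo "$PWD"` did) would let any
          # executable committed in the repository root -- e.g. a file named
          # `git`, `tar` or `curl` -- shadow the system binary in every later
          # step, including on pull_request runs from forks.
          INSTALL_DIR: ${{ runner.temp }}/gitleaks-bin
        run: |
          set -euo pipefail
          mkdir -p "${INSTALL_DIR}"
          cd "${INSTALL_DIR}"
          base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          archive="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          curl -sSfL "${base}/${archive}" -o "${archive}"
          # Verify the archive against the release's published checksum list
          # before executing anything from it. NOTE(review): this catches a
          # corrupted or substituted download, not a compromised release --
          # pinning the expected SHA-256 directly in this workflow is stronger.
          # The asset name follows the goreleaser convention gitleaks releases
          # use; confirm it if this step ever 404s after a version bump.
          curl -sSfL "${base}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" -o checksums.txt
          sha256sum --ignore-missing --check checksums.txt
          # Extract only the binary, nothing else from the archive.
          tar -xzf "${archive}" gitleaks
          chmod +x gitleaks
          echo "${INSTALL_DIR}" >> "${GITHUB_PATH}"

      - name: Determine git scan range
        id: scan-range
        shell: bash
        env:
          # Expression values go through env rather than being interpolated
          # into the script, so they are never parsed as shell syntax.
          EVENT_NAME: ${{ github.event_name }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          BEFORE_SHA: ${{ github.event.before }}
          CURRENT_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
          zero_sha='0000000000000000000000000000000000000000'
          if [[ "${EVENT_NAME}" == 'pull_request' ]]; then
            # Only the commits the PR adds on top of its base.
            log_opts="${BASE_SHA}..${HEAD_SHA}"
          elif [[ -n "${BEFORE_SHA}" && "${BEFORE_SHA}" != "${zero_sha}" ]] \
               && git cat-file -e "${BEFORE_SHA}^{commit}" 2>/dev/null; then
            # Push: the commits between the previous and the new branch tip.
            # The -n check matters: on workflow_dispatch `github.event.before`
            # is empty, and the old `"" != zero_sha` test produced "..<sha>",
            # an empty range that scanned nothing and passed. The cat-file
            # check covers a force-push whose old tip is no longer reachable.
            log_opts="${BEFORE_SHA}..${CURRENT_SHA}"
          else
            # New branch, manual run, or unreachable previous tip: scan
            # everything reachable from the current commit.
            log_opts="${CURRENT_SHA}"
          fi
          echo "Scanning range: ${log_opts}"
          echo "log_opts=${log_opts}" >> "${GITHUB_OUTPUT}"

      - name: Scan commit range for secrets
        env:
          LOG_OPTS: ${{ steps.scan-range.outputs.log_opts }}
        run: |
          set -euo pipefail
          # --redact keeps secret values out of the job log and the uploaded
          # report; --exit-code 1 fails the job on any finding.
          gitleaks git \
            --redact \
            --no-banner \
            --exit-code 1 \
            --log-opts="${LOG_OPTS}" \
            --report-format json \
            --report-path gitleaks-report.json

      - name: Upload gitleaks report
        # Upload even when the scan step fails -- that is exactly when the
        # report is needed. Findings are redacted, so the artifact holds
        # locations and rule IDs, not secret values.
        if: always()
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: gitleaks-report
          path: gitleaks-report.json
          if-no-files-found: ignore
          retention-days: 14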