From 94ee67b552f08ee08916d3d6360fabe125a7e155 Mon Sep 17 00:00:00 2001 From: DK09876 Date: Tue, 10 Jun 2025 08:45:13 -0700 Subject: [PATCH 1/9] Try CLI mode --- .github/workflows/secret-scan.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index 9743ae5..63867df 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -1,4 +1,4 @@ -name: TruffleHog Secret Scan +name: TruffleHog Full Scan on: push: @@ -8,15 +8,18 @@ on: jobs: trufflehog: + name: Scan repo for secrets runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - - name: Run TruffleHog on PR diff - uses: trufflesecurity/trufflehog@v3.76.0 - with: - path: . - base: ${{ github.event.pull_request.base.sha || github.event.before }} - head: ${{ github.sha }} \ No newline at end of file + - name: Install TruffleHog + run: | + curl -sSL https://github.com/trufflesecurity/trufflehog/releases/latest/download/trufflehog-linux-amd64 -o trufflehog + chmod +x trufflehog + sudo mv trufflehog /usr/local/bin/ + + - name: Run TruffleHog scan + run: trufflehog filesystem --directory . --only-verified \ No newline at end of file From 7ef7366f362d0fdce6d321c658e9f95f02fc3e47 Mon Sep 17 00:00:00 2001 From: DK09876 Date: Tue, 10 Jun 2025 08:46:41 -0700 Subject: [PATCH 2/9] Test specific version --- .github/workflows/secret-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index 63867df..bb59df2 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -17,7 +17,7 @@ jobs: - name: Install TruffleHog run: | - curl -sSL https://github.com/trufflesecurity/trufflehog/releases/latest/download/trufflehog-linux-amd64 -o trufflehog + curl -sSL https://github.com/trufflesecurity/trufflehog/releases/download/v3.89.1/trufflehog-linux-amd64 -o trufflehog chmod +x trufflehog sudo mv trufflehog /usr/local/bin/ From 9a6e5f731205f653f895186c0823e7f925c19c41 Mon Sep 17 00:00:00 2001 From: DK09876 Date: Tue, 10 Jun 2025 08:49:38 -0700 Subject: [PATCH 3/9] Change to gitLeaks --- .github/workflows/secret-scan.yml | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index bb59df2..f12ac6d 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -1,25 +1,21 @@ -name: TruffleHog Full Scan +name: Gitleaks Secrets Scan on: - push: - branches: [ main, '**' ] pull_request: - branches: [ main, '**' ] + push: + branches: + - main jobs: - trufflehog: - name: Scan repo for secrets + gitleaks: + name: Scan for Secrets with Gitleaks runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - - name: Install TruffleHog - run: | - curl -sSL https://github.com/trufflesecurity/trufflehog/releases/download/v3.89.1/trufflehog-linux-amd64 -o trufflehog - chmod +x trufflehog - sudo mv trufflehog /usr/local/bin/ - - - name: Run TruffleHog scan - run: trufflehog filesystem --directory . --only-verified \ No newline at end of file + - name: Run Gitleaks + uses: gitleaks/gitleaks-action@v2 + with: + fail: true # Fail the build if secrets are found \ No newline at end of file From eef9e35c47b95f2024383738859791d3d33d57bd Mon Sep 17 00:00:00 2001 From: DK09876 Date: Tue, 10 Jun 2025 08:50:55 -0700 Subject: [PATCH 4/9] Add license --- .github/workflows/secret-scan.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index f12ac6d..ba59a6c 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -5,17 +5,22 @@ on: push: branches: - main + - develop + - release/* jobs: gitleaks: - name: Scan for Secrets with Gitleaks + name: Run Gitleaks Secrets Scan runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - - name: Run Gitleaks + - name: Run Gitleaks with License Key uses: gitleaks/gitleaks-action@v2 with: - fail: true # Fail the build if secrets are found \ No newline at end of file + fail: true + config-path: .github/gitleaks.toml + env: + GITLEAKS_LICENSE_KEY: E86E8A-22C271-B767AA-6055AC-F09CA3-V3 \ No newline at end of file From c183c12b6fbb9a720c65059d723c387cd02518d5 Mon Sep 17 00:00:00 2001 From: DK09876 Date: Tue, 10 Jun 2025 08:52:10 -0700 Subject: [PATCH 5/9] Gitleaks config --- .github/workflows/secret-scan.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index ba59a6c..2e3e523 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -17,10 +17,13 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Run Gitleaks with License Key + - name: Run Gitleaks uses: gitleaks/gitleaks-action@v2 - with: - fail: true - config-path: .github/gitleaks.toml env: - GITLEAKS_LICENSE_KEY: E86E8A-22C271-B767AA-6055AC-F09CA3-V3 \ No newline at end of file + GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} + with: + args: > + detect + --source . + --exit-code 1 + --report-path gitleaks-report.json \ No newline at end of file From bbec6125ee80d8b4c9bda31cd3440b9bae7e9648 Mon Sep 17 00:00:00 2001 From: DK09876 Date: Tue, 10 Jun 2025 09:14:22 -0700 Subject: [PATCH 6/9] Try v2 gitLeaks --- .github/workflows/secret-scan.yml | 35 +++++++++---------------------- 1 file changed, 10 insertions(+), 25 deletions(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index 2e3e523..558a154 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -1,29 +1,14 @@ -name: Gitleaks Secrets Scan - -on: - pull_request: - push: - branches: - - main - - develop - - release/* - +name: gitleaks +on: [pull_request, push, workflow_dispatch] jobs: - gitleaks: - name: Run Gitleaks Secrets Scan + scan: + name: gitleaks runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Gitleaks - uses: gitleaks/gitleaks-action@v2 - env: - GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} + - uses: actions/checkout@v3 with: - args: > - detect - --source . - --exit-code 1 - --report-path gitleaks-report.json \ No newline at end of file + fetch-depth: 0 + - uses: zricethezav/gitleaks-action@v2.0.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} \ No newline at end of file From 12d8b3d3d00608437abd14f44391d6117bbb4394 Mon Sep 17 00:00:00 2001 From: DK09876 Date: Tue, 10 Jun 2025 09:18:47 -0700 Subject: [PATCH 7/9] Change workflow --- .github/workflows/secret-scan.yml | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index 558a154..ef4fc30 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -1,14 +1,23 @@ -name: gitleaks -on: [pull_request, push, workflow_dispatch] +name: GitLeaks Security Scan + +on: + push: + branches: [ '*' ] + pull_request: + branches: [ '*' ] + jobs: - scan: - name: gitleaks + gitleaks: + name: Secret Detection runs-on: ubuntu-latest + steps: - - uses: actions/checkout@v3 + - name: Checkout code + uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: zricethezav/gitleaks-action@v2.0.0 + + - name: Run GitLeaks + uses: gitleaks/gitleaks-action@v2 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 5f771bf1804ae15458ac66aaf5f2873c9bf2013a Mon Sep 17 00:00:00 2001 From: DK09876 Date: Tue, 10 Jun 2025 09:19:32 -0700 Subject: [PATCH 8/9] Add license --- .github/workflows/secret-scan.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index ef4fc30..2d0704c 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -20,4 +20,5 @@ jobs: - name: Run GitLeaks uses: gitleaks/gitleaks-action@v2 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} \ No newline at end of file From a23f81bd9e25ef584fcce6066a1c620cbcf341c4 Mon Sep 17 00:00:00 2001 From: DK09876 Date: Tue, 10 Jun 2025 09:30:58 -0700 Subject: [PATCH 9/9] Add gitleaksignore file --- .gitleaksignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitleaksignore diff --git a/.gitleaksignore b/.gitleaksignore new file mode 100644 index 0000000..3109ff3 --- /dev/null +++ b/.gitleaksignore @@ -0,0 +1 @@ +eef9e35c47b95f2024383738859791d3d33d57bd:.github/workflows/secret-scan.yml:generic-api-key:26