feat: use gitleaks for secret scanning should be faster

2025-12-11 14:49:25 -08:00
parent b6c74febc9
commit 893751b709
1 changed files with 33 additions and 2 deletions
@@ -31,13 +31,13 @@ jobs:
          sudo apt-get update
          sudo apt-get install trivy -y

-      # Combined scan for vulnerabilities, secrets, and IaC misconfigurations
+      # Combined scan for vulnerabilities and IaC misconfigurations (secrets handled by Gitleaks)
      - name: Run Trivy comprehensive security scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
-          scanners: 'vuln,secret,misconfig'
+          scanners: 'vuln,misconfig'
          format: 'table'
          output: 'trivy-results.txt'
          severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
@@ -62,6 +62,37 @@ jobs:
            exit 1
          fi

+      # Install Gitleaks for fast secret scanning
+      - name: Install Gitleaks
+        run: |
+          wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/').tar.gz
+          tar -xzf /tmp/gitleaks.tar.gz -C /tmp
+          sudo mv /tmp/gitleaks /usr/local/bin/
+          sudo chmod +x /usr/local/bin/gitleaks
+          gitleaks version
+
+      # Secret scanning with Gitleaks
+      - name: Run Gitleaks secret scan
+        run: |
+          gitleaks detect --source . --report-path gitleaks-results.json --report-format json --no-git
+          gitleaks detect --source . --report-path gitleaks-results.txt --report-format txt
+
+      # Display Gitleaks results
+      - name: Display Gitleaks scan results
+        if: always()
+        run: |
+          if [ -f gitleaks-results.txt ]; then
+            echo "=== Gitleaks Secret Scan Results ==="
+            cat gitleaks-results.txt
+          else
+            echo "No secrets detected by Gitleaks"
+          fi
+          if [ -f gitleaks-results.json ] && [ -s gitleaks-results.json ]; then
+            echo "=== Gitleaks JSON Results ==="
+            cat gitleaks-results.json
+            exit 1
+          fi
+
      - name: Install Semgrep
        run: |
          sudo apt-get install pipx