diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml index 6b2a56a..7a7f8f5 100644 --- a/.gitea/workflows/security.yml +++ b/.gitea/workflows/security.yml @@ -31,13 +31,13 @@ jobs: sudo apt-get update sudo apt-get install trivy -y - # Combined scan for vulnerabilities, secrets, and IaC misconfigurations + # Combined scan for vulnerabilities and IaC misconfigurations (secrets handled by Gitleaks) - name: Run Trivy comprehensive security scan uses: aquasecurity/trivy-action@master with: scan-type: 'fs' scan-ref: '.' - scanners: 'vuln,secret,misconfig' + scanners: 'vuln,misconfig' format: 'table' output: 'trivy-results.txt' severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' @@ -62,6 +62,37 @@ jobs: exit 1 fi + # Install Gitleaks for fast secret scanning + - name: Install Gitleaks + run: | + wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/').tar.gz + tar -xzf /tmp/gitleaks.tar.gz -C /tmp + sudo mv /tmp/gitleaks /usr/local/bin/ + sudo chmod +x /usr/local/bin/gitleaks + gitleaks version + + # Secret scanning with Gitleaks + - name: Run Gitleaks secret scan + run: | + gitleaks detect --source . --report-path gitleaks-results.json --report-format json --no-git + gitleaks detect --source . --report-path gitleaks-results.txt --report-format txt + + # Display Gitleaks results + - name: Display Gitleaks scan results + if: always() + run: | + if [ -f gitleaks-results.txt ]; then + echo "=== Gitleaks Secret Scan Results ===" + cat gitleaks-results.txt + else + echo "No secrets detected by Gitleaks" + fi + if [ -f gitleaks-results.json ] && [ -s gitleaks-results.json ]; then + echo "=== Gitleaks JSON Results ===" + cat gitleaks-results.json + exit 1 + fi + - name: Install Semgrep run: | sudo apt-get install pipx
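Review bot: In the new "Run Gitleaks secret scan" step the first `gitleaks detect` exits non-zero as soon as it finds a leak (gitleaks' default exit code on findings is 1), so the step aborts before the second invocation writes gitleaks-results.txt, and the `if: always()` display step then prints "No secrets detected by Gitleaks" for exactly the run that found something. The two invocations also differ silently: the first uses `--no-git` (working tree) while the second scans git history, and `txt` is not a `--report-format` I know gitleaks to accept — please confirm, or drop it and keep one JSON run. Separately, `cat gitleaks-results.json` writes the matched secret values themselves into the job log, so run gitleaks with `--redact` (which as far as I recall also masks the Secret field in the report; confirm on the installed version). The `[ -s gitleaks-results.json ]` check is also not a findings test, since a clean run may still write `[]`, so the decision should come from gitleaks' exit status as in the rewrite below. Finally, the install step fetches `releases/latest` unpinned and without verifying the published checksums file; pin a release version and verify it before `sudo mv` to `/usr/local/bin/`.
```yaml
# … unchanged: Install Gitleaks step (pin the version and verify the checksum) …
- name: Run Gitleaks secret scan
  run: |
    # One working-tree scan; --redact keeps secret values out of the log and report.
    # gitleaks exits 0 only when no leaks are found, so the branch below is the gate.
    if gitleaks detect --source . --no-git --redact \
         --report-path gitleaks-results.json --report-format json; then
      echo "No secrets detected by Gitleaks"
    else
      echo "=== Gitleaks Secret Scan Results (redacted) ==="
      cat gitleaks-results.json
      exit 1
    fi
# … unchanged: Install Semgrep step …
```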