naomi/actions-sandbox
1
0
Fork 0
generated from nhcarrigan/template
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: use gitleaks for secret scanning should be faster
Security Scan / Security Audit (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Naomi Carrigan
2025-12-11 14:49:25 -08:00
parent b6c74febc9
commit 893751b709
1 changed files with 33 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/security.yml
+33 -2
View File
@@ -31,13 +31,13 @@ jobs:
sudo apt-get update sudo apt-get update
sudo apt-get install trivy -y sudo apt-get install trivy -y
# Combined scan for vulnerabilities, secrets, and IaC misconfigurations # Combined scan for vulnerabilities and IaC misconfigurations (secrets handled by Gitleaks)
- name: Run Trivy comprehensive security scan - name: Run Trivy comprehensive security scan
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
scan-type: 'fs' scan-type: 'fs'
scan-ref: '.' scan-ref: '.'
scanners: 'vuln,secret,misconfig' scanners: 'vuln,misconfig'
format: 'table' format: 'table'
output: 'trivy-results.txt' output: 'trivy-results.txt'
severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
@@ -62,6 +62,37 @@ jobs:
exit 1 exit 1
fi fi
# Install Gitleaks for fast secret scanning
- name: Install Gitleaks
run: |
wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/').tar.gz
tar -xzf /tmp/gitleaks.tar.gz -C /tmp
sudo mv /tmp/gitleaks /usr/local/bin/
sudo chmod +x /usr/local/bin/gitleaks
gitleaks version
# Secret scanning with Gitleaks
- name: Run Gitleaks secret scan
run: |
gitleaks detect --source . --report-path gitleaks-results.json --report-format json --no-git
gitleaks detect --source . --report-path gitleaks-results.txt --report-format txt
# Display Gitleaks results
- name: Display Gitleaks scan results
if: always()
run: |
if [ -f gitleaks-results.txt ]; then
echo "=== Gitleaks Secret Scan Results ==="
cat gitleaks-results.txt
else
echo "No secrets detected by Gitleaks"
fi
if [ -f gitleaks-results.json ] && [ -s gitleaks-results.json ]; then
echo "=== Gitleaks JSON Results ==="
cat gitleaks-results.json
exit 1
fi
- name: Install Semgrep - name: Install Semgrep
run: | run: |
sudo apt-get install pipx sudo apt-get install pipx