Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 33 additions & 11 deletions .github/workflows/secret-scanner-reusable.yml
Original file line number Diff line number Diff line change
Expand Up @@ -85,20 +85,42 @@ jobs:
# `contents: read`, which they get from the workflow-level block.
permissions:
contents: read
# gitleaks-action's `ScanPullRequest` posts a summary comment via
# the GitHub Issues/PR API. We disabled it via env vars below.
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

- name: Gitleaks Secret Scan
continue-on-error: true # gitleaks-action tool-cache PATH injection unreliable on self-hosted runners
uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3.0.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_ENABLE_COMMENTS: false
GITLEAKS_ENABLE_SUMMARY: false
# Gitleaks runs as a pinned, checksum-verified binary rather than via
# gitleaks/gitleaks-action. The action injects gitleaks into the runner
# tool-cache and prepends it to PATH, which is unreliable on self-hosted
# runners — that unreliability was the reason this step previously carried
# `continue-on-error: true`, i.e. the estate's primary secret scanner
# could not fail a PR. A pinned direct install is deterministic on every
# runner, so the scan gates for real.
- name: Install gitleaks (pinned + checksum-verified)
run: |
set -euo pipefail
GITLEAKS_VERSION=8.18.4
SHA256=ba6dbb656933921c775ee5a2d1c13a91046e7952e9d919f9bac4cec61d628e7d
cd "$RUNNER_TEMP"
curl -fsSL -o gitleaks.tar.gz \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
echo "${SHA256} gitleaks.tar.gz" | sha256sum -c -
tar -xzf gitleaks.tar.gz gitleaks
chmod +x gitleaks
./gitleaks version

# Scans the checked-out working tree (--no-git): deterministic and fast.
# A finding exits non-zero and fails the check. Full-history scanning is
# available by removing --no-git and adding `fetch-depth: 0` to the
# checkout above, at the cost of a slower scan on every PR.
- name: Gitleaks secret scan (gating)
run: |
set -euo pipefail
"$RUNNER_TEMP/gitleaks" detect \
--source . \
--no-git \
--redact \
--no-banner \
--exit-code 1

# Rust-specific: hardcoded crypto values. Self-skips when no Cargo.toml
# is present, so this job is safe to run on non-Rust repos.
Expand Down
Loading