Skip to content

Introducing trusted publishing #11

Introducing trusted publishing

Introducing trusted publishing #11

# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to exclude files from analyses. (See "Scan"
# configuration block below.)
#
# For more information, see:
# https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection
#
# ******** NOTE ********
# Detect Secrets will compare known values from the ".secrets.baseline" file
# located in the root of the repository. Should any false detections occur,
# this file should be committed locally with an exception added to .gitignore
# to prevent inadvertent modification or overwrite.
#
name: "Secret Detection"
on:
push:
branches: [main, develop]
pull_request:
# The branches below must be a subset of the branches above
branches: [develop]
jobs:
secret-detection:
name: Secret-Detection
runs-on: ubuntu-latest
permissions:
actions: write
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Upgrade tooling
run: |
python3 -m pip install --upgrade pip
pip install --upgrade git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp
pip install --upgrade jq
- name: Create baseline config
run: |
if [ ! -f .secrets.baseline ] ;
then
# This generated baseline file will only be temporarily available on the GitHub side and will not appear in the user's local files.
# Scanning an empty folder to generate an initial .secrets.baseline without secrets in the results.
echo "⚠️ No existing .secrets.baseline file detected. Creating a new blank baseline file."
mkdir empty-dir
detect-secrets scan empty-dir > .secrets.baseline
echo "✅ Blank .secrets.baseline file created successfully."
rm -r empty-dir
else
echo "✅ Existing .secrets.baseline file detected. No new baseline file will be created."
fi
- name: Scan
run: |
# scripts scan repository for new secrets
# backup list of known secrets
cp -pr .secrets.baseline .secrets.new
# find secrets in the repository
detect-secrets scan --disable-plugin AbsolutePathDetectorExperimental --baseline .secrets.new \
--exclude-files '\.secrets..*' \
--exclude-files '\.git.*' \
--exclude-files '\.mypy_cache' \
--exclude-files '\.pytest_cache' \
--exclude-files '\.tox' \
--exclude-files '\.venv' \
--exclude-files 'venv' \
--exclude-files 'dist' \
--exclude-files 'build' \
--exclude-files '.*\.egg-info'
# break build when new secrets discovered
# function compares baseline/new secrets w/o listing results -- success(0) when new secret found
compare_secrets() { diff <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "${1}" | sort) <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "${2}" | sort) | grep -q '>' ; }
# test baseline versus new secret files
if compare_secrets .secrets.baseline .secrets.new;
then
echo "⚠️ Attention Required! ⚠️" >&2
echo "New secrets have been detected in your recent commit. Due to security concerns, we cannot display detailed information here and we cannot proceed until this issue is resolved." >&2
echo "" >&2
echo "Please follow the steps below on your local machine to reveal and handle the secrets:" >&2
echo "" >&2
echo "1️⃣ Run the 'detect-secrets' tool on your local machine. This tool will identify and clean up the secrets. You can find detailed instructions at this link: https://nasa-ammos.github.io/slim/continuous-testing/starter-kits/#detect-secrets" >&2
echo "" >&2
echo "2️⃣ After cleaning up the secrets, commit your changes and re-push your update to the repository." >&2
echo "" >&2
echo "Your efforts to maintain the security of our codebase are greatly appreciated!" >&2
exit 1
else
echo "🟢 Secrets tests PASSED! 🟢" >&1
echo "No new secrets were detected in comparison to any baseline configurations." >&1
exit 0
fi