Commit

Merge pull request #21459 from cevich/simpler_to_read
[skip-ci] Make leak-detection readable by humans
openshift-merge-bot[bot] authored Jan 31, 2024
2 parents f7afaf9 + 28856b6 commit 4fde98f
Showing 1 changed file with 29 additions and 5 deletions.
34 changes: 29 additions & 5 deletions .github/workflows/scan-secrets.yml
Expand Up @@ -73,6 +73,28 @@ jobs:
run: |
echo "depth=$((${{ github.event.pull_request.commits }} + 1))" >> $GITHUB_OUTPUT
# A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs.
# Provide handy URL for examination of secret leaks for all events that
# trigger this action.

- if: github.event_name == 'synchronize' || github.base_ref == ''
name: Provide URL showing code that needs human eyes (force-push or merge)
shell: bash
run: |
echo "Please review force-push or merged-pr changes for secret-leaks:"
before=$(jq -r -e '.before' $GITHUB_EVENT_PATH)
after=$(jq -r -e '.after' $GITHUB_EVENT_PATH)
echo "https://github.com/${{ github.repository }}/compare/${before}...${after}"
- if: github.event_name == 'opened'
name: Provide URL showing code that needs human eyes (newly opened PR)
shell: bash
run: |
echo "Please review new PR changes for secret-leaks:"
before=$(jq -r -e '.github.event.pull_request.base.sha' $GITHUB_EVENT_PATH)
after=$(jq -r -e '.github.event.pull_request.head.sha' $GITHUB_EVENT_PATH)
echo "https://github.com/${{ github.repository }}/compare/${before}...${after}"
- name: Show important context details
shell: bash
run: |
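Review bot: The `if:` conditions on the two new URL steps compare `github.event_name` against `'synchronize'` and `'opened'`, but those are values of `github.event.action`; `github.event_name` holds the trigger name (for example `pull_request` or `push`). As written, the "newly opened PR" step never runs and the first step runs only through the `github.base_ref == ''` branch. Suggest testing `github.event.action` instead. In the "newly opened PR" step the jq filters also start with `.github.event.`, while the file at `$GITHUB_EVENT_PATH` is the event payload itself (the first step reads `.before` from its top level), so they should be `.pull_request.base.sha` and `.pull_request.head.sha`; with the current filters jq prints `null` and `-e` makes it exit non-zero. Quoting `"$GITHUB_EVENT_PATH"` in all four jq calls would be safer as well.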
Expand Down Expand Up @@ -123,12 +145,11 @@ jobs:
mkdir ${{ github.workspace }}/_report
touch ${{ github.workspace }}/_report/gitleaks-report.json
# A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs
- name: Show content being scanned
- name: Log all content being scanned to file for archiving
shell: bash
run: |
set -exuo pipefail
${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }}
${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }} >> ${{ github.workspace }}/git_commits.log
# Unfortunately gitleaks provides several in-built ways to
# completely bypass an alert within PR-level commits. Assume
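Review bot: On the redirected `gitlogcmd` line, the scanned content now goes only to `git_commits.log` and no longer appears in the job log, although the comment added earlier in this change says GHA logs are what survives a force-push. Piping the command through `tee` would keep the content in the job log and in the archived file. The redirect also appends with `>>`; unless another step writes to the file first, `>` states the intent more clearly.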
Expand Down Expand Up @@ -183,12 +204,15 @@ jobs:
$glfqin \
detect $glargs --log-opts=${{ steps.gitlog.outputs.range }}
- name: Collect scan report artifact
- name: Collect git commits log and gitleaks scan report
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: gitleaks-report
path: ${{ github.workspace }}/_report/gitleaks-report.json
path: |
${{ github.event_path }}
${{ github.workspace }}/git_commits.log
${{ github.workspace }}/_report/gitleaks-report.json
# Nobody monitors the actions-tab for failures, and may not see this
# fail on push to a nefarious PR. Send an e-mail alert to unmask
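Review bot: In the `path:` list of the upload step, `${{ github.event_path }}` normally lives outside `${{ github.workspace }}`, and upload-artifact roots a multi-path artifact at the least common ancestor of its paths, so the three files will be nested under runner directory names instead of sitting at the top level. Copying the event file into `_report/` first and uploading from there would give a flat, predictable layout. The artifact is also still named `gitleaks-report` although it now carries the event payload and the commit log, which may contain the leaked value itself; consider a name that reflects the contents and an explicit `retention-days`.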