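# Secrets Scanning Workflow
# Sprint: CI/CD Enhancement - Security Scanning
#
# Purpose: Detect hardcoded secrets, API keys, and credentials in code
# Triggers: Push to main/develop, all PRs
#
# Tool: PLACEHOLDER - Choose one: TruffleHog, Gitleaks, or Semgrep
#
# Until a real scanner is enabled below, the secrets-scan job only prints a
# warning and always succeeds. The summary job reports that state explicitly
# so a green check is not mistaken for a clean scan.

name: Secrets Scanning

on:
  push:
    branches: [main, develop]
  pull_request:
  workflow_dispatch:
    inputs:
      scan_history:
        description: 'Scan full git history'
        required: false
        type: boolean
        default: false

# Least privilege for the default GITHUB_TOKEN: scanning only needs to read
# the checkout. Widen per job if an enabled scanner needs more (for example
# writing PR comments).
permissions:
  contents: read

jobs:
  secrets-scan:
    name: Scan for Secrets
    runs-on: ubuntu-latest
    outputs:
      # 'true' only while the placeholder step below is in place. A real
      # scanner step does not set it, so the summary job then falls back to
      # plain success/failure reporting.
      placeholder: ${{ steps.trufflehog.outputs.placeholder }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full history (0) only on manual runs that ask for it, otherwise the
          # last 50 commits. The values are quoted on purpose: in a workflow
          # expression `cond && 0 || 50` always yields 50, because 0 is falsy
          # and the `||` branch is taken regardless of `cond`.
          fetch-depth: ${{ github.event.inputs.scan_history == 'true' && '0' || '50' }}

      # PLACEHOLDER: Choose your secrets scanner
      # Option 1: TruffleHog (recommended - comprehensive, low false positives)
      # Option 2: Gitleaks (fast, good for CI)
      # Option 3: Semgrep (if already using for SAST)
      #
      # Whichever action is enabled, pin it to a release tag or, better, a full
      # commit SHA rather than a moving branch such as @main, so an upstream
      # change cannot silently alter what runs against this repository.

      - name: TruffleHog Scan
        id: trufflehog
        # Uncomment when ready to use TruffleHog (and drop the `run:` block):
        # uses: trufflesecurity/trufflehog@<pinned tag or commit SHA>
        # with:
        #   extra_args: --only-verified
        run: |
          echo "::warning::Secrets scanning placeholder - no scanner is configured, nothing was scanned"
          echo ""
          echo "Available options:"
          echo " 1. TruffleHog: trufflesecurity/trufflehog@main"
          echo " 2. Gitleaks: gitleaks/gitleaks-action@v2"
          echo " 3. Semgrep: returntocorp/semgrep-action@v1"
          echo ""
          echo "To enable, uncomment the appropriate action above"
          # Tell the summary job that this run did not actually scan anything.
          echo "placeholder=true" >> "$GITHUB_OUTPUT"

      # Alternative: Gitleaks
      # - name: Gitleaks Scan
      #   uses: gitleaks/gitleaks-action@v2
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      #     GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

      # Alternative: Semgrep (secrets rules)
      # - name: Semgrep Secrets Scan
      #   uses: returntocorp/semgrep-action@v1
      #   with:
      #     config: p/secrets

      - name: Upload scan results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: secrets-scan-results
          # Scanner reports commonly include the matched secret values, and
          # anyone who can read the workflow run can download this artifact.
          # Keep retention short and consider redacting before upload.
          path: |
            **/trufflehog-*.json
            **/gitleaks-*.json
            **/semgrep-*.json
          retention-days: 30
          if-no-files-found: ignore

  summary:
    name: Scan Summary
    runs-on: ubuntu-latest
    needs: [secrets-scan]
    if: always()

    steps:
      - name: Generate summary
        # Context values are passed through env rather than interpolated into
        # the script body, so a branch name containing shell metacharacters
        # cannot change what the script does.
        env:
          SCAN_RESULT: ${{ needs.secrets-scan.result }}
          SCAN_PLACEHOLDER: ${{ needs.secrets-scan.outputs.placeholder }}
          EVENT_NAME: ${{ github.event_name }}
          BRANCH: ${{ github.ref_name }}
        run: |
          {
            echo "## Secrets Scanning Results"
            echo ""
            if [[ "$SCAN_PLACEHOLDER" == "true" ]]; then
              # The scan job succeeded only because it is a no-op placeholder.
              echo "### No scanner configured - secrets were NOT checked"
              echo ""
              echo "Enable TruffleHog, Gitleaks or Semgrep in the workflow."
            elif [[ "$SCAN_RESULT" == "success" ]]; then
              echo "### No secrets detected"
            elif [[ "$SCAN_RESULT" == "failure" ]]; then
              echo "### Secrets detected - review required"
              echo ""
              echo "Please review the scan artifacts for details."
            else
              echo "### Scan status: $SCAN_RESULT"
            fi
            echo ""
            echo "**Scanner:** Placeholder (configure in workflow)"
            echo "**Trigger:** $EVENT_NAME"
            echo "**Branch:** $BRANCH"
          } >> "$GITHUB_STEP_SUMMARY"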