diff --git a/.github/workflows/leak-scan.yml b/.github/workflows/leak-scan.yml index 1acf071..2ce390a 100644 --- a/.github/workflows/leak-scan.yml +++ b/.github/workflows/leak-scan.yml @@ -27,6 +27,14 @@ on: required: false type: string default: default + exclude-paths: + description: > + Space-separated path prefixes to exclude from the pr-diff deny-list scan. + Files whose paths start with any of these prefixes are skipped. + Only effective in pr-diff mode. + required: false + type: string + default: "" outputs: gate-summary-artifact: description: Artifact name containing the SC-4 gate-summary.json. @@ -64,6 +72,7 @@ jobs: base-ref: ${{ inputs.base-ref }} head-ref: ${{ inputs.head-ref }} deny-list: ${{ inputs.deny-list }} + exclude-paths: ${{ inputs.exclude-paths }} # Always upload gate-summary-leak-scan (SC-4 fail-safe) - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 diff --git a/actions/leak-scan/action.yml b/actions/leak-scan/action.yml index c0e1324..026830d 100644 --- a/actions/leak-scan/action.yml +++ b/actions/leak-scan/action.yml @@ -24,6 +24,13 @@ inputs: description: SC-8 mode key (default | deployment-artifact | deployment-composition). required: false default: default + exclude-paths: + description: > + Space-separated path prefixes to exclude from the pr-diff deny-list scan. + Files whose paths start with any of these prefixes are skipped. + Only effective in pr-diff mode. + required: false + default: "" runs: using: composite @@ -36,5 +43,6 @@ runs: BASE_REF: ${{ inputs.base-ref }} HEAD_REF: ${{ inputs.head-ref }} DENY_LIST: ${{ inputs.deny-list }} + EXCLUDE_PATHS: ${{ inputs.exclude-paths }} GW_ROOT: ${{ github.action_path }}/../.. run: bash "${{ github.action_path }}/run.sh" diff --git a/actions/leak-scan/run.sh b/actions/leak-scan/run.sh index 9349085..a853684 100755 --- a/actions/leak-scan/run.sh +++ b/actions/leak-scan/run.sh @@ -176,6 +176,28 @@ run_pr_diff_scan() { return 0 fi + # Apply EXCLUDE_PATHS: filter out files whose paths start with any excluded prefix. + # EXCLUDE_PATHS is a space-separated list of path prefixes (e.g. ".internal-context/"). + local filtered_files="$changed_files" + if [[ -n "${EXCLUDE_PATHS:-}" ]]; then + for excl_prefix in $EXCLUDE_PATHS; do + filtered_files=$(printf '%s\n' "$filtered_files" \ + | grep -v "^${excl_prefix}" || true) + done + local excluded_count + excluded_count=$(( $(printf '%s\n' "$changed_files" | grep -c .) - $(printf '%s\n' "$filtered_files" | grep -c . || echo 0) )) + if [[ $excluded_count -gt 0 ]]; then + printf '::notice::leak-scan: excluded %d path(s) matching EXCLUDE_PATHS prefixes\n' \ + "$excluded_count" + fi + changed_files="$filtered_files" + fi + + if [[ -z "$changed_files" ]]; then + emit_gate_summary "leak-scan" "Leak Scan" "pass" "no-changed-files-after-exclusion" "none" --redacted + return 0 + fi + printf '%s\n' "$changed_files" > changed-files.txt local gitleaks_exit=0