Gitleaks #5
```yaml
name: Gitleaks

on:
  pull_request:
  workflow_dispatch:
  schedule:
    # Run at 00:00 UTC on the first day of each month
    - cron: '0 0 1 * *'

jobs:
  scan:
    name: Gitleaks Scan
    runs-on: ubuntu-latest
    # Only run scheduled jobs on main branch
    if: github.event_name != 'schedule' || github.ref == 'refs/heads/main'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run Gitleaks
        id: gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        continue-on-error: true

      - name: Create issue if leaks found
        if: steps.gitleaks.outcome == 'failure' && (github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch')
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "Creating detailed security issue report..."

          # Get current timestamp
          TIMESTAMP=$(date -u +"%Y-%m-%d %H:%M:%S UTC")

          # Create an enriched issue body
          ISSUE_BODY="## 🚨 Security Alert: Potential Secrets Detected
          **Detection Time:** ${TIMESTAMP}
          **Branch:** ${GITHUB_REF#refs/heads/}
          **Triggered by:** ${{ github.event_name == 'workflow_dispatch' && 'Manual workflow run' || (github.event_name == 'schedule' && 'Monthly scheduled scan' || 'Automated scan') }}
          **Detected by:** Gitleaks Security Scanner
          ### Details
          Gitleaks has detected one or more potential secrets or credentials in the codebase.
          ### Impact
          Exposed secrets can lead to unauthorized access, data breaches, or account compromise.
          ### Next Steps
          1. Review the workflow logs for specific details about the detected secrets: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          2. Revoke any exposed credentials immediately
          3. Remove the secrets from the codebase
          4. Consider using GitHub Secrets or environment variables instead
          ### Contact
          Please reach out to the security team for assistance if needed.
          ---
          *This issue was automatically generated by the Gitleaks security scanning workflow.*"

          gh issue create \
            --repo ${{ github.repository }} \
            --title "Security Alert: Potential secrets detected in ${{ github.event_name == 'pull_request' && format('PR #{0}', github.event.pull_request.number) || 'main branch' }}" \
            --body "${ISSUE_BODY}"
```
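The issue the workflow above opens only links to the run log, so whoever triages it has to dig through the log to find which rule fired where. The following script is an added example, not part of the gist and not gitleaks' or gitleaks-action's own code: it reads a gitleaks JSON report, deduplicates findings on gitleaks' `Fingerprint` (commit:file:rule:line), strips the `Secret` and `Match` fields so that the credential itself never lands in an issue tracker, and renders a Markdown table the `run:` step could pass to `gh issue create --body-file`. It assumes the scan step has written such a report (the gitleaks CLI does so with `--report-format json --report-path <file>`; whether the action step writes one is an assumption this example does not rely on, since the sample report is constructed inline) and that the report uses the gitleaks v8 field names listed in the docstring.

```python
"""Turn a gitleaks JSON report into an issue body that never contains the secret itself.

Added example, not part of the gist. Assumes a JSON report written by the gitleaks CLI
(`--report-format json --report-path <file>`) using the v8 field names
RuleID, File, StartLine, Commit, Fingerprint, Secret and Match.
"""
import json
import sys
from collections import Counter

# Fields that must never be copied into an issue tracker: the secret value and the raw match.
SENSITIVE_FIELDS = ("Secret", "Match")

# Constructed sample report (placeholder values, not real credentials). The third entry
# repeats the first finding's Fingerprint, as happens when the same line is scanned twice.
SAMPLE_REPORT = json.dumps([
    {"Description": "AWS Access Key", "RuleID": "aws-access-token",
     "File": "config/settings.py", "StartLine": 12, "EndLine": 12,
     "Commit": "0123456789abcdef0123456789abcdef01234567",
     "Secret": "AKIAEXAMPLEPLACEHOLDER", "Match": "AKIAEXAMPLEPLACEHOLDER",
     "Fingerprint": "0123456789abcdef0123456789abcdef01234567:config/settings.py:aws-access-token:12"},
    {"Description": "Generic API Key", "RuleID": "generic-api-key",
     "File": "scripts/deploy.sh", "StartLine": 3, "EndLine": 3,
     "Commit": "89abcdef0123456789abcdef0123456789abcdef",
     "Secret": "placeholder-api-key-value", "Match": "api_key=placeholder-api-key-value",
     "Fingerprint": "89abcdef0123456789abcdef0123456789abcdef:scripts/deploy.sh:generic-api-key:3"},
    {"Description": "AWS Access Key", "RuleID": "aws-access-token",
     "File": "config/settings.py", "StartLine": 12, "EndLine": 12,
     "Commit": "0123456789abcdef0123456789abcdef01234567",
     "Secret": "AKIAEXAMPLEPLACEHOLDER", "Match": "AKIAEXAMPLEPLACEHOLDER",
     "Fingerprint": "0123456789abcdef0123456789abcdef01234567:config/settings.py:aws-access-token:12"},
])


def load_findings(report_text: str) -> list:
    """Parse the report, drop the sensitive fields, and deduplicate on Fingerprint.

    gitleaks' Fingerprint is commit:file:rule:line, so it identifies a finding without
    containing the secret; if it is absent, the same tuple is built from the other fields.
    """
    seen = set()
    findings = []
    for raw in json.loads(report_text) or []:
        fingerprint = raw.get("Fingerprint") or ":".join(
            str(raw.get(k, "")) for k in ("Commit", "File", "RuleID", "StartLine"))
        if fingerprint in seen:
            continue
        seen.add(fingerprint)
        findings.append({k: v for k, v in raw.items() if k not in SENSITIVE_FIELDS})
    return findings


def summarize(findings: list) -> dict:
    """Count unique findings per rule and per file for the issue header."""
    return {
        "total": len(findings),
        "by_rule": dict(Counter(f["RuleID"] for f in findings)),
        "by_file": dict(Counter(f["File"] for f in findings)),
    }


def render_issue_body(findings: list, run_url: str) -> str:
    """Build the Markdown body: rule and location per finding, short commit id, no secret."""
    if not findings:
        return "No secrets detected.\n\nFull log: " + run_url
    s = summarize(findings)
    lines = [
        "## Security Alert: Potential Secrets Detected",
        "",
        f"**Unique findings:** {s['total']} across {len(s['by_file'])} file(s)",
        "",
        "| Rule | File | Line | Commit |",
        "|---|---|---|---|",
    ]
    for f in findings:
        lines.append(f"| {f['RuleID']} | `{f['File']}` | {f['StartLine']} | {f.get('Commit', '')[:12]} |")
    lines += ["", "Revoke each credential first, then remove it from the history.", "", f"Full log: {run_url}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python summarize_gitleaks.py [report.json] [run-url]; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    url = sys.argv[2] if len(sys.argv) > 2 else "https://example.invalid/actions/runs/0"
    print(render_issue_body(load_findings(text), url))
```

The point of stripping `Secret` and `Match` before rendering is that an issue is usually readable by far more people than the workflow log (and survives in notification e-mails and search indexes), so the body should carry enough to locate and revoke the credential but never the credential itself.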