MSDO/msdo-gitleaks.yml at main · theangrytech-git/MSDO · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
name: msdo-secret-scanning-gitleaks

on:
  workflow_call:
    inputs:
      branch:
        required: false
        type: string
        default: 'main'
    secrets:
      GH_TOKEN:
        required: false

jobs:
  gitleaks-scan:
    name: Gitleaks Secret Scan
    runs-on: ubuntu-latest

    permissions:
      contents: read
      id-token: write
      actions: read
      security-events: write

    steps:
      - name: Checkout repository manually
        run: |
          git clone https://github.com/${{ github.repository }} .
          git checkout ${{ github.ref_name }}

      - name: Fetch Gitleaks config from MSDO
      #This section will need to be edited to match wherever the repo will be copied to
        run: |
          echo "Fetching .gitleaks.toml from MSDO repo..."
          curl -sSL https://raw.githubusercontent.com/theangrytech-git/MSDO/main/gitleaks.toml -o .gitleaks.toml

      - name: Run Gitleaks
        run: |
          echo "Downloading Gitleaks..."
          curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz -o gitleaks.tar.gz
          tar -xzf gitleaks.tar.gz gitleaks
          chmod +x gitleaks
          ./gitleaks version

          echo " Running Gitleaks scan..."
          ./gitleaks detect \
          --source=. \
          --config=.gitleaks.toml \
          --report-format sarif \
          --report-path=gitleaks.sarif \
          --exit-code 0

      - name: Upload SARIF to GitHub Code Scanning
        if: github.repository_visibility == 'public'
        run: |
          echo "Compressing and uploading SARIF..."
          if [ ! -f "gitleaks.sarif" ]; then
            echo "SARIF file not found"
            exit 0
          fi

          gzip -c gitleaks.sarif | base64 -w 0 > gitleaks.sarif.base64
          encoded_sarif=$(cat gitleaks.sarif.base64)

          curl -s -X POST \
            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
            -H "Accept: application/vnd.github+json" \
            -H "Content-Type: application/json" \
            https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
            -d @- <<EOF
          {
            "commit_sha": "${{ github.sha }}",
            "ref": "${{ github.ref }}",
            "sarif": "$encoded_sarif",
            "checkout_uri": "https://github.com/${{ github.repository }}",
            "tool_name": "Gitleaks"
          }
          EOF