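---
# Secret-scanning workflow: runs gitleaks over the full git history on pull
# requests, on a daily schedule and on demand, then posts the JSON findings to
# an internal webhook.
#
# Reports are produced with --redact, so they carry match metadata (rule, file,
# commit, line) but not the secret values themselves.
name: Gitleaks Secret Scan

on:
  pull_request:
    branches: [main, master]
  schedule:
    - cron: '0 4 * * *'  # daily at 04:00 UTC
  workflow_dispatch:  # Enables manual run
    inputs:
      reason:
        description: "Reason for manual run"
        required: false
        default: "Manual security scan"

# Least privilege: the job only reads the repository. If the SARIF upload step
# below is re-enabled it additionally needs `security-events: write`.
permissions:
  contents: read

jobs:
  gitleaks:
    name: Scan for secrets
    runs-on: ubuntu-latest
    steps:
      # TODO(review): consider pinning actions to a commit SHA rather than a
      # floating major tag so a moved tag cannot change what runs here.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history, so every commit is scanned, not just HEAD

      - name: Install gitleaks
        run: |
          set -euo pipefail
          # Resolve the latest release tag and strip the leading "v". With -f an
          # API error (e.g. rate limiting) fails here instead of yielding an
          # empty version and a confusing 404 on the download below.
          # TODO(review): prefer pinning GITLEAKS_VERSION to a known release so
          # a new upstream release cannot change scan results unannounced.
          GITLEAKS_VERSION=$(curl -fsSL https://api.github.com/repos/gitleaks/gitleaks/releases/latest | jq -r '.tag_name' | sed 's/^v//')
          if [ -z "${GITLEAKS_VERSION}" ] || [ "${GITLEAKS_VERSION}" = "null" ]; then
            echo "::error::could not determine the latest gitleaks version"
            exit 1
          fi
          base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          archive="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          curl -fsSL -o "${archive}" "${base}/${archive}"
          # Verify the archive against the release's published checksum list
          # before anything is extracted onto PATH. --ignore-missing skips the
          # other platforms' entries; sha256sum still fails if nothing matched.
          curl -fsSL -o checksums.txt "${base}/gitleaks_${GITLEAKS_VERSION}_checksums.txt"
          sha256sum --check --ignore-missing checksums.txt
          tar -xzf "${archive}" -C /usr/local/bin gitleaks
          rm -f "${archive}" checksums.txt
          gitleaks version

      - name: Run gitleaks
        id: scan
        run: |
          set -u
          # Both runs scan the same history: the JSON report is what gets
          # shipped, the SARIF report is kept for the (currently disabled)
          # code-scanning upload. The exit status is recorded instead of
          # swallowed -- `|| true` used to hide both "leaks found" and "tool
          # failed" -- so the job can go red after the webhook step has run.
          status=0
          gitleaks detect --source . --verbose --redact --report-format sarif --report-path gitleaks-report.sarif || status=$?
          gitleaks detect --source . --verbose --redact --report-format json --report-path gitleaks-report.json || status=$?
          echo "status=${status}" >> "$GITHUB_OUTPUT"

      # - name: Upload SARIF report
      #   if: always()
      #   uses: github/codeql-action/upload-sarif@v3
      #   with:
      #     sarif_file: gitleaks-report.sarif

      - name: Send JSON to endpoint
        # Only run when a report exists; `always()` alone also fired after a
        # failed checkout/install and then choked on the missing file.
        if: always() && hashFiles('gitleaks-report.json') != ''
        env:
          # Expression values are passed through the environment, not spliced
          # into the script: head_ref is a user-chosen branch name and must not
          # be interpolated into shell source.
          WEBHOOK_URL: ${{ secrets.SAST_GITLEAK_WEBHOOK_URL }}
          WEBHOOK_TOKEN: ${{ secrets.SAST_WEBHOOK_TOKEN }}
          BRANCH: ${{ github.head_ref || github.ref_name }}
          REPO: ${{ github.event.repository.name }}
        run: |
          set -euo pipefail
          # Secrets are not exposed to pull_request runs from forks; skip
          # delivery rather than fail the scan in that case.
          if [ -z "${WEBHOOK_URL}" ]; then
            echo "webhook URL not configured for this run; skipping delivery"
            exit 0
          fi
          # Percent-encode the query values; branch names may contain '/',
          # '#', '&' and similar characters.
          branch_q=$(jq -rn --arg v "${BRANCH}" '$v|@uri')
          repo_q=$(jq -rn --arg v "${REPO}" '$v|@uri')
          # The original URL had "&&", which produced an empty query parameter
          # between branch and repo.
          curl -fsS --max-time 30 -X POST "${WEBHOOK_URL}?branch=${branch_q}&repo=${repo_q}" \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer ${WEBHOOK_TOKEN}" \
            -d @gitleaks-report.json

      - name: Fail the job if the scan did not pass
        if: steps.scan.outputs.status != '0'
        env:
          STATUS: ${{ steps.scan.outputs.status }}
        run: |
          # gitleaks exits 1 when leaks were found; any other non-zero value
          # means the tool itself failed. Either way the check must be red --
          # the report delivery above has already happened.
          echo "::error::gitleaks exited with status ${STATUS}"
          exit 1

# Earlier versions of this workflow, kept commented out for reference.
#
# name: Gitleaks Secret Scan
# on:
#   pull_request:
#     branches: [main, master]
#   schedule:
#     - cron: '0 3 * * 1'
#   workflow_dispatch:
# jobs:
#   gitleaks:
#     name: Scan for secrets
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#         with:
#           fetch-depth: 0
#       - name: Install gitleaks
#         run: |
#           GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep '"tag_name"' | sed 's/.*"v\(.*\)".*/\1/')
#           curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz -C /usr/local/bin gitleaks
#       - name: Run gitleaks
#         run: gitleaks detect --source . --verbose --redact --report-format sarif --report-path gitleaks-report.sarif
#       - name: Upload SARIF report
#         if: always()
#         uses: github/codeql-action/upload-sarif@v3
#         with:
#           sarif_file: gitleaks-report.sarif
#
# name: Gitleaks Secret Scan
# on:
#   pull_request:
#     branches: [main, master]
#   schedule:
#     - cron: '0 3 * * 1'  # Weekly Monday 3am UTC
#   workflow_dispatch:  # Allow manual trigger
# jobs:
#   gitleaks:
#     name: Scan for secrets
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#         with:
#           fetch-depth: 0
#       - uses: gitleaks/gitleaks-action@v2
#         env:
#           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
#           GITLEAKS_ENABLE_COMMENTS: false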