93 lines
3.6 KiB
YAML
93 lines
3.6 KiB
YAML
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
#
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
#
|
|
# FILE INFORMATION
|
|
# DEFGROUP: Gitea.Workflow
|
|
# INGROUP: MokoStandards.Security
|
|
# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
|
|
# PATH: /templates/workflows/gitleaks.yml.template
|
|
# VERSION: 01.00.00
|
|
# BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
|
|
#
|
|
# +========================================================================+
|
|
# | SECRET SCANNING |
|
|
# +========================================================================+
|
|
# | |
|
|
# | Scans commits for leaked secrets using Gitleaks. |
|
|
# | |
|
|
# | - PR scan: only new commits in the PR |
|
|
# | - Scheduled: full repo scan weekly |
|
|
# | - Alerts via ntfy on findings |
|
|
# | |
|
|
# +========================================================================+
|
|
|
|
name: "Universal: Secret Scanning"
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 5 * * 1' # Weekly Monday 05:00 UTC
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
|
|
NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
|
|
|
|
jobs:
|
|
gitleaks:
|
|
name: Gitleaks Secret Scan
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Install Gitleaks
|
|
run: |
|
|
GITLEAKS_VERSION="8.21.2"
|
|
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
|
|
| tar -xz -C /usr/local/bin gitleaks
|
|
gitleaks version
|
|
|
|
- name: Scan for secrets
|
|
id: scan
|
|
run: |
|
|
echo "### Secret Scanning" >> $GITHUB_STEP_SUMMARY
|
|
ARGS="--source . --verbose --report-format json --report-path /tmp/gitleaks-report.json"
|
|
|
|
if [ "${{ github.event_name }}" = "pull_request" ]; then
|
|
# Scan only PR commits
|
|
ARGS="$ARGS --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
|
|
echo "Scanning PR commits only" >> $GITHUB_STEP_SUMMARY
|
|
else
|
|
echo "Full repository scan" >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
|
|
if gitleaks detect $ARGS 2>&1; then
|
|
echo "result=clean" >> "$GITHUB_OUTPUT"
|
|
echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
|
|
else
|
|
echo "result=found" >> "$GITHUB_OUTPUT"
|
|
FINDINGS=$(jq length /tmp/gitleaks-report.json 2>/dev/null || echo "unknown")
|
|
echo "**${FINDINGS} potential secret(s) detected.**" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "Review the findings and rotate any exposed credentials immediately." >> $GITHUB_STEP_SUMMARY
|
|
exit 1
|
|
fi
|
|
|
|
- name: Notify on findings
|
|
if: failure() && steps.scan.outputs.result == 'found'
|
|
run: |
|
|
REPO="${{ github.event.repository.name }}"
|
|
curl -sS \
|
|
-H "Title: ${REPO} — secrets detected in code" \
|
|
-H "Tags: rotating_light,key" \
|
|
-H "Priority: urgent" \
|
|
-d "Gitleaks found potential secrets. Review and rotate credentials immediately." \
|
|
"${NTFY_URL}/${NTFY_TOPIC}" || true
|