From b968d2d76d93006e2ae15aa663102ba750552028 Mon Sep 17 00:00:00 2001
From: ThomasCardin
Date: Wed, 4 Dec 2024 15:54:19 -0500
Subject: [PATCH] issue #172: start, missing vault fetch secret step
---
 .../workflows/workflow-detect-secret-leaks.md | 0
 .../workflow-detect-secret-leaks.yml | 48 +++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 .github/workflows/workflow-detect-secret-leaks.md
 create mode 100644 .github/workflows/workflow-detect-secret-leaks.yml
diff --git a/.github/workflows/workflow-detect-secret-leaks.md b/.github/workflows/workflow-detect-secret-leaks.md
new file mode 100644
index 00000000..e69de29b
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
new file mode 100644
index 00000000..492bb138
--- /dev/null
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -0,0 +1,48 @@
+name: Detect secrets leaks
+
+on:
+  workflow_call:
+  push:
+    branches:
+      - "**"
+  pull_request:
+    branches:
+      - "**"
+
+jobs:
+  detect-secret-leaks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install git-secrets
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y git
+          git clone https://github.com/awslabs/git-secrets.git
+          cd git-secrets
+          sudo make install
+          git secrets --version
+
+      - name: Configure git-secrets
+        run: |
+          git secrets --install
+
+      - name: Add API keys to git-secrets
+        env:
+          API_KEYS: ${{ secrets.AI_CFIA_API_KEYS }}
+        run: |
+          echo "$API_KEYS" > api_keys.txt
+          while IFS= read -r api_key; do
+            git secrets --add --literal "$api_key"
+          done < api_keys.txt
+          rm -f api_keys.txt
+
+      - name: Scan repository for secrets
+        run: |
+          git secrets --scan -r
+
+      - name: Remove git-secrets patterns
+        run: |
+          git config --remove-section git-secrets || true
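Review bot: The "Install git-secrets" step clones whatever is at the head of https://github.com/awslabs/git-secrets.git at run time and then executes that checkout under `sudo make install`, so the scanner the whole job trusts is an unpinned upstream; pin it, e.g. `git clone --depth 1 --branch <pinned-tag-or-commit> https://github.com/awslabs/git-secrets.git` with the ref checked against the upstream release, and likewise pin `actions/checkout` to a full commit SHA rather than the mutable `@v3` tag. The "Remove git-secrets patterns" step has no `if: always()`, so when "Scan repository for secrets" exits non-zero on a match — the one outcome the cleanup exists for — the patterns written to `.git/config` by `git secrets --add` are never removed, and the same gap applies to `api_keys.txt` if `git secrets --add` fails before `rm -f`. The workflow declares no `permissions:` block, so the job token inherits the repository default; a scan-only job needs `permissions: {contents: read}`. With the default shallow checkout, `git secrets --scan -r` inspects only the current working tree, so a key that was committed earlier and since removed from the tree is not reported; whether history coverage is in scope for issue #172 is for the author to confirm.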