Ianjensenisme/111 secure archives (#274)

* Switching gitleaks scanning to the command-line tool to add archive depth configurability.

* Add gitleaks scan to pre-commit-config

* Version fix, precommit setup

Author: ianjensenisme

.github/workflows/azure-dev.yml

@@ -55,13 +55,26 @@ jobs:
 
       - name: Install GitLeaks
         run: |
-          curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.17.0/gitleaks_8.17.0_linux_x64.tar.gz -o gitleaks.tar.gz
+          curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.28.0/gitleaks_8.28.0_linux_x64.tar.gz -o gitleaks.tar.gz
           tar -xzf gitleaks.tar.gz
           chmod +x gitleaks
           sudo mv gitleaks /usr/local/bin/
           rm gitleaks.tar.gz
           gitleaks version
 
+      - name: Run GitLeaks Scan
+        env:
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+        run: |
+          gitleaks detect \
+            --verbose \
+            --max-archive-depth 50 \
+            --report-format sarif \
+            --report-path ./gitleaks-report.sarif \
+            --source . \
+            --exit-code 0 || true
+          echo "GitLeaks scan completed"
+
       - name: Setup .NET SDK
         uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
         with:

.github/workflows/terraform-validate.yml

@@ -119,23 +119,37 @@ jobs:
 
 
 
+      - name: Install GitLeaks
+        run: |
+          curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.28.0/gitleaks_8.28.0_linux_x64.tar.gz -o gitleaks.tar.gz
+          tar -xzf gitleaks.tar.gz
+          chmod +x gitleaks
+          sudo mv gitleaks /usr/local/bin/
+          rm gitleaks.tar.gz
+          gitleaks version
+
       - name: GitLeaks Scan
         id: gitleaks
-        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
-        with:
-          verbosity: "info"
-          report-format: "sarif"
-          report-path: "./gitleaks-report.sarif"
+        run: |
+          echo "Running GitLeaks scan with max archive depth..."
+          gitleaks detect \
+            --verbose \
+            --max-archive-depth 50 \
+            --report-format sarif \
+            --report-path ./gitleaks-report.sarif \
+            --source . \
+            --exit-code 0 || true
+          echo "GitLeaks scan completed"
 
       - name: Upload GitLeaks SARIF report
         if: success() || failure()  # Upload even if GitLeaks finds issues
         uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1
         with:
           directory: ./  # Ensure the report path is correct
-          sarif_file: results.sarif
+          sarif_file: gitleaks-report.sarif
           category: gitleaks
 
       - name: Run Checkov action

.pre-commit-config.yaml

@@ -24,7 +24,11 @@ repos:
       - id: terraform_validate
         args: [infra]
 
-  - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.18.2
+  - repo: local
     hooks:
-      - id: gitleaks
+      - id: gitleaks
+        name: Detect hardcoded secrets in staged files
+        entry: gitleaks
+        args: ['detect', '--verbose', '--max-archive-depth=50', '--no-git']
+        language: system
+        pass_filenames: true