@@ -111,6 +111,39 @@ jobs:
111111 echo "findings=$count" >> $GITHUB_OUTPUT
112112 echo "detect-secrets found $count potential secrets"
113113
114+ gitleaks :
115+ runs-on : ubuntu-latest
116+ outputs :
117+ count : ${{ steps.count.outputs.findings }}
118+ steps :
119+ - name : Checkout code
120+ uses : actions/checkout@v4
121+ with :
122+ fetch-depth : 0
123+
124+ - name : Install gitleaks
125+ run : |
126+ wget -O gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.18.4/gitleaks_8.18.4_linux_x64.tar.gz
127+ tar -xf gitleaks.tar.gz
128+ sudo mv gitleaks /usr/local/bin/
129+ gitleaks version
130+
131+ - name : Run gitleaks scan
132+ run : |
133+ gitleaks detect --source . --report-format json --report-path gitleaks_output.json --no-git || echo "Gitleaks scan completed"
134+ continue-on-error : true
135+
136+ - name : Count gitleaks findings
137+ id : count
138+ run : |
139+ count=0
140+ if [ -f gitleaks_output.json ]; then
141+ # Count findings in JSON output
142+ count=$(jq 'length' gitleaks_output.json 2>/dev/null || echo "0")
143+ fi
144+ echo "findings=$count" >> $GITHUB_OUTPUT
145+ echo "gitleaks found $count secrets"
146+
114147 gittyleaks :
115148 runs-on : ubuntu-latest
116149 outputs :
@@ -138,8 +171,8 @@ jobs:
138171 run : |
139172 count=0
140173 if [ -f gittyleaks_output.txt ]; then
141- # Count lines that contain findings
142- count=$(grep -c "Found " gittyleaks_output.txt || echo "0")
174+ # Count lines that contain findings (exclude header/footer lines)
175+ count=$(grep ": " gittyleaks_output.txt | grep -v "Bot Detective" | grep -v "^---" | wc -l || echo "0")
143176 fi
144177 echo "findings=$count" >> $GITHUB_OUTPUT
145178 echo "gittyleaks found $count secrets"
@@ -157,13 +190,20 @@ jobs:
157190 with :
158191 python-version : ' 3.11'
159192
160- - name : Install whispers
193+ - name : Install whispers (with timeout handling)
161194 run : |
162- pip install whispers
195+ # Try to install whispers with a timeout and fallback
196+ timeout 300 pip install whispers || echo "Failed to install whispers"
197+ continue-on-error : true
163198
164199 - name : Run whispers scan
165200 run : |
166- whispers . --output whispers_output.json --format json
201+ if command -v whispers >/dev/null 2>&1; then
202+ whispers . --output whispers_output.json --format json || echo "Whispers scan failed"
203+ else
204+ echo "Whispers not available, skipping scan"
205+ echo "[]" > whispers_output.json
206+ fi
167207 continue-on-error : true
168208
169209 - name : Count whispers findings
@@ -172,7 +212,7 @@ jobs:
172212 count=0
173213 if [ -f whispers_output.json ]; then
174214 # Count findings in JSON output
175- count=$(jq 'length' whispers_output.json || echo "0")
215+ count=$(jq 'length' whispers_output.json 2>/dev/null || echo "0")
176216 fi
177217 echo "findings=$count" >> $GITHUB_OUTPUT
178218 echo "whispers found $count secrets"
@@ -196,22 +236,22 @@ jobs:
196236
197237 - name : Run trufflehog3 scan
198238 run : |
199- trufflehog3 . --format json > trufflehog3_output.json 2>&1
239+ trufflehog3 . --format json > trufflehog3_output.json 2>&1 || echo "TruffleHog3 scan completed with warnings"
200240 continue-on-error : true
201241
202242 - name : Count trufflehog3 findings
203243 id : count
204244 run : |
205245 count=0
206246 if [ -f trufflehog3_output.json ]; then
207- # Count JSON objects ( each line is a finding)
208- count=$(cat trufflehog3_output.json | jq -s 'length' || echo "0")
247+ # Count findings - each line that starts with '{' is a finding
248+ count=$(grep -c '^{' trufflehog3_output.json || echo "0")
209249 fi
210250 echo "findings=$count" >> $GITHUB_OUTPUT
211251 echo "trufflehog3 found $count secrets"
212252
213253 summary :
214- needs : [trufflehog, git-secrets, detect-secrets, gittyleaks, whispers, trufflehog3]
254+ needs : [trufflehog, git-secrets, gitleaks, detect-secrets, gittyleaks, whispers, trufflehog3]
215255 runs-on : ubuntu-latest
216256 steps :
217257 - name : Create Summary Report
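Review bot: `count=$(grep -c '^{' trufflehog3_output.json || echo "0")` in the "Count trufflehog3 findings" step yields a two-line value when there are no findings: grep -c prints `0` and also exits 1, so the `|| echo "0"` appends a second `0`, and `echo "findings=$count" >> $GITHUB_OUTPUT` then writes a bare `0` line that the runner rejects as an invalid output-file entry. Use `count=$(grep -c '^{' trufflehog3_output.json || true)` — grep already prints the zero; the gittyleaks count in the second hunk moved away from this idiom and this step should follow. The scan line's `2>&1` also routes trufflehog3's stderr into the JSON report, so any diagnostic line beginning with `{` would be counted as a finding; sending stderr to a separate log (`2> trufflehog3_stderr.log`) keeps the count honest.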
@@ -222,19 +262,21 @@ jobs:
222262 echo "|---------|---------------|" >> $GITHUB_STEP_SUMMARY
223263 echo "| TruffleHog | ${{ needs.trufflehog.outputs.count }} |" >> $GITHUB_STEP_SUMMARY
224264 echo "| git-secrets | ${{ needs.git-secrets.outputs.count }} |" >> $GITHUB_STEP_SUMMARY
265+ echo "| gitleaks | ${{ needs.gitleaks.outputs.count }} |" >> $GITHUB_STEP_SUMMARY
225266 echo "| detect-secrets | ${{ needs.detect-secrets.outputs.count }} |" >> $GITHUB_STEP_SUMMARY
226267 echo "| gittyleaks | ${{ needs.gittyleaks.outputs.count }} |" >> $GITHUB_STEP_SUMMARY
227268 echo "| whispers | ${{ needs.whispers.outputs.count }} |" >> $GITHUB_STEP_SUMMARY
228269 echo "| trufflehog3 | ${{ needs.trufflehog3.outputs.count }} |" >> $GITHUB_STEP_SUMMARY
229270 echo "" >> $GITHUB_STEP_SUMMARY
230- echo "**Total unique scanning tools tested:** 6 " >> $GITHUB_STEP_SUMMARY
271+ echo "**Total unique scanning tools tested:** 7 " >> $GITHUB_STEP_SUMMARY
231272 echo "" >> $GITHUB_STEP_SUMMARY
232273 echo "_This benchmark helps understand the relative effectiveness of different secret scanning tools on the OWASP WrongSecrets repository._" >> $GITHUB_STEP_SUMMARY
233274
234275 # Also output to console
235276 echo "=== Secret Scanner Comparison Results ==="
236277 echo "TruffleHog: ${{ needs.trufflehog.outputs.count }} secrets"
237278 echo "git-secrets: ${{ needs.git-secrets.outputs.count }} secrets"
279+ echo "gitleaks: ${{ needs.gitleaks.outputs.count }} secrets"
238280 echo "detect-secrets: ${{ needs.detect-secrets.outputs.count }} secrets"
239281 echo "gittyleaks: ${{ needs.gittyleaks.outputs.count }} secrets"
240282 echo "whispers: ${{ needs.whispers.outputs.count }} secrets"