git-secrets-scan.yml
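---
# Scans the diff of every pull request with git-secrets so that AWS credentials
# (and any other registered patterns) are caught before merge.
name: git-secrets-scan

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege: the job only reads repository contents; it never needs to
# write to the repo, issues or the PR.
permissions:
  contents: read

jobs:
  scan-for-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR code
        uses: actions/checkout@v4
        with:
          # Full history is needed so both the base and head SHAs are
          # reachable for `git cat-file` and `git diff` below.
          fetch-depth: 0

      - name: Install git-secrets
        # TODO(review): pin the clone to a specific tag or commit instead of the
        # default branch, so the scanner itself cannot change between runs.
        run: |
          git clone https://github.com/awslabs/git-secrets.git
          cd git-secrets
          sudo make install

      - name: Configure git-secrets
        # Installs the git-secrets hooks into the checked-out repository and
        # registers the built-in AWS credential patterns.
        run: |
          git secrets --install
          git secrets --register-aws

      - name: Get base and head commit SHAs
        id: pr_info
        run: |
          base_sha=$(jq -r .pull_request.base.sha "$GITHUB_EVENT_PATH")
          head_sha=$(jq -r .pull_request.head.sha "$GITHUB_EVENT_PATH")
          # Validate SHA format (40 hex characters) before the values are
          # reused as git arguments in the next step.
          if [[ ! "$base_sha" =~ ^[a-f0-9]{40}$ ]]; then
            echo "::error::Invalid base SHA format: $base_sha"
            exit 1
          fi
          if [[ ! "$head_sha" =~ ^[a-f0-9]{40}$ ]]; then
            echo "::error::Invalid head SHA format: $head_sha"
            exit 1
          fi
          echo "base_sha=$base_sha" >> "$GITHUB_OUTPUT"
          echo "head_sha=$head_sha" >> "$GITHUB_OUTPUT"

      - name: Scan diff for secrets
        # Step outputs are handed over as environment variables rather than
        # interpolated into the script text, so they stay data and are never
        # re-parsed by the shell.
        env:
          BASE_SHA: ${{ steps.pr_info.outputs.base_sha }}
          HEAD_SHA: ${{ steps.pr_info.outputs.head_sha }}
        # `shell: bash` enables `-e -o pipefail`; without pipefail a failed or
        # killed `git diff` would be masked by a passing `git secrets` run.
        shell: bash
        run: |
          base_sha="$BASE_SHA"
          head_sha="$HEAD_SHA"
          # Verify commits exist in repository
          if ! git cat-file -e "$base_sha" 2>/dev/null; then
            echo "::error::Base commit $base_sha not found"
            exit 1
          fi
          if ! git cat-file -e "$head_sha" 2>/dev/null; then
            echo "::error::Head commit $head_sha not found"
            exit 1
          fi
          # Produce the diff first so a timeout or git failure is reported as
          # such, rather than as a misleading "sensitive content" result.
          # Three-dot range: only the changes the PR introduces since its merge
          # base, not unrelated commits that landed on the base branch later.
          diff_file=$(mktemp)
          if ! timeout 300 git diff "$base_sha...$head_sha" > "$diff_file"; then
            echo "::error::git diff failed or exceeded the 300s timeout"
            exit 1
          fi
          if ! git secrets --scan - < "$diff_file"; then
            echo "::error::git-secrets detected sensitive content in this PR."
            exit 1
          fi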