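# BoostSecurity scanner module: runs Gitleaks in `dir` mode and post-processes
# the SARIF output. Indentation below is reconstructed; nesting of `setup`,
# `steps` and `post-processor` follows the order the keys appear in.
# NOTE(review): `api_version` is a plain 1.0 and so parses as a float — left
# as-is because the registry loader's expected type is not visible here.
api_version: 1.0
id: boostsecurityio/gitleaks
name: Gitleaks
namespace: boostsecurityio/gitleaks
scan_types:
  - secrets
config:
  support_diff_scan: true
setup:
  - name: Download Gitleaks
    environment:
      # Pinned release plus the sha256 of each release tarball; bumping
      # VERSION requires updating every digest below.
      VERSION: "8.28.0"
      LINUX_X86_64_SHA: "a65b5253807a68ac0cafa4414031fd740aeb55f54fb7e55f386acb52e6a840eb"
      LINUX_ARM64_SHA: "eff65261156100e5d94a6b3dec313d532fddfe19ae1590bf7a2b4f2699128356"
      MACOS_ARM64_SHA: "d942f3ad147250c9edbaab3fed9e482f98d3b59ba10ae97b8d75647e3ade492c"
      MACOS_X86_64_SHA: "edf5a507008b0d2ef4959575772772770586409c1f6f74dabf19cbe7ec341ced"
    run: |
      # Abort on the first failing command so a download or checksum failure
      # can never fall through to extracting an unverified tarball.
      set -e
      BINARY_URL="https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}"
      MACHINE="$(uname -sm)"
      case "${MACHINE}" in
        "Linux x86_64")
          BINARY_URL="${BINARY_URL}/gitleaks_${VERSION}_linux_x64.tar.gz"
          SHA="${LINUX_X86_64_SHA} gitleaks.tgz"
          ;;
        "Linux aarch64")
          BINARY_URL="${BINARY_URL}/gitleaks_${VERSION}_linux_arm64.tar.gz"
          SHA="${LINUX_ARM64_SHA} gitleaks.tgz"
          ;;
        "Darwin arm64")
          BINARY_URL="${BINARY_URL}/gitleaks_${VERSION}_darwin_arm64.tar.gz"
          SHA="${MACOS_ARM64_SHA} gitleaks.tgz"
          ;;
        "Darwin x86_64")
          BINARY_URL="${BINARY_URL}/gitleaks_${VERSION}_darwin_x64.tar.gz"
          SHA="${MACOS_X86_64_SHA} gitleaks.tgz"
          ;;
        *)
          # Report the actual uname string (the original printed an unset OPTARG).
          echo "Unsupported machine: ${MACHINE}" >&2
          exit 1
          ;;
      esac
      curl -o gitleaks.tgz -fsSL "${BINARY_URL}"
      # Verify the pinned digest before anything is extracted from the archive.
      # NOTE(review): sha256sum is a GNU coreutils tool; the Darwin branches
      # above assume it is on PATH — confirm on macOS runners.
      if ! echo "${SHA}" | sha256sum --check; then
        echo "Checksum verification failed for gitleaks ${VERSION}" >&2
        rm -f gitleaks.tgz
        exit 1
      fi
      tar --no-same-owner -zxf gitleaks.tgz gitleaks
      rm gitleaks.tgz
      chmod +x gitleaks
  - name: Copy Boost Gitleaks Rules
    run: |
      cp "$REGISTRY_MODULE_PATH/boost.toml" "$SETUP_PATH/"
steps:
  - scan:
      format: sarif
      command:
        environment:
          GITLEAKS_CONFIG: ${GITLEAKS_CONFIG:-}
        run: |
          # Fall back to the bundled rules only when no config was supplied by
          # env var and the repository does not ship its own .gitleaks.toml.
          # A failed copy is deliberately non-fatal, as in the original one-liner.
          if [ -z "$GITLEAKS_CONFIG" ] && [ -z "$GITLEAKS_CONFIG_TOML" ] && [ ! -f ".gitleaks.toml" ]; then
            cp "$SETUP_PATH/boost.toml" .gitleaks.toml || true
          fi
          # --exit-code 0: findings are reported via SARIF, not via the exit status.
          "$SETUP_PATH/gitleaks" dir --no-banner --exit-code 0 --report-format sarif --report-path "$SETUP_PATH/gitleaks-output.sarif" -l error .
          cat "$SETUP_PATH/gitleaks-output.sarif"
      post-processor:
        - docker:
            command: process
            image: public.ecr.aws/boostsecurityio/boost-scanner-gitleaks:8607e37@sha256:17beaeff56d6aad40b4c215cdaffe87214b387c63487e69f98d413da801d9543
        - docker:
            command: process
            image: public.ecr.aws/boostsecurityio/boost-scanner-keyscope:458e3dd@sha256:6b611b085271e2c8ed15590f536fd4a29221a11752ef7525bbb60be9ad241902
            environment:
              VALIDATE_SECRET: ${GITLEAKS_VALIDATE_SECRETS:-}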