Add secret-scanner.yml prevention workflow

hyperpolymath · hyperpolymath · commit 34ca0c0a45b8 · 2025-12-29T17:09:44.000Z
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
@@ -0,0 +1,67 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Prevention workflow - scans for hardcoded secrets before they reach main
+name: Secret Scanner
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions: read-all
+
+jobs:
+  trufflehog:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          fetch-depth: 0  # Full history for scanning
+
+      - name: TruffleHog Secret Scan
+        uses: trufflesecurity/trufflehog@8a8ef8526528d8a4ff3e2c90be08e25ef8efbd9b # v3
+        with:
+          extra_args: --only-verified --fail
+
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Gitleaks Secret Scan
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # Rust-specific: Check for hardcoded crypto values
+  rust-secrets:
+    runs-on: ubuntu-latest
+    if: hashFiles('**/Cargo.toml') != ''
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+      - name: Check for hardcoded secrets in Rust
+        run: |
+          # Patterns that suggest hardcoded secrets
+          PATTERNS=(
+            'const.*SECRET.*=.*"'
+            'const.*KEY.*=.*"[a-zA-Z0-9]{16,}"'
+            'const.*TOKEN.*=.*"'
+            'let.*api_key.*=.*"'
+            'HMAC.*"[a-fA-F0-9]{32,}"'
+            'password.*=.*"[^"]+"'
+          )
+
+          found=0
+          for pattern in "${PATTERNS[@]}"; do
+            if grep -rn --include="*.rs" -E "$pattern" src/; then
+              echo "WARNING: Potential hardcoded secret found matching: $pattern"
+              found=1
+            fi
+          done
+
+          if [ $found -eq 1 ]; then
+            echo "::error::Potential hardcoded secrets detected. Use environment variables instead."
+            exit 1
+          fi
