Update secret-scanning.yml

added .gdn/.gdnsettings to force scanning of .tf files

Author: theangrytech-git

.github/workflows/secret-scanning.yml

@@ -1,4 +1,4 @@
-name: msdo-secret-scanning
+name: msdo-secret-scanning 
 
 on:
   workflow_call:
@@ -24,6 +24,38 @@ jobs:
           git clone https://github.com/${{ github.repository }} .
           git checkout ${{ github.ref_name }}
 
+      - name: Inject .gdnsettings to force .tf secret scanning
+        run: |
+          mkdir -p .gdn
+          cat <<EOF > .gdn/.gdnsettings
+          {
+            "version": "1.0",
+            "fileFiltering": {
+              "filePathIncludes": ["**/*.tf"],
+              "fileNameExcludes": [],
+              "filePathExcludes": []
+            },
+            "toolConfigurations": {
+              "credscan": {
+                "enabled": true,
+                "parameters": {
+                  "extension": ".tf",
+                  "scanUnknownExtensions": true,
+                  "severity": "high"
+                }
+              }
+            },
+            "break": {
+              "policies": [
+                {
+                  "tool": "credscan",
+                  "minimumSeverity": "medium"
+                }
+              ]
+            }
+          }
+EOF
+
       - name: Set tool to only run secret scan
         run: echo "TOOLS=credscan" >> $GITHUB_ENV
 
@@ -68,8 +100,8 @@ jobs:
           "checkout_uri": "https://github.com/${{ github.repository }}",
           "tool_name": "MSDO-CredScan"
           }
-          EOF
-          
+EOF
+
       # - name: Alert to Microsoft Teams on secret detection
       #   if: github.repository_visibility == 'public'
       #   run: |