Skip to content

Commit 7ad21c5

Browse files
theangrytech-gittheangrytech-git
authored
Update secret-scanning.yml
Refactored so no external actions are used, manual repo checkouts, .net 6 LTS installed, and SARIF upload logic has been setup.
1 parent 3f4d95c commit 7ad21c5

File tree

1 file changed

+30
-9
lines changed

1 file changed

+30
-9
lines changed

.github/workflows/secret-scanning.yml

Lines changed: 30 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -16,32 +16,53 @@ jobs:
1616
security-events: write
1717

1818
steps:
19-
- name: Checkout code
19+
- name: Checkout repository manually
2020
run: |
2121
git clone https://github.com/${{ github.repository }} .
2222
git checkout ${{ github.ref_name }}
2323
2424
- name: Set tool to only run secret scan
2525
run: echo "TOOLS=credscan" >> $GITHUB_ENV
2626

27-
- name: Install .NET 6 SDK
27+
- name: Install .NET 6 SDK (for CredScan)
2828
run: |
2929
wget https://dot.net/v1/dotnet-install.sh -O dotnet-install.sh
3030
chmod +x dotnet-install.sh
3131
./dotnet-install.sh --version 6.0.415 --install-dir "$HOME/dotnet"
32+
3233
echo "DOTNET_ROOT=$HOME/dotnet" >> $GITHUB_ENV
33-
echo "$HOME/dotnet" >> $GITHUB_PATH
34+
echo "$HOME/dotnet" >> $GITHUB_PATH
3435
3536
- name: Run Microsoft Security DevOps - Secret Scan
3637
uses: theangrytech-git/security-devops-action@main
3738
id: msdo
3839
with:
3940
tools: ${{ env.TOOLS }}
4041

41-
- name: Upload alerts to GitHub code scanning
42+
- name: Upload SARIF to GitHub Code Scanning
4243
if: github.repository_visibility == 'public'
43-
uses: ./.github/actions/upload-sarif
44-
with:
45-
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
46-
env:
47-
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
44+
run: |
45+
echo "Compressing and uploading SARIF..."
46+
sarif_file="${{ steps.msdo.outputs.sarifFile }}"
47+
if [ ! -f "$sarif_file" ]; then
48+
echo "SARIF file not found at $sarif_file"
49+
exit 0
50+
fi
51+
52+
gzip -c "$sarif_file" | base64 -w 0 > msdo.sarif.base64
53+
encoded_sarif=$(cat msdo.sarif.base64)
54+
55+
curl -s -X POST \
56+
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
57+
-H "Accept: application/vnd.github+json" \
58+
-H "Content-Type: application/json" \
59+
https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
60+
-d @- <<EOF
61+
{
62+
"commit_sha": "${{ github.sha }}",
63+
"ref": "${{ github.ref }}",
64+
"sarif": "$encoded_sarif",
65+
"checkout_uri": "https://github.com/${{ github.repository }}",
66+
"tool_name": "MSDO-CredScan"
67+
}
68+
EOF

0 commit comments

Comments
 (0)