Fix code formatting and add security infrastructure #2
| name: Secret Scanning | |
| on: | |
| push: | |
| branches: [ main, master, develop ] | |
| pull_request: | |
| branches: [ main, master, develop ] | |
| jobs: | |
| secret-scan: | |
| name: Detect Secrets | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Full history for comprehensive scanning | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install detect-secrets | |
| run: | | |
| pip install detect-secrets | |
| - name: Run detect-secrets scan | |
| run: | | |
| detect-secrets scan \ | |
| --exclude-files 'configs/.*\.json' \ | |
| --exclude-files '\.md$' \ | |
| --exclude-files 'package-lock\.json' \ | |
| --exclude-files '\.lock$' \ | |
| --baseline .secrets.baseline | |
| - name: Check for secrets in git history (last 100 commits) | |
| run: | | |
| # Scan recent git history for accidentally committed secrets | |
| git log --all --pretty=format: -p -100 | \ | |
| detect-secrets scan --stdin \ | |
| --exclude-files 'configs/.*\.json' \ | |
| --exclude-files '\.md$' || true | |
| - name: Security scan summary | |
| if: always() | |
| run: | | |
| echo "✅ Secret scanning complete" | |
| echo "If secrets were detected, the job will fail above" | |
| echo "To update baseline: detect-secrets scan --baseline .secrets.baseline" |
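Review bot: The "Run detect-secrets scan" step cannot fail the job on a new secret, because `detect-secrets scan --baseline .secrets.baseline` only rewrites the baseline file and exits 0, so the summary's "If secrets were detected, the job will fail above" does not hold; the history step additionally ends in `|| true`, so neither step gates a merge. The `--exclude-files` patterns on the history step also look ineffective — the 1.x CLI I know has no `--stdin` flag, and even if this version accepts one, a single piped stream has no file names for those regexes to match — so that step should either be made to fail on findings or be renamed as informational. Use the pre-commit hook entry point for the main scan (fence below), which exits non-zero for any finding not already in the baseline; this assumes `.secrets.baseline` is committed, otherwise the hook errors out. Worth doing in the same file: add `permissions:` / `contents: read` at the top and pin `detect-secrets` to a version (and the actions to commit SHAs), so the scanner itself is not an unpinned supply-chain input.
```yaml
      - name: Run detect-secrets scan
        run: |
          # detect-secrets-hook exits non-zero for any finding absent from the
          # baseline; plain `detect-secrets scan --baseline` only rewrites the
          # baseline and exits 0, so it can never fail this job.
          git ls-files -z | xargs -0 detect-secrets-hook \
            --baseline .secrets.baseline \
            --exclude-files 'configs/.*\.json' \
            --exclude-files '\.md$' \
            --exclude-files 'package-lock\.json' \
            --exclude-files '\.lock$'
```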