Create secrets-scan.yml #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Secret Scanning Pipeline | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| secret-scan: | |
| runs-on: self-hosted # Use self-hosted runner on localhost | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Run git-secrets scan | |
| run: | | |
| git secrets --install # Install git-secrets hooks locally | |
| git secrets --register-aws # Register common AWS patterns | |
| git secrets --scan --recursive | |
| continue-on-error: true # Continue to the next step even if this one fails | |
| - name: Run Gitleaks scan | |
| run: | | |
| gitleaks detect --source . --report-format json --report-path gitleaks-report.json | |
| continue-on-error: true | |
| - name: Run TruffleHog scan | |
| run: | | |
| trufflehog filesystem . --json > trufflehog-report.json | |
| continue-on-error: true | |
| # Optional: Upload reports as artifacts | |
| - name: Upload secret scan reports | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: secret-scan-reports | |
| path: | | |
| gitleaks-report.json | |
| trufflehog-report.json |