forked from spectrocloud/pack-central
-
Notifications
You must be signed in to change notification settings - Fork 1
48 lines (43 loc) · 1.78 KB
/
bulwark-gitleaks-pr-validation.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
name: BulwarkGitLeaks
on: [pull_request]
concurrency:
group: gitleaks-${{ github.ref }}
cancel-in-progress: true
jobs:
gitleaks-scan:
runs-on: ubuntu-latest
container:
image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest
env:
REPO: ${{ github.event.repository.name }}
BRANCH: ${{ github.head_ref || github.ref_name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_CONFIG: config.toml
steps:
- name: run-bulwark-gitleaks-scan
if: github.event.pull_request.head.repo.full_name == github.repository
shell: sh
env:
BRANCH: ${{ github.head_ref || github.ref_name }}
run: /workspace/bulwark -name CodeSASTGitLeaks -target $REPO -tags "branch:$BRANCH,options:--log-opts origin..HEAD"
- name: run-bulwark-gitleaks-scan-from-fork
if: github.event.pull_request.head.repo.full_name != github.repository
shell: sh
run: |
git clone https://github.com/${{ github.event.pull_request.head.repo.full_name }}.git -b ${BRANCH}
cd ${REPO}
git remote add scRepo https://github.com/${{ github.repository }}.git
git fetch scRepo
/workspace/bulwark -name CodeSASTGitLeaks -target pwd -tags "branch:$BRANCH,options:--log-opts HEAD..scRepo/${{ github.base_ref }}"
- name: check-result
shell: sh
run: |
resultPath=./$REPO/gitleaks.json
cat $resultPath | grep -v \"Match\"\: | grep -v \"Secret\"\:
total_failed_tests=`cat $resultPath | grep \"Fingerprint\"\: | wc -l`
if [ "$total_failed_tests" -gt 0 ]; then
echo "GitLeaks validation check failed with above findings..."
exit 1
else
echo "GitLeaks validation check passed"
fi