diff --git a/.env b/.env
new file mode 100644
index 0000000..2660a91
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+MY_API_KEY=super-secret-api-key
+MY_SUPER_SECRET_PASSWORD=this-is-my-password
diff --git a/.github/workflows/workflow-detect-secret-leaks.md b/.github/workflows/workflow-detect-secret-leaks.md
new file mode 100644
index 0000000..e69de29
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
new file mode 100644
index 0000000..2b45bb1
--- /dev/null
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -0,0 +1,58 @@
+name: Detect secrets leaks
+
+on:
+ workflow_call:
+ push:
+ branches:
+ - '**'
+
+jobs:
+ detect-secret-leaks:
+ runs-on: gh-runner
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ # https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets
+ # https://github.com/hashicorp/vault-action?tab=readme-ov-file#example-usage
+ - name: Authenticate with Vault using GitHub OIDC and retrieve secrets
+ uses: hashicorp/vault-action@v3.0.0
+ with:
+ url: https://vault.vault.svc.cluster.local:8200
+ method: github
+ tlsSkipVerify: true
+ githubToken: ${{ secrets.VAULT_TOKEN }}
+ secrets: |
+ kv/data/test * | VAULTACTIONKEY_;
+
+ - name: Install git-secrets
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y git build-essential
+ git clone https://github.com/awslabs/git-secrets.git
+ cd git-secrets
+ sudo make install
+
+ - name: Add API keys to git-secrets
+ run: |
+ set +H
+ set -f
+ for var in $(compgen -e VAULTACTIONKEY_); do
+ value="${!var}"
+ if [ -n "$value" ]; then
+ git secrets --add --literal "$value" || echo "git secrets failed for variable $var" >&2
+ else
+ echo "Skipping empty variable $var"
+ fi
+ done
+
+ - name: Scan repository for secrets
+ run: |
+ git secrets --scan -r
+
+ - name: Remove git-secrets patterns
+ run: |
+ git config --remove-section git-secrets || true
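Review bot: A root-level `.env` holding two credential-shaped values (`MY_API_KEY`, `MY_SUPER_SECRET_PASSWORD`) is being committed, and a file at that path is what dotenv-style loaders read by default, so it is the one most likely to be filled with a real value later and pushed. If this is meant as a fixture for the new scan, keep it under a fixtures directory with a name no loader picks up and add `.env` to `.gitignore`. Note also that the workflow in this commit only registers the literal values Vault returns for `kv/data/test` as patterns, so this file is flagged only if those exact values are stored there.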
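Review bot: The final `Remove git-secrets patterns` step never runs in the case it exists for, because a failing `git secrets --scan -r` (a match found) fails the job and the remaining steps are skipped unless they carry `if: always()`; the Vault values registered with `git secrets --add --literal` then remain in plain text in the checkout's `.git/config` on the `gh-runner` host until something else cleans the workspace, so add `if: always()` to that step. The Vault step is named "using GitHub OIDC" but `method: github` authenticates with the stored `secrets.VAULT_TOKEN`, not the job's OIDC token, so `id-token: write` is granted without being used; either switch to `method: jwt`, which consumes the OIDC token and makes the long-lived `VAULT_TOKEN` secret unnecessary, or rename the step and drop the permission. `tlsSkipVerify: true` sends that token and the retrieved secrets over a TLS connection whose peer is never verified; set it to `false` and supply the internal CA through `caCertificate`. The `git clone` of git-secrets followed by `sudo make install` builds whatever the default branch holds at run time and installs it as root on the runner; pin the clone to a release tag or commit so the installed tool is reproducible. `git secrets --scan -r` with the shallow `actions/checkout@v3` checkout inspects only the current tree, not history, which is fine if that is the intended scope but worth stating in a comment on the step.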