From b968d2d76d93006e2ae15aa663102ba750552028 Mon Sep 17 00:00:00 2001
From: ThomasCardin
Date: Wed, 4 Dec 2024 15:54:19 -0500
Subject: [PATCH 01/22] issue #172: start, missing vault fetch secret step
---
 .../workflows/workflow-detect-secret-leaks.md | 0
 .../workflow-detect-secret-leaks.yml | 48 +++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 .github/workflows/workflow-detect-secret-leaks.md
 create mode 100644 .github/workflows/workflow-detect-secret-leaks.yml
diff --git a/.github/workflows/workflow-detect-secret-leaks.md b/.github/workflows/workflow-detect-secret-leaks.md
new file mode 100644
index 0000000..e69de29
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
new file mode 100644
index 0000000..492bb13
--- /dev/null
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -0,0 +1,48 @@
+name: Detect secrets leaks
+on:
+ workflow_call:
+ push:
+ branches:
+ - "**"
+ pull_request:
+ branches:
+ - "**"
+jobs:
+ detect-secret-leaks:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Install git-secrets
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y git
+ git clone https://github.com/awslabs/git-secrets.git
+ cd git-secrets
+ sudo make install
+ git secrets --version
+ - name: Configure git-secrets
+ run: |
+ git secrets --install
+ - name: Add API keys to git-secrets
+ env:
+ API_KEYS: ${{ secrets.AI_CFIA_API_KEYS }}
+ run: |
+ echo "$API_KEYS" > api_keys.txt
+ while IFS= read -r api_key; do
+ git secrets --add --literal "$api_key"
+ done < api_keys.txt
+ rm -f api_keys.txt
+ - name: Scan repository for secrets
+ run: |
+ git secrets --scan -r
+ - name: Remove git-secrets patterns
+ run: |
+ git config --remove-section git-secrets || true
From 7d1f7c7c889c3af476e873405c73180bcc18e28f Mon Sep 17 00:00:00 2001
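Review bot: The cleanup step's `git config --remove-section git-secrets || true` names a section git-secrets does not use — `git secrets --add` writes its patterns under `secrets.patterns`, so the section is `secrets` — which means the command fails, `|| true` hides that, and every registered key value stays in the checkout's `.git/config`; it should read `git config --remove-section secrets || true`. The step also only runs when the scan succeeded, so it is skipped on exactly the path the job exists for (a failing `git secrets --scan -r`); add `if: always()` to it, which matters more once patch 02 moves the job to `gh-runner`, where a reused workspace would carry the patterns into the next run. `git secrets --scan -r` checks the working tree only, so a key committed and deleted in a later commit is never seen; `fetch-depth: 0` on the checkout plus `git secrets --scan-history` covers history. The install step builds whatever is on the default branch of `awslabs/git-secrets` at run time and installs it with sudo, and `actions/checkout@v3` is a mutable tag; pin both (`--branch <pinned tag>` on the clone, a commit SHA on the action).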
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 10:44:05 -0500
Subject: [PATCH 02/22] issue #172: vault integration
---
 .../workflow-detect-secret-leaks.yml | 47 ++++++++++++++-----
 1 file changed, 35 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 492bb13..11f5325 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -4,18 +4,45 @@ on:
 workflow_call:
 push:
 branches:
- - "**"
- pull_request:
- branches:
- - "**"
+ - '**'
 jobs:
 detect-secret-leaks:
- runs-on: ubuntu-latest
+ runs-on: gh-runner
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - name: Checkout code
 uses: actions/checkout@v3
+ - name: Authenticate with Vault using GitHub OIDC
+ id: vault_auth
+ uses: hashicorp/vault-action@v2.4.0
+ with:
+ url: http://vault.vault.svc.cluster.local:8200
+ caCertificate: ${{ secrets.VAULT_CA_CERT }}
+ method: github
+ githubToken: ${{ secrets.VAULT_TOKEN }}
+
+ # https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets
+ - name: Retrieve secrets from Vault
+ id: get_secrets
+ uses: hashicorp/vault-action@v2.4.0
+ with:
+ url: ${{ secrets.VAULT_ADDR }}
+ method: jwt
+ role: github-actions
+ secrets: |
+ secret/kv/fertiscan/frontend * | API_KEY_ ;
+ secret/kv/fertiscan/frontend * | API_KEY_ ;
+ secret/kv/fertiscan/database * | API_KEY_ ;
+ secret/kv/fertiscan-dev * | API_KEY_ ;
+ secret/kv/nachet * | API_KEY_ ;
+ secret/kv/finesse * | API_KEY_
+ env:
+ VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
+
 - name: Install git-secrets
 run: |
 sudo apt-get update
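Review bot: The first Vault step is titled "GitHub OIDC" but authenticates with `method: github` and a static token from `secrets.VAULT_TOKEN`, and its `url:` is plain `http://`, so that token and the `vault_token` output it returns cross the cluster network unencrypted. Only the second step (`method: jwt`, `role: github-actions`) makes use of the `id-token: write` permission added in this hunk; when patch 03 merges the two steps and drops the jwt one, `id-token: write` stays granted with nothing using it. Either make the single step `method: jwt` so the workflow really authenticates with the job's OIDC token, or remove the permission and rename the step to match what it does. The `secrets:` list also names `secret/kv/fertiscan/frontend` twice, so one of the six entries is either a no-op or a path that was meant to be something else.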
@@ -30,14 +57,10 @@ jobs:
 git secrets --install
 - name: Add API keys to git-secrets
- env:
- API_KEYS: ${{ secrets.AI_CFIA_API_KEYS }}
 run: |
- echo "$API_KEYS" > api_keys.txt
- while IFS= read -r api_key; do
- git secrets --add --literal "$api_key"
- done < api_keys.txt
- rm -f api_keys.txt
+ for var in $(compgen -e API_KEY_); do
+ git secrets --add --literal "${!var}"
+ done
 - name: Scan repository for secrets
 run: |
From 8163a9839e903b6d3b00cb7f640db0a46a71675f Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 10:46:49 -0500
Subject: [PATCH 03/22] issue #172: vault integration
---
 .../workflows/workflow-detect-secret-leaks.yml | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 11f5325..efc206b 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -16,23 +16,15 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v3
- - name: Authenticate with Vault using GitHub OIDC
- id: vault_auth
+ # https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets
+ # https://github.com/hashicorp/vault-action?tab=readme-ov-file#example-usage
+ - name: Authenticate with Vault using GitHub OIDC and retrieve secrets
 uses: hashicorp/vault-action@v2.4.0
 with:
 url: http://vault.vault.svc.cluster.local:8200
 caCertificate: ${{ secrets.VAULT_CA_CERT }}
 method: github
 githubToken: ${{ secrets.VAULT_TOKEN }}
-
- # https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets
- - name: Retrieve secrets from Vault
- id: get_secrets
- uses: hashicorp/vault-action@v2.4.0
- with:
- url: ${{ secrets.VAULT_ADDR }}
- method: jwt
- role: github-actions
 secrets: |
 secret/kv/fertiscan/frontend * | API_KEY_ ;
 secret/kv/fertiscan/frontend * | API_KEY_ ;
@@ -40,8 +32,6 @@ jobs:
 secret/kv/fertiscan-dev * | API_KEY_ ;
 secret/kv/nachet * | API_KEY_ ;
 secret/kv/finesse * | API_KEY_
- env:
- VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
 - name: Install git-secrets
 run: |
From 5721e30f73278a43c1c9f44d1de0cdc52cabd156 Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 10:53:26 -0500
Subject: [PATCH 04/22] issue #172: vault integration
---
 .github/workflows/workflow-detect-secret-leaks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index efc206b..39f38c5 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -22,7 +22,7 @@ jobs:
 uses: hashicorp/vault-action@v2.4.0
 with:
 url: http://vault.vault.svc.cluster.local:8200
- caCertificate: ${{ secrets.VAULT_CA_CERT }}
+ # caCertificate: ${{ secrets.VAULT_CA_CERT }}
 method: github
 githubToken: ${{ secrets.VAULT_TOKEN }}
 secrets: |
From 8f094788a30cc59fcdf407d9e87f28e316b1188e Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 10:54:53 -0500
Subject: [PATCH 05/22] issue #172: vault integration
---
 .github/workflows/workflow-detect-secret-leaks.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 39f38c5..0ac6839 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -24,6 +24,7 @@ jobs:
 url: http://vault.vault.svc.cluster.local:8200
 # caCertificate: ${{ secrets.VAULT_CA_CERT }}
 method: github
+ tlsSkipVerify: true
 githubToken: ${{ secrets.VAULT_TOKEN }}
 secrets: |
 secret/kv/fertiscan/frontend * | API_KEY_ ;
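Review bot: `tlsSkipVerify: true` in the last hunk disables certificate validation for the Vault connection, so the `githubToken` sent with `method: github` and every secret Vault returns can be read or substituted by anything able to answer for `vault.vault.svc.cluster.local` on the cluster network, and the setting survives into the final workflow (it is still present after patch 22) rather than staying on a debugging branch. The `caCertificate: ${{ secrets.VAULT_CA_CERT }}` line commented out in patch 04 is the right mechanism — pass the cluster CA bundle there and drop `tlsSkipVerify` — and if the CA secret was the thing that failed, the fix belongs in that secret's content, not in turning verification off. At this point the `url:` is still `http://`, so neither setting takes effect until the switch to `https://` in patches 07 and 08; a comment on the step saying why the CA was removed would at least keep the reason from being lost.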
From a20c6aaf78d67496aa71315cb524a6cf6440532c Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 10:56:47 -0500
Subject: [PATCH 06/22] issue #172: vault integration
---
 .github/workflows/workflow-detect-secret-leaks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 0ac6839..2b0442b 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Authenticate with Vault using GitHub OIDC and retrieve secrets
 uses: hashicorp/vault-action@v2.4.0
 with:
- url: http://vault.vault.svc.cluster.local:8200
+ url: http://vault.vault:8200
 # caCertificate: ${{ secrets.VAULT_CA_CERT }}
 method: github
 tlsSkipVerify: true
From b6d56479279f1fa1ae4338ef13bb2edd58aa1b59 Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 10:58:34 -0500
Subject: [PATCH 07/22] issue #172: vault integration
---
 .github/workflows/workflow-detect-secret-leaks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 2b0442b..ac7db26 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Authenticate with Vault using GitHub OIDC and retrieve secrets
 uses: hashicorp/vault-action@v2.4.0
 with:
- url: http://vault.vault:8200
+ url: https://vault.vault:8200
 # caCertificate: ${{ secrets.VAULT_CA_CERT }}
 method: github
 tlsSkipVerify: true
From 98b7727f546689d8176c48820940fcb35ccf49e6 Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 11:04:20 -0500
Subject: [PATCH 08/22] issue #172: vault integration
---
 .github/workflows/workflow-detect-secret-leaks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index ac7db26..39ff223 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Authenticate with Vault using GitHub OIDC and retrieve secrets
 uses: hashicorp/vault-action@v2.4.0
 with:
- url: https://vault.vault:8200
+ url: https://vault.vault.svc.cluster.local:8200
 # caCertificate: ${{ secrets.VAULT_CA_CERT }}
 method: github
 tlsSkipVerify: true
From 93428d3e77f085a62ea63064c2fc24574ada6990 Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 11:05:39 -0500
Subject: [PATCH 09/22] issue #172: see if login works
---
 .github/workflows/workflow-detect-secret-leaks.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 39ff223..5330de6 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -26,13 +26,13 @@ jobs:
 method: github
 tlsSkipVerify: true
 githubToken: ${{ secrets.VAULT_TOKEN }}
- secrets: |
- secret/kv/fertiscan/frontend * | API_KEY_ ;
- secret/kv/fertiscan/frontend * | API_KEY_ ;
- secret/kv/fertiscan/database * | API_KEY_ ;
- secret/kv/fertiscan-dev * | API_KEY_ ;
- secret/kv/nachet * | API_KEY_ ;
- secret/kv/finesse * | API_KEY_
+ # secrets: |
+ # secret/kv/fertiscan/frontend * | API_KEY_ ;
+ # secret/kv/fertiscan/frontend * | API_KEY_ ;
+ # secret/kv/fertiscan/database * | API_KEY_ ;
+ # secret/kv/fertiscan-dev * | API_KEY_ ;
+ # secret/kv/nachet * | API_KEY_ ;
+ # secret/kv/finesse * | API_KEY_
 - name: Install git-secrets
 run: |
From aa4441e42ccd0632d309de3265bf84bbef4620a2 Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 11:06:40 -0500
Subject: [PATCH 10/22] issue #172: typo
---
 .github/workflows/workflow-detect-secret-leaks.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 5330de6..e1cc7a0 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -26,13 +26,13 @@ jobs:
 method: github
 tlsSkipVerify: true
 githubToken: ${{ secrets.VAULT_TOKEN }}
- # secrets: |
- # secret/kv/fertiscan/frontend * | API_KEY_ ;
- # secret/kv/fertiscan/frontend * | API_KEY_ ;
- # secret/kv/fertiscan/database * | API_KEY_ ;
- # secret/kv/fertiscan-dev * | API_KEY_ ;
- # secret/kv/nachet * | API_KEY_ ;
- # secret/kv/finesse * | API_KEY_
+ secrets: |
+ secrets/kv/fertiscan/frontend * | API_KEY_ ;
+ secrets/kv/fertiscan/frontend * | API_KEY_ ;
+ secrets/kv/fertiscan/database * | API_KEY_ ;
+ secrets/kv/fertiscan-dev * | API_KEY_ ;
+ secrets/kv/nachet * | API_KEY_ ;
+ secrets/kv/finesse * | API_KEY_
 - name: Install git-secrets
 run: |
From fafd5281e6906bb8c4411288a4379ae2407762fe Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 11:21:47 -0500
Subject: [PATCH 11/22] issue #172: typo
---
 .github/workflows/workflow-detect-secret-leaks.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index e1cc7a0..649d6ff 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -27,12 +27,11 @@ jobs:
 tlsSkipVerify: true
 githubToken: ${{ secrets.VAULT_TOKEN }}
 secrets: |
- secrets/kv/fertiscan/frontend * | API_KEY_ ;
- secrets/kv/fertiscan/frontend * | API_KEY_ ;
- secrets/kv/fertiscan/database * | API_KEY_ ;
- secrets/kv/fertiscan-dev * | API_KEY_ ;
- secrets/kv/nachet * | API_KEY_ ;
- secrets/kv/finesse * | API_KEY_
+ kv/data/fertiscan/backend * | API_KEY_ ;
+ kv/data/fertiscan/database * | API_KEY_ ;
+ kv/data/fertiscan-dev * | API_KEY_ ;
+ kv/data/nachet * | API_KEY_ ;
+ kv/data/finesse * | API_KEY_
 - name: Install git-secrets
 run: |
From 5e6eb7ca6fa5f24b60529efda6ed7e5b599f058d Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 11:26:01 -0500
Subject: [PATCH 12/22] issue #172: typo
---
 .github/workflows/workflow-detect-secret-leaks.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 649d6ff..1f17a2d 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
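Review bot: This "typo" commit also changes which secrets are registered: both `secrets/kv/fertiscan/frontend` entries disappear and `kv/data/fertiscan/backend` appears, so the frontend keys are no longer scanned for; if that is intended the subject should say so, otherwise the frontend path needs adding back under the new `kv/data/` form. With the `*` wildcard every key stored under each path is exported as an `API_KEY_`-prefixed variable and then registered as a forbidden literal by the loop in the add step (outside this hunk), which presumably includes any non-secret configuration values kept alongside the keys and will produce matches on ordinary code; listing the keys explicitly, or keeping these paths secret-only, avoids that. A short comment above the `secrets:` block naming which Vault paths the job is expected to cover would make the next such narrowing reviewable.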
@@ -22,16 +22,12 @@ jobs:
 uses: hashicorp/vault-action@v2.4.0
 with:
 url: https://vault.vault.svc.cluster.local:8200
- # caCertificate: ${{ secrets.VAULT_CA_CERT }}
 method: github
 tlsSkipVerify: true
 githubToken: ${{ secrets.VAULT_TOKEN }}
 secrets: |
 kv/data/fertiscan/backend * | API_KEY_ ;
- kv/data/fertiscan/database * | API_KEY_ ;
- kv/data/fertiscan-dev * | API_KEY_ ;
- kv/data/nachet * | API_KEY_ ;
- kv/data/finesse * | API_KEY_
+
 - name: Install git-secrets
 run: |
From 9ab9f9a71ba509bd4a06d889cf487f8e2a51f3f1 Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 11:28:30 -0500
Subject: [PATCH 13/22] issue #172: typo
---
 .github/workflows/workflow-detect-secret-leaks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 1f17a2d..8fa7a73 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -26,7 +26,7 @@ jobs:
 tlsSkipVerify: true
 githubToken: ${{ secrets.VAULT_TOKEN }}
 secrets: |
- kv/data/fertiscan/backend * | API_KEY_ ;
+ kv/data/fertiscan/backend `*` | API_KEY_ ;
 - name: Install git-secrets
From 727f632b177fe07e1afdb0f2a6fc51e6f80a1d5b Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 11:29:34 -0500
Subject: [PATCH 14/22] issue #172: test
---
 .github/workflows/workflow-detect-secret-leaks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 8fa7a73..cba56e8 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -26,7 +26,7 @@ jobs:
 tlsSkipVerify: true
 githubToken: ${{ secrets.VAULT_TOKEN }}
 secrets: |
- kv/data/fertiscan/backend `*` | API_KEY_ ;
+ kv/data/fertiscan/backend `AZURE_OPENAI_KEY` | API_KEY_ ;
 - name: Install git-secrets
From 7a901848f44bb78303b319b56271abff2873c7a1 Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 11:32:15 -0500
Subject: [PATCH 15/22] issue #172: test
---
 .github/workflows/workflow-detect-secret-leaks.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index cba56e8..5f91009 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -19,15 +19,14 @@ jobs:
 # https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets
 # https://github.com/hashicorp/vault-action?tab=readme-ov-file#example-usage
 - name: Authenticate with Vault using GitHub OIDC and retrieve secrets
- uses: hashicorp/vault-action@v2.4.0
+ uses: hashicorp/vault-action@v3.0.0
 with:
 url: https://vault.vault.svc.cluster.local:8200
 method: github
 tlsSkipVerify: true
 githubToken: ${{ secrets.VAULT_TOKEN }}
 secrets: |
- kv/data/fertiscan/backend `AZURE_OPENAI_KEY` | API_KEY_ ;
-
+ kv/data/fertiscan/backend * | HGHACTIONKEY_;
 - name: Install git-secrets
 run: |
@@ -44,7 +43,7 @@ jobs:
 - name: Add API keys to git-secrets
 run: |
- for var in $(compgen -e API_KEY_); do
+ for var in $(compgen -e HGHACTIONKEY_); do
 git secrets --add --literal "${!var}"
 done
From e8e3769b014a3ccb16efa952c6ee2a811a54ac64 Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 11:40:27 -0500
Subject: [PATCH 16/22] issue #172: missing make
---
 .github/workflows/workflow-detect-secret-leaks.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
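Review bot: `hashicorp/vault-action@v3.0.0` in patch 15's first hunk is a mutable tag, like `actions/checkout@v3` earlier in the file; this action handles the Vault token and every secret it returns, so pin it to the tag's commit SHA and keep the tag in a trailing comment so a re-tag cannot change the code that runs. The prefix now has to agree in two places — `| HGHACTIONKEY_;` in the `secrets:` block and `compgen -e HGHACTIONKEY_` in the second hunk — and patch 16 changes both again; a job-level `env:` entry such as `KEY_PREFIX: HGHACTIONKEY_`, referenced as `${{ env.KEY_PREFIX }}` in the `secrets:` block and as `"$KEY_PREFIX"` in the loop, would keep them from drifting. The `- name: Add API keys to git-secrets` step continues past the end of the second hunk.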
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 5f91009..ccb98f1 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -26,12 +26,12 @@ jobs:
 tlsSkipVerify: true
 githubToken: ${{ secrets.VAULT_TOKEN }}
 secrets: |
- kv/data/fertiscan/backend * | HGHACTIONKEY_;
+ kv/data/test * | VAULTACTIONKEY_;
 - name: Install git-secrets
 run: |
 sudo apt-get update
- sudo apt-get install -y git
+ sudo apt-get install -y git build-essential
 git clone https://github.com/awslabs/git-secrets.git
 cd git-secrets
 sudo make install
@@ -43,7 +43,7 @@ jobs:
 - name: Add API keys to git-secrets
 run: |
- for var in $(compgen -e HGHACTIONKEY_); do
+ for var in $(compgen -e VAULTACTIONKEY_); do
 git secrets --add --literal "${!var}"
 done
From 2d4d8b56027a059d6c93d02df70d601c2ad833f4 Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 11:42:06 -0500
Subject: [PATCH 17/22] issue #172: removed unused step
---
 .github/workflows/workflow-detect-secret-leaks.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index ccb98f1..36a83b0 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -35,11 +35,6 @@ jobs:
 git clone https://github.com/awslabs/git-secrets.git
 cd git-secrets
 sudo make install
- git secrets --version
-
- - name: Configure git-secrets
- run: |
- git secrets --install
 - name: Add API keys to git-secrets
 run: |
From f1a2a93391d782a5ee6f2d3a808004ffa4c84023 Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 11:44:27 -0500
Subject: [PATCH 18/22] issue #172: pushing secrets lol
---
 .env | 2 ++
 .github/workflows/workflow-detect-secret-leaks.yml | 5 +++++
 2 files changed, 7 insertions(+)
 create mode 100644 .env
diff --git a/.env b/.env
new file mode 100644
index 0000000..2660a91
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+MY_API_KEY=super-secret-api-key
+MY_SUPER_SECRET_PASSWORD=this-is-my-password
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 36a83b0..b86043e 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -27,6 +27,11 @@ jobs:
 githubToken: ${{ secrets.VAULT_TOKEN }}
 secrets: |
 kv/data/test * | VAULTACTIONKEY_;
+ kv/data/fertiscan/backend * | VAULTACTIONKEY_;
+ kv/data/fertiscan/database * | VAULTACTIONKEY_;
+ kv/data/fertiscan-dev * | VAULTACTIONKEY_;
+ kv/data/nachet * | VAULTACTIONKEY_;
+ kv/data/finesse * | VAULTACTIONKEY_
 - name: Install git-secrets
 run: |
From 8d5d4a14798dd166365aa0c0a00bfe0159ae650a Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 12:02:03 -0500
Subject: [PATCH 19/22] issue #172: fix
---
 .github/workflows/workflow-detect-secret-leaks.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index b86043e..2c61b25 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
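Review bot: The `.env` added in the first hunk is a fixture with two made-up values, but the scan only fails if those exact strings are also stored under one of the Vault paths listed in the second hunk, so as committed it proves nothing on its own unless `kv/data/test` was seeded with them — if it was, say so in a comment at the top of the file. It also sits at the repository root, where a real `.env` would live and where GitHub's own secret scanning and other tooling will keep flagging it; keep scanner fixtures under a test directory with names that are obviously fake, add `.env` to `.gitignore`, and delete this one once the check is confirmed — none of the remaining patches in this series (19–22) remove it. The five paths re-added in the second hunk restore the coverage that patch 12 dropped, which is the right direction; the later patches that take it away again are the ones to look at.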
@@ -43,8 +43,15 @@ jobs:
 - name: Add API keys to git-secrets
 run: |
+ set +H
+ set -f
 for var in $(compgen -e VAULTACTIONKEY_); do
- git secrets --add --literal "${!var}"
+ value="${!var}"
+ if [ -n "$value" ]; then
+ git secrets --add --literal -- "$value" || echo "git secrets failed for variable $var" >&2
+ else
+ echo "Skipping empty variable $var"
+ fi
 done
 - name: Scan repository for secrets
From dfea83aaa2df8645eaa44fb6a51fe456a3193ed5 Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 12:05:23 -0500
Subject: [PATCH 20/22] issue #172: fix
---
 .github/workflows/workflow-detect-secret-leaks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 2c61b25..ce7c15b 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -48,7 +48,7 @@ jobs:
 for var in $(compgen -e VAULTACTIONKEY_); do
 value="${!var}"
 if [ -n "$value" ]; then
- git secrets --add --literal -- "$value" || echo "git secrets failed for variable $var" >&2
+ git secrets --add --literal "$value" || echo "git secrets failed for variable $var" >&2
 else
 echo "Skipping empty variable $var"
 fi
From 06a483a1b6166e9c9aa6e627dd3b5f740fc5d08b Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 12:07:07 -0500
Subject: [PATCH 21/22] issue #172: fix
---
 .github/workflows/workflow-detect-secret-leaks.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index ce7c15b..369633f 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
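Review bot: `|| echo "git secrets failed for variable $var" >&2` in patch 19 turns a failed `--add` into a warning, so the scan step that follows runs with an incomplete pattern set and still reports green — a false negative for exactly the keys that did not register. Record the failure and fail the step after the loop, e.g. `git secrets --add --literal "$value" || { echo "git secrets failed for variable $var" >&2; failed=1; }` inside the loop and `[ -z "${failed:-}" ] || exit 1` after `done`; the message is fine as written since it prints the variable name, not the value. Patch 20 then drops the `--` separator, so a value that happens to begin with `-` is, as far as I can tell from git-secrets' option handling, read as an option rather than a pattern and lands in that same silent branch; if `--` was removed because git-secrets rejected it, a comment saying so would stop the next reader from putting it back. The `set +H` / `set -f` lines are correct for values containing `!` and glob characters and deserve a one-line comment each.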
@@ -30,8 +30,6 @@ jobs:
 kv/data/fertiscan/backend * | VAULTACTIONKEY_;
 kv/data/fertiscan/database * | VAULTACTIONKEY_;
 kv/data/fertiscan-dev * | VAULTACTIONKEY_;
- kv/data/nachet * | VAULTACTIONKEY_;
- kv/data/finesse * | VAULTACTIONKEY_
 - name: Install git-secrets
 run: |
From 8a955d2c4ae25eb718b252186d20c8052dc995eb Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 12:21:50 -0500
Subject: [PATCH 22/22] issue #172: fix
---
 .github/workflows/workflow-detect-secret-leaks.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 369633f..2b45bb1 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -27,9 +27,6 @@ jobs:
 githubToken: ${{ secrets.VAULT_TOKEN }}
 secrets: |
 kv/data/test * | VAULTACTIONKEY_;
- kv/data/fertiscan/backend * | VAULTACTIONKEY_;
- kv/data/fertiscan/database * | VAULTACTIONKEY_;
- kv/data/fertiscan-dev * | VAULTACTIONKEY_;
 - name: Install git-secrets
 run: |
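Review bot: After patch 22 the `secrets:` block fetches only `kv/data/test`, so the add step registers none of the application paths — `fertiscan/backend`, `fertiscan/database` and `fertiscan-dev` removed here, `nachet` and `finesse` removed in patch 21 — and the scan cannot detect a leaked production key; as the series ends, the workflow is a self-test of the fixture rather than a leak detector. If these paths were dropped because the action errored on them, the likely cause is the Vault policy bound to the `github` auth method not granting read on those KV paths (I can only infer this from the sequence of "fix" commits), and the fix belongs in that policy, with the paths restored here. At minimum leave a comment above `kv/data/test` stating that the real paths are pending and what blocks them, so the narrowed list is not mistaken for the intended configuration.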