From b84f2a092df0b3545a7c4f5e0628cc0250532926 Mon Sep 17 00:00:00 2001 From: Kay Hau Date: Sat, 11 Nov 2023 15:07:20 +1100 Subject: [PATCH] Added .github/workflows/secrets-scan.yml --- .../workflows/build-test-common-helper.yaml | 2 +- .github/workflows/secrets-scan.yml | 32 +++++++++++++++++++ CHANGELOG.md | 7 +++- README.md | 14 ++++---- 4 files changed, 47 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/secrets-scan.yml diff --git a/.github/workflows/build-test-common-helper.yaml b/.github/workflows/build-test-common-helper.yaml index b1503d9e..a8251fda 100644 --- a/.github/workflows/build-test-common-helper.yaml +++ b/.github/workflows/build-test-common-helper.yaml @@ -1,4 +1,4 @@ -name: Build-Test +name: Common Helper - build-and-test on: push: diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml new file mode 100644 index 00000000..dc6c61e6 --- /dev/null +++ b/.github/workflows/secrets-scan.yml @@ -0,0 +1,32 @@ +name: Secrets Scan + +on: [pull_request, push, workflow_dispatch] + +jobs: + Gitleaks: + name: Gitleaks Secrets Scan + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Gitleaks Action + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only required for Organizations, not personal accounts + + TruffleHog: + name: TruffleHog Secrets Scan + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: TruffleHog OSS + uses: trufflesecurity/trufflehog@main + with: + path: ./ + base: ${{ github.event.repository.default_branch }} + head: HEAD + extra_args: --debug --only-verified diff --git a/CHANGELOG.md b/CHANGELOG.md index 5972316e..3727d4db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
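Review bot: `uses: trufflesecurity/trufflehog@main` in the new secrets-scan.yml runs whatever is on the upstream default branch at job time inside this repo's CI, so a compromise of that branch becomes code execution here with `secrets.GITHUB_TOKEN` in the environment; pin it to a full commit SHA with a version comment (`uses: trufflesecurity/trufflehog@<40-char sha> # v3.x`) and preferably do the same for `gitleaks/gitleaks-action@v2` and `actions/checkout@v4`, since tags are movable too. The workflow also declares no `permissions:` block, so the token inherits the repository default, which may be read/write; add `permissions:` / `  contents: read` at the top level and grant `pull-requests: write` only if gitleaks-action's PR commenting turns out to need it. On a `push` to the default branch, `base: ${{ github.event.repository.default_branch }}` and `head: HEAD` should resolve to the same commit, which as far as I recall makes the TruffleHog step error out rather than scan anything; the action's README suggests leaving `base` empty for push events. Finally, `--only-verified` means credential types TruffleHog cannot verify live (internal tokens, private keys) are silently skipped, and `--debug` is noisy in logs, so a one-line comment next to `extra_args` stating that trade-off would stop a reader assuming this job catches every secret.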
@@ -2,13 +2,18 @@ All notable changes to this project will be documented in this file. +## 2023-11-11 + +### Added + + * Added .github/workflows/secrets-scan.yml + ## 2023-11-03 ### Added * Added IAM/account_id_from_access_key.py - ## 2023-10-25 ### Changed diff --git a/README.md b/README.md index 746dcc65..4efa99c4 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,10 @@ # aws-tools -[![githubactions](https://github.com/kyhau/aws-tools/workflows/Build-Test/badge.svg)](https://github.com/kyhau/aws-tools/actions/workflows/build-test-common-helper.yaml) -[![githubactions](https://github.com/kyhau/aws-tools/workflows/Lint/badge.svg)](https://github.com/kyhau/aws-tools/actions/workflows/lint.yaml) +[![githubactions](https://github.com/kyhau/aws-tools/actions/workflows/build-test-common-helper/badge.svg)](https://github.com/kyhau/aws-tools/actions/workflows/build-test-common-helper.yaml) +[![githubactions](https://github.com/kyhau/aws-tools/actions/workflows/lint.yaml/badge.svg)](https://github.com/kyhau/aws-tools/actions/workflows/lint.yaml) [![codecov](https://codecov.io/gh/kyhau/aws-tools/branch/main/graph/badge.svg)](https://codecov.io/gh/kyhau/aws-tools) -[![CodeQL](https://github.com/kyhau/aws-tools/workflows/CodeQL/badge.svg)](https://github.com/kyhau/aws-tools/actions/workflows/codeql-analysis.yml) +[![CodeQL](https://github.com/kyhau/aws-tools/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/kyhau/aws-tools/actions/workflows/codeql-analysis.yml) +[![SecretsScan](https://github.com/kyhau/aws-tools/actions/workflows/secrets-scan.yml/badge.svg)](https://github.com/kyhau/aws-tools/actions/workflows/secrets-scan.yml) This repository includes some tools and sample code I created for building with AWS. 
@@ -13,10 +14,11 @@ All notable changes to this project will be documented in [CHANGELOG](./CHANGELO ## Built with - Python, Shell, PowerShell, JavaScript, TypeScript, Go, Docker - [AWS CDK v2](https://docs.aws.amazon.com/cdk/v2/guide/home.html), [AWS SAM](https://aws.amazon.com/serverless/sam/) -- [cfn-lint](https://github.com/aws-cloudformation/cfn-lint) is used to validate CloudFormation templates in this repository. +- [cfn-lint](https://github.com/aws-cloudformation/cfn-lint) is used for to validating CloudFormation templates. - [CodeQL](https://codeql.github.com) is [enabled](.github/workflows/codeql-analysis.yml) in this repository. -- [Dependabot version updates](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates) is [enabled](.github/dependabot.yml) in this repository. -- [Snyk](https://github.com/snyk/actions) is enabled in the GitHub Actions [workflow](.github/workflows/build-test-common-helper.yaml). +- [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates) is [enabled](.github/dependabot.yml) for auto dependency updates. +- [Snyk](https://github.com/snyk/actions) is enabled in this GitHub Actions [workflow](.github/workflows/build-test-common-helper.yaml) for vulnerability scanning and auto pull-request. +- [Gitleaks](https://github.com/gitleaks/gitleaks) and [TruffleHog](https://github.com/trufflesecurity/trufflehog) are enabled in this GitHub Actions [workflow](.github/workflows/secrets-scan.yml) for secrets scanning. --- ## AWS login