From ca3be7550d56027c4097dac36a47ac3ed2d5b5fe Mon Sep 17 00:00:00 2001 From: VMware CLA-Admin Bot Date: Thu, 13 Feb 2025 23:56:30 -0800 Subject: [PATCH] Update secrets-scanning-report.yml --- .github/workflows/secrets-scanning-report.yml | 100 +++++++++--------- 1 file changed, 51 insertions(+), 49 deletions(-) diff --git a/.github/workflows/secrets-scanning-report.yml b/.github/workflows/secrets-scanning-report.yml index 5c12475..4058c1e 100644 --- a/.github/workflows/secrets-scanning-report.yml +++ b/.github/workflows/secrets-scanning-report.yml @@ -23,41 +23,46 @@ on: - WARNING - ERROR default: 'INFO' + alert_threshold: + description: 'Number of active alerts to trigger issue creation' + required: false + type: number + default: 10 # Default threshold schedule: - - cron: '0 0 * * 1' # Weekly on Monday at midnight + - cron: '0 0 * * 1' permissions: - security-events: read # Required for secret scanning API - contents: read # Required for checking out code - actions: write # Required for artifact upload - issues: write # Required for creating issues on failure + security-events: read + contents: read + actions: write + issues: write jobs: generate-report: runs-on: ubuntu-latest - + steps: - name: Checkout code uses: actions/checkout@v4 with: fetch-depth: 1 - + - name: Set up Python uses: actions/setup-python@v4 with: - python-version: '3.11' # Updated to latest stable Python + python-version: '3.11' cache: 'pip' - cache-dependency-path: scripts/requirements.txt # Pointing to the 'scripts' directory - + cache-dependency-path: scripts/requirements.txt + - name: Install dependencies run: | python -m pip install --upgrade pip - pip install -r scripts/requirements.txt # Install dependencies from the 'scripts' directory + pip install -r scripts/requirements.txt - name: Generate timestamp id: timestamp run: echo "timestamp=$(date +%Y%m%d_%H%M%S)" >> $GITHUB_OUTPUT - + - name: Generate Secret Report id: generate-report env: 
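Review bot: The one-line justifications on the `permissions:` block (`# Required for secret scanning API`, `# Required for artifact upload`, …) are dropped together with the lines they annotated, yet the replacement lines are identical apart from the comments; that block is the workflow's least-privilege contract and the per-grant rationale is what a reviewer checks each scope against, so I would keep it, e.g. `security-events: read # read secret-scanning alerts` and `issues: write # create the summary/failure issues`. The new `alert_threshold` input's `# Default threshold` comment only restates the key; a more useful note is that `default:` applies to `workflow_dispatch` only, so scheduled runs see the input empty and every consumer of it needs its own fallback. It also looks like `cache-dependency-path: scripts/requirements.txt` is removed under `cache: 'pip'` with no replacement (the collapsed hunk makes this hard to confirm); if so, setup-python falls back to its default dependency-file pattern — confirm the cache is still keyed on `scripts/requirements.txt`.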
@@ -65,10 +70,7 @@ jobs: ORGANIZATION: ${{ github.repository_owner }} REPORT_FILE: "secret_report_${{ steps.timestamp.outputs.timestamp }}.csv" run: | - # Create output directory mkdir -p reports - - # Run the scanner with configured parameters python ./scripts/github_secret_scanner.py \ --org "$ORGANIZATION" \ --token "$GITHUB_TOKEN" \ @@ -77,10 +79,8 @@ jobs: --max-workers ${{ inputs.max_workers || 10 }} \ --max-retries 3 \ ${{ inputs.include_inactive && '--include-inactive' || '' }} - - # Save report path for later steps echo "report_path=reports/${REPORT_FILE}" >> $GITHUB_OUTPUT - + - name: Upload report uses: actions/upload-artifact@v4 if: success() 
@@ -89,23 +89,19 @@ jobs: path: ${{ steps.generate-report.outputs.report_path }} retention-days: 30 if-no-files-found: error - - - name: Process report statistics - if: success() + + - name: Process report statistics (inline) id: stats + if: success() run: | - total_alerts=$(python scripts/process_report.py --input ${{ steps.generate-report.outputs.report_path }} --count) - active_alerts=$(python scripts/process_report.py --input ${{ steps.generate-report.outputs.report_path }} --active) - - echo "Total alerts found: $total_alerts" - echo "Active alerts: $active_alerts" - - # Save stats for issue creation - echo "total_alerts=$total_alerts" >> $GITHUB_OUTPUT - echo "active_alerts=$active_alerts" >> $GITHUB_OUTPUT - - - name: Create summary issue - if: success() && ${{ steps.stats.outputs.active_alerts > 10 }} + STATS=$(grep "__STATS_START__" ${{ steps.generate-report.outputs.report_path }}/../output.txt | sed 's/__STATS_START__//' | sed 's/__STATS_END__//') + echo "total_alerts=$(echo $STATS | cut -d',' -f1 | cut -d'=' -f2)" >> $GITHUB_OUTPUT + echo "active_alerts=$(echo $STATS | cut -d',' -f2 | cut -d'=' -f2)" >> $GITHUB_OUTPUT + echo "Total alerts found: $(echo $STATS | cut -d',' -f1 | cut -d'=' -f2)" + echo "Active alerts: $(echo $STATS | cut -d',' -f2 | cut -d'=' -f2)" + + - name: Create summary issue (using github-script) + if: success() && steps.stats.outputs.active_alerts > inputs.alert_threshold uses: actions/github-script@v7 with: script: | 
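Review bot: The stats step reads `${{ steps.generate-report.outputs.report_path }}/../output.txt`, but `report_path` is the CSV file itself (`reports/secret_report_<ts>.csv`, set in the previous hunk), so the path walks `..` through a regular file and cannot resolve; nothing in the diff shows `output.txt` being written either, since the scanner step only records the CSV path. Without `pipefail` on that pipeline the failed `grep` yields an empty `STATS`, both outputs are written empty, and the issue step's `if:` silently evaluates false, so the report is never raised. I would build the path with `dirname`, fail the step when the stats file or the parsed counts are missing, and require the counts to be integers before they go into `$GITHUB_OUTPUT`, because they are later interpolated into an expression and into a JavaScript template. On the `if:` line, `inputs.alert_threshold` is empty on `schedule` runs and GitHub coerces it to 0 in the comparison, so the declared default of 10 only applies to manual dispatch; `if: success() && steps.stats.outputs.active_alerts > (inputs.alert_threshold || 10)` keeps the intended threshold on both triggers.
```yaml
      - name: Process report statistics (inline)
        # … unchanged: id, if …
        run: |
          set -euo pipefail
          # report_path is the CSV file; the stats file is expected beside it
          stats_file="$(dirname "${{ steps.generate-report.outputs.report_path }}")/output.txt"
          # NOTE(review): no step in this workflow writes output.txt — confirm the scanner produces it
          if [ ! -f "$stats_file" ]; then
            echo "::error::stats file not found: $stats_file"
            exit 1
          fi
          STATS=$(grep "__STATS_START__" "$stats_file" | sed 's/__STATS_START__//; s/__STATS_END__//')
          total_alerts=$(echo "$STATS" | cut -d',' -f1 | cut -d'=' -f2)
          active_alerts=$(echo "$STATS" | cut -d',' -f2 | cut -d'=' -f2)
          # the counts feed an `if:` comparison and a JS template later; accept digits only
          if ! [[ "$total_alerts" =~ ^[0-9]+$ && "$active_alerts" =~ ^[0-9]+$ ]]; then
            echo "::error::could not parse alert counts from $stats_file (got: '$STATS')"
            exit 1
          fi
          echo "total_alerts=$total_alerts" >> "$GITHUB_OUTPUT"
          echo "active_alerts=$active_alerts" >> "$GITHUB_OUTPUT"
          echo "Total alerts found: $total_alerts"
          echo "Active alerts: $active_alerts"
```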
@@ -113,30 +109,38 @@ jobs: total: '${{ steps.stats.outputs.total_alerts }}', active: '${{ steps.stats.outputs.active_alerts }}' }; - + + const now = new Date(); + const formattedDate = now.toLocaleDateString('en-US', { + year: 'numeric', + month: 'long', + day: 'numeric' + }); + const body = ` # Secret Scanning Report Summary - - Report generated on: ${new Date().toISOString()} - + + Report generated on: ${now.toISOString()} + ## Statistics - Total alerts analyzed: ${stats.total} - Active alerts found: ${stats.active} - + ## Details - Report artifact: [Download report](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}) - Workflow run: [View details](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}) - + ## Configuration - Include inactive alerts: ${{ inputs.include_inactive || 'false' }} - Max workers: ${{ inputs.max_workers || '10' }} - Log level: ${{ inputs.log_level || 'INFO' }} + - Alert threshold: ${{ inputs.alert_threshold || '10'}} `; - + await github.rest.issues.create({ owner: context.repo.owner, repo: context.repo.repo, - title: `📊 Secret Scanning Report - ${new Date().toISOString().split('T')[0]}`, + title: \`📊 Secret Scanning Report - \${formattedDate}\`, body: body, labels: ['secret-scanning', 'report'] }); 
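Review bot: The new title line ``title: \`📊 Secret Scanning Report - \${formattedDate}\`,`` sits inside a YAML literal block (`script: |`), where backslashes are passed through untouched, so the JavaScript that github-script evaluates contains a bare `\` outside any string and fails to parse — the summary issue is never created. That escaping is only needed inside a template literal (as in the failure-issue body, where ``\` `` yields a literal backtick in Markdown); here the backticks are the template literal, so the line should read ``title: `📊 Secret Scanning Report - ${formattedDate}`,``. The `- Alert threshold: ${{ inputs.alert_threshold || '10'}}` line also reports 10 on scheduled runs, while `inputs.alert_threshold` is empty there and the step's `if:` (previous hunk) compares against it directly, so the displayed and effective thresholds can disagree; both should derive from the same fallback expression. Dropping the ISO date from the title in favour of `toLocaleDateString('en-US', …)` also makes issue titles non-sortable; keeping `now.toISOString().split('T')[0]` alongside the long form is cheap.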
@@ -148,21 +152,21 @@ jobs: script: | const body = ` # 🚨 Secret Scanning Report Generation Failed - + Workflow run failed at ${new Date().toISOString()} - + ## Details - Run ID: \`${context.runId}\` - Trigger: ${context.eventName} - Actor: @${context.actor} - + ## Links - [View run details](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}) - [View workflow file](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/blob/main/.github/workflows/secret-scanning-report.yml) - + Please check the workflow logs for detailed error information. `; - + await github.rest.issues.create({ owner: context.repo.owner, repo: context.repo.repo, @@ -170,11 +174,10 @@ jobs: body: body, labels: ['secret-scanning', 'failed'] }); - + - name: Clean up if: always() run: | - # Securely remove any sensitive files if [ -d "reports" ]; then find reports -type f -exec shred -u {} \; rm -rf reports @@ -183,4 +186,3 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -