gitleaks.yml
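# Secret scanning for pull requests: runs gitleaks over the commits between
# the PR base and the PR head and uploads a redacted SARIF report when the
# scan step fails.
name: "Gitleaks"

on:
  pull_request:

# Least privilege for GITHUB_TOKEN: this workflow only needs to read the
# repository contents for the checkout.
permissions:
  contents: read

env:
  # Quoted so the version is always treated as a string.
  GIT_GITLEAKS_VERSION: "8.18.4"
  # Empty unless the repository defines this secret (fork PRs do not receive
  # secrets); a non-empty value turns on shell tracing in the scan step.
  ACTIONS_STEP_DEBUG: '${{ secrets.ACTIONS_STEP_DEBUG }}'

jobs:
  gitleaks:
    name: "Gitleaks"
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the action reference was mangled to "[email protected]" by
      # e-mail obfuscation on the rendered page; presumably hmarr/debug-action.
      # Restore the original ref below. Third-party actions are best pinned to
      # a full commit SHA rather than a movable tag.
      - uses: hmarr/debug-action@REPLACE_WITH_ORIGINAL_REF

      - name: Configure gitleaks binary cache
        id: cache
        uses: actions/cache@v4
        with:
          path: /usr/local/bin/gitleaks
          key: gitleaks-${{ env.GIT_GITLEAKS_VERSION }}

      - name: Install tools
        if: steps.cache.outputs.cache-hit != 'true'
        shell: bash
        run: |
          set -euo pipefail
          # The version comes from the workflow-level env, so it is read as a
          # shell variable instead of being templated into the script text.
          base_url="https://github.com/zricethezav/gitleaks/releases/download/v${GIT_GITLEAKS_VERSION}"
          tarball="gitleaks_${GIT_GITLEAKS_VERSION}_linux_x64.tar.gz"
          checksums="gitleaks_${GIT_GITLEAKS_VERSION}_checksums.txt"
          cd "$(mktemp -d)"
          wget -q "${base_url}/${tarball}" "${base_url}/${checksums}"
          # Refuse to install an archive whose digest does not match the
          # release's checksum list. --ignore-missing skips the other platform
          # archives; sha256sum still fails if nothing was verified.
          # NOTE(review): the checksum list comes from the same origin as the
          # archive, so this catches a corrupted or mismatched download only.
          # Pinning the expected SHA-256 in this workflow is the stronger check.
          sha256sum --check --ignore-missing "${checksums}"
          # Extract only the binary; nothing else from the archive should land
          # in a directory on PATH.
          sudo tar xzf "${tarball}" -C /usr/local/bin gitleaks

      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history is needed so the base..head range can be resolved.
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha || github.event.after }}
          # No later step pushes or fetches, so do not leave the token in the
          # checked-out repository's git config.
          persist-credentials: false

      - name: Run gitleaks
        env:
          # Event values are passed through the environment rather than being
          # interpolated into the script, so they cannot alter the shell code.
          BASE_SHA: ${{ github.event.pull_request.base.sha || github.event.before }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
        run: |
          set -euo pipefail ${ACTIONS_STEP_DEBUG:+-x}
          # NOTE(review): the scan runs on the PR head checkout, so a
          # .gitleaks.toml or .gitleaksignore changed in the same PR presumably
          # applies to this scan; treat edits to those files as
          # security-relevant in review (for example via CODEOWNERS).
          gitleaks \
            detect \
            --source="." \
            --redact \
            -v \
            --exit-code=2 \
            --report-format=sarif \
            --report-path=results.sarif \
            --log-level=debug \
            --log-opts="${BASE_SHA}..${HEAD_SHA}"

      # The report is produced with --redact, so secret values are masked, but
      # it still names files and commits; anyone who can download the run's
      # artifacts can read it.
      - name: Upload test results
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: GitLeaks results
          path: results.sarif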