mirror of
https://github.com/containers/podman
synced 2024-10-18 16:24:34 +00:00
Make leak-detection readable by humans
Previously when a leak was detected under any circumstance, the workflow would splat out a giant wall of gray, unreadable git-log text. This often enormous text might contain, somewhere, possibly, maybe, a little tiny snippet of code that leaks a secret. Improve the situation greatly by providing easy-to-use URLs that cover the relevant changes based on the triggering context (new PR, force-push, or merge). Store the former (often) giant git-log output into a file and stuff it into the artifacts in case it's ever useful.

Signed-off-by: Chris Evich <cevich@redhat.com>
parent 4370932a71
commit 28856b6c15
34
.github/workflows/scan-secrets.yml
vendored
@ -73,6 +73,28 @@ jobs:
run: |
echo "depth=$((${{ github.event.pull_request.commits }} + 1))" >> $GITHUB_OUTPUT
# A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs.
# Provide handy URL for examination of secret leaks for all events that
# trigger this action.
- if: github.event_name == 'synchronize' || github.base_ref == ''
name: Provide URL showing code that needs human eyes (force-push or merge)
shell: bash
run: |
echo "Please review force-push or merged-pr changes for secret-leaks:"
before=$(jq -r -e '.before' $GITHUB_EVENT_PATH)
after=$(jq -r -e '.after' $GITHUB_EVENT_PATH)
echo "https://github.com/${{ github.repository }}/compare/${before}...${after}"
- if: github.event_name == 'opened'
name: Provide URL showing code that needs human eyes (newly opened PR)
shell: bash
run: |
echo "Please review new PR changes for secret-leaks:"
before=$(jq -r -e '.github.event.pull_request.base.sha' $GITHUB_EVENT_PATH)
after=$(jq -r -e '.github.event.pull_request.head.sha' $GITHUB_EVENT_PATH)
echo "https://github.com/${{ github.repository }}/compare/${before}...${after}"
- name: Show important context details
shell: bash
run: |
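Review bot: the two new step guards test the wrong context field. `github.event_name` holds the event type (`pull_request`, `push`), whereas `opened` and `synchronize` are values of `github.event.action`, so `- if: github.event_name == 'synchronize' || github.base_ref == ''` only ever fires through the `github.base_ref == ''` branch (pushes, i.e. merges) and `- if: github.event_name == 'opened'` never fires at all; suggest `if: github.event.action == 'synchronize' || github.base_ref == ''` and `if: github.event.action == 'opened'`. The "newly opened PR" step has a second defect: `$GITHUB_EVENT_PATH` already contains the payload that `github.event` exposes, so `jq -r -e '.github.event.pull_request.base.sha' $GITHUB_EVENT_PATH` evaluates to null and, because of `-e`, exits non-zero and fails the step; the paths should be `.pull_request.base.sha` and `.pull_request.head.sha`, matching the top-level `.before`/`.after` used in the force-push step.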
@ -123,12 +145,11 @@ jobs:
mkdir ${{ github.workspace }}/_report
touch ${{ github.workspace }}/_report/gitleaks-report.json
# A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs
- name: Show content being scanned
- name: Log all content being scanned to file for archiving
shell: bash
run: |
set -exuo pipefail
${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }}
${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }} >> ${{ github.workspace }}/git_commits.log
# Unfortunately gitleaks provides several in-built ways to
# completely bypass an alert within PR-level commits. Assume
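Review bot: `${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }} >> ${{ github.workspace }}/git_commits.log` appends, but this step is the only writer of that file, so `>` states the intent more plainly and cannot accumulate stale output if the job is re-run in a reused workspace. Since the git log is no longer printed, the job log now gives a reviewer no hint that the file exists or how large it is; a one-liner such as `wc -l ${{ github.workspace }}/git_commits.log` after the redirect would record that without reintroducing the wall of text. Moving the `# A force-push to a PR can obscure Cirrus-CI logs` comment up to the URL steps is fine, as it now sits next to the code that acts on it.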
@ -183,12 +204,15 @@ jobs:
$glfqin \
detect $glargs --log-opts=${{ steps.gitlog.outputs.range }}
- name: Collect scan report artifact
- name: Collect git commits log and gitleaks scan report
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: gitleaks-report
path: ${{ github.workspace }}/_report/gitleaks-report.json
path: |
${{ github.event_path }}
${{ github.workspace }}/git_commits.log
${{ github.workspace }}/_report/gitleaks-report.json
# Nobody monitors the actions-tab for failures, and may not see this
# fail on push to a nefarious PR. Send an e-mail alert to unmask
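Review bot: the artifact now bundles `${{ github.workspace }}/git_commits.log`, which reproduces verbatim whatever secret the scan flagged, alongside the event payload and the gitleaks report; on a public repository anyone with read access can download workflow artifacts, so this widens who can obtain the leaked value compared with the job log it replaces. Suggest adding `retention-days:` under `with:` so the copy expires quickly, and renaming the artifact (it is still `name: gitleaks-report`) so that whoever downloads it knows it carries the full commit log and not just the JSON report. `if: ${{ !cancelled() }}` is the right condition for capturing the log when the scan fails.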