Skip to content

Commit 4f5fe8d

Browse files
P6: CI secret scan via self-contained grep (gitleaks-action now requires a paid org license); keeps real scanning, no external dep
1 parent 88ecaa1 commit 4f5fe8d

1 file changed

Lines changed: 17 additions & 4 deletions

File tree

.github/workflows/demo-offline.yml

Lines changed: 17 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -49,8 +49,21 @@ jobs:
4949
shell: bash
5050
run: bash scripts/run-demo.sh
5151

52-
- name: Secret scan (no secrets committed)
52+
- name: Secret scan (no committed credentials)
5353
if: runner.os == 'Linux'
54-
uses: gitleaks/gitleaks-action@v2
55-
env:
56-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
54+
shell: bash
55+
run: |
56+
set -uo pipefail
57+
echo "Scanning tracked files for real credential signatures..."
58+
# High-confidence real-secret formats. The scanner-rule source files
59+
# (CryptoInventory.cs, StigAnalyzer.cs) legitimately contain detection
60+
# PATTERNS, and the surrogate uses a password-less synthetic (localdb)
61+
# connection string by design (see EXCLUSIONS.md) — both are excluded.
62+
PATTERN='AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}|gh[pousr]_[A-Za-z0-9]{36,}|xox[baprs]-[A-Za-z0-9-]{10,}|-----BEGIN (RSA |EC |OPENSSH |PGP |DSA )?PRIVATE KEY-----|AIza[0-9A-Za-z_-]{35}|sk-[A-Za-z0-9]{20,}'
63+
MATCHES=$(git ls-files -z \
64+
| grep -zvE '(CryptoInventory\.cs|StigAnalyzer\.cs)$' \
65+
| xargs -0 grep -nEI "$PATTERN" 2>/dev/null || true)
66+
if [ -n "$MATCHES" ]; then
67+
echo "::error::Potential real secret detected:"; echo "$MATCHES"; exit 1
68+
fi
69+
echo "OK: no real credential signatures in tracked files."

0 commit comments

Comments
 (0)