Merge pull request #21459 from cevich/simpler_to_read

[skip-ci] Make leak-detection readable by humans
2025-07-02 08:47:43 +08:00 · 2024-01-31 21:09:41 +00:00
parent f7afaf9652 28856b6c15
commit 4fde98f380
1 changed files with 29 additions and 5 deletions
--- a/.github/workflows/scan-secrets.yml
+++ b/.github/workflows/scan-secrets.yml
@ -73,6 +73,28 @@ jobs:
        run: |
          echo "depth=$((${{ github.event.pull_request.commits }} + 1))" >> $GITHUB_OUTPUT

+      # A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs.
+      # Provide handy URL for examination of secret leaks for all events that
+      # trigger this action.
+
+      - if: github.event_name == 'synchronize' || github.base_ref == ''
+        name: Provide URL showing code that needs human eyes (force-push or merge)
+        shell: bash
+        run: |
+          echo "Please review force-push or merged-pr changes for secret-leaks:"
+          before=$(jq -r -e '.before' $GITHUB_EVENT_PATH)
+          after=$(jq -r -e '.after' $GITHUB_EVENT_PATH)
+          echo "https://github.com/${{ github.repository }}/compare/${before}...${after}"
+
+      - if: github.event_name == 'opened'
+        name: Provide URL showing code that needs human eyes (newly opened PR)
+        shell: bash
+        run: |
+          echo "Please review new PR changes for secret-leaks:"
+          before=$(jq -r -e '.github.event.pull_request.base.sha' $GITHUB_EVENT_PATH)
+          after=$(jq -r -e '.github.event.pull_request.head.sha' $GITHUB_EVENT_PATH)
+          echo "https://github.com/${{ github.repository }}/compare/${before}...${after}"
+
      - name: Show important context details
        shell: bash
        run: |
@ -123,12 +145,11 @@ jobs:
          mkdir ${{ github.workspace }}/_report
          touch ${{ github.workspace }}/_report/gitleaks-report.json

-      # A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs
-      - name: Show content being scanned
+      - name: Log all content being scanned to file for archiving
        shell: bash
        run: |
          set -exuo pipefail
-          ${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }}
+          ${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }} >> ${{ github.workspace }}/git_commits.log

      # Unfortunately gitleaks provides several in-built ways to
      # completely bypass an alert within PR-level commits.  Assume
@ -183,12 +204,15 @@ jobs:
            $glfqin \
            detect $glargs --log-opts=${{ steps.gitlog.outputs.range }}

-      - name: Collect scan report artifact
+      - name: Collect git commits log and gitleaks scan report
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: gitleaks-report
-          path: ${{ github.workspace }}/_report/gitleaks-report.json
+          path: |
+            ${{ github.event_path }}
+            ${{ github.workspace }}/git_commits.log
+            ${{ github.workspace }}/_report/gitleaks-report.json

      # Nobody monitors the actions-tab for failures, and may not see this
      # fail on push to a nefarious PR.  Send an e-mail alert to unmask