Refresh after gitleaks rebranding (#63)

DariuszPorowski · web-flow · commit ce25b145d126 · 2023-03-26T11:00:23.000-07:00
- changed pointers new gitleaks repo (zricethezav/gitleaks -&gt;
gitleaks/gitleaks)
- changed action to self-build docker image instead of pulling from GH
packages
- changed gitleaks docker source to docker hub (looks like official ghcr
is not updated after the gitleaks rebranding)
- improved allowlisted for extended toml config
- added gitleaks `--baseline-path` support
- added dependabot support to the repo
- minor dev experience improvements
- files lint
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,20 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+
+[*.{cmd,bat}]
+end_of_line = crlf
+
+[*.{yml,yaml,md,js,ts}]
+indent_style = space
+indent_size = 2
+
+[*.toml]
+indent_style = space
+indent_size = 4
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,18 @@
+# Set default behaviour to automatically normalize line endings.
+* text=auto
+
+# Declare files that will always have LF line endings on checkout.
+*.sh text eol=lf
+
+# Declare files that will always have CRLF line endings on checkout.
+*.sln text eol=crlf
+*.{cmd,[cC][mM][dD]} text eol=crlf
+*.{bat,[bB][aA][tT]} text eol=crlf
+
+# Common files config
+*.md text eol=lf
+*.pdf binary
+*.gif binary
+*.ico binary
+*.jpg binary
+*.png binary
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "[github-actions] "
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "[docker] "
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -1,4 +1,4 @@
-name: docker
+name: Update docker
 
 on:
   push:
@@ -17,6 +17,7 @@ on:
 
 jobs:
   docker:
+    name: Cache latest docker image
     runs-on: ubuntu-latest
     steps:
       - name: Get repo owner
@@ -36,51 +37,51 @@ jobs:
       - name: Fetch Gitleaks the latest release
         id: gitleaks_latest_release
         run: |
-          gitleaks_latest_tag=$(gh api repos/zricethezav/gitleaks/releases/latest --jq .tag_name)
+          gitleaks_latest_tag=$(gh api repos/gitleaks/gitleaks/releases/latest --jq .tag_name)
           gitleaks_latest_semver=$(echo ${gitleaks_latest_tag} | tr -d "v")
           echo "tag=${gitleaks_latest_tag}" >>$GITHUB_OUTPUT
           echo "semver=${gitleaks_latest_semver}" >>$GITHUB_OUTPUT
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
 
       - name: Check - upgrade Gitleaks or not
         id: gitleaks_upgrade
-        if: github.event_name == 'schedule'
+        if: ${{ github.event_name == 'schedule' }}
         run: |
           pkgs=$(gh api /users/${{ steps.repo_owner.outputs.result }}/packages/container/${{ steps.repo_name.outputs.result }}/versions --jq '[.[] | select(.metadata.container.tags | index("${{ steps.gitleaks_latest_release.outputs.semver }}"))] | length')
           if [ $pkgs = 0 ]
           then
             echo "upgrade=true" >>$GITHUB_OUTPUT
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
 
       - name: Check - upgrade Docker image or not
         id: upgrade
-        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && steps.gitleaks_upgrade.outputs.upgrade == 'true')
+        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && steps.gitleaks_upgrade.outputs.upgrade == 'true') }}
         run: |
           echo "upgrade=true" >>$GITHUB_OUTPUT
 
       - name: Checkout Git repo
-        if: steps.upgrade.outputs.upgrade == 'true'
+        if: ${{ steps.upgrade.outputs.upgrade == 'true' }}
         uses: actions/checkout@v3
 
       # - name: Update config to the release version
-      #   if: steps.upgrade.outputs.upgrade == 'true'
+      #   if: ${{ steps.upgrade.outputs.upgrade == 'true' }}
       #   run: |
       #     curl --output "${GITHUB_WORKSPACE}/.gitleaks/gitleaks.toml" https://raw.githubusercontent.com/zricethezav/gitleaks/${{ steps.gitleaks_latest_release.outputs.tag }}/config/gitleaks.toml
 
       - name: Login to ghcr.io
         uses: docker/login-action@v2
-        if: steps.upgrade.outputs.upgrade == 'true'
+        if: ${{ steps.upgrade.outputs.upgrade == 'true' }}
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ github.token }}
 
       - name: Prepare Docker image metadata
         uses: docker/metadata-action@v4
-        if: steps.upgrade.outputs.upgrade == 'true'
+        if: ${{ steps.upgrade.outputs.upgrade == 'true' }}
         with:
           images: "ghcr.io/${{ steps.repo_owner.outputs.result }}/${{ steps.repo_name.outputs.result }}"
           flavor: latest=true
@@ -91,8 +92,8 @@ jobs:
         id: docker_image_metadata
 
       - name: Build and push Docker image
-        if: steps.upgrade.outputs.upgrade == 'true'
-        uses: docker/build-push-action@v3
+        if: ${{ steps.upgrade.outputs.upgrade == 'true' }}
+        uses: docker/build-push-action@v4
         with:
           tags: ${{ steps.docker_image_metadata.outputs.tags }}
           labels: ${{ steps.docker_image_metadata.outputs.labels }}
diff --git a/.github/workflows/dogfood.yml b/.github/workflows/dogfood.yml
@@ -1,10 +1,34 @@
-name: dog food
+name: dog food - tests
 
-on: [push, pull_request, workflow_dispatch]
+on: [push, pull_request, pull_request_target, workflow_dispatch]
+
+# Allow one concurrent deployment
+concurrency:
+  group: ${{ github.event_name }}-${{ github.base_ref }}-${{ github.head_ref || github.event.number }}
+  cancel-in-progress: true
 
 jobs:
+  ghdiag:
+    name: Run GitHub diagnostic
+    if: ${{ vars.ACTIONS_RUNNER_DEBUG || vars.ACTIONS_STEP_DEBUG }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dump
+        uses: actions/github-script@v6
+        with:
+          script: |
+            core.debug('!!! START github START !!!')
+            core.info(JSON.stringify(github, null, '  '))
+            core.debug('!!! END github END !!!')
+
+            core.debug('!!! START context START !!!')
+            core.info(JSON.stringify(context, null, '  '))
+            core.debug('!!! END context END !!!')
+      - run: printenv
+
   gitleaks:
     runs-on: ubuntu-latest
+    name: Run Gitleaks
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -13,7 +37,7 @@ jobs:
 
       - name: Run Gitleaks
         id: gitleaks
-        uses: DariuszPorowski/github-action-gitleaks@v2
+        uses: ./
         with:
           report_format: sarif
           fail: false
@@ -27,7 +51,7 @@ jobs:
           echo "report: ${{ steps.gitleaks.outputs.report }}"
 
       - name: Upload SARIF report
-        if: steps.gitleaks.outputs.exitcode == 1
+        if: ${{ steps.gitleaks.outputs.exitcode == 1 }}
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: ${{ steps.gitleaks.outputs.report }}
diff --git a/.gitleaks/UDMSecretChecks.toml b/.gitleaks/UDMSecretChecks.toml
@@ -2,7 +2,7 @@ title = "gitleaks config"
 
 [extend]
 # useDefault will extend the base configuration with the default gitleaks config:
-# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml
+# https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
 useDefault = true
 
 [[rules]]
@@ -331,18 +331,12 @@ path = '''\.(?:ps1|psm1|js|json|coffee|xml|js|md|html|py|php|java|ipynb|rb)$|hub
 
 [allowlist]
 description = "Allowlisted files"
-files = [
-    '''(.*?)(png|jpg|gif|tif|tiff|doc|docx|pdf|bin|xls|pyc|zip)$''',
+paths = [
+    '''(.*?)(png|tif|tiff|pyc)$''',
     '''buildsearchers.xml''',
-    '''^\.?gitleaks.toml$''',
-    '''^\.?UDMSecretChecks.toml$''',
-    '''^\.?UDMSecretChecksv8.toml$''',
-    '''^\.?GitleaksUdmCombo.toml$''',
-    '''gitleaks.toml''',
     '''UDMSecretChecks.toml''',
     '''UDMSecretChecksv8.toml''',
     '''GitleaksUdmCombo.toml''',
 ]
 commits = []
-paths = []
 repos = []
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
-FROM ghcr.io/zricethezav/gitleaks:latest
+FROM zricethezav/gitleaks:latest
+# FROM ghcr.io/zricethezav/gitleaks:latest
 
 LABEL "com.github.actions.name"="Gitleaks Scanner"
 LABEL "com.github.actions.description"="Runs Gitleaks in your CI/CD workflow"
@@ -9,4 +10,4 @@ LABEL "repository"="https://github.com/DariuszPorowski/github-action-gitleaks"
 COPY .gitleaks/* /.gitleaks/
 COPY entrypoint.sh /entrypoint.sh
 USER root
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/README.md b/README.md
@@ -2,29 +2,30 @@
 
 [![GitHub release (latest by date)](https://img.shields.io/github/v/release/DariuszPorowski/github-action-gitleaks)](https://github.com/DariuszPorowski/github-action-gitleaks/releases)
 
-This GitHub Action allows you to run [Gitleaks](https://github.com/zricethezav/gitleaks) in your CI/CD workflow.
+This GitHub Action allows you to run [Gitleaks](https://github.com/gitleaks/gitleaks) in your CI/CD workflow.
 
 > NOTE: v2 of this GitHub Action supports only the latest version of Gitleaks from v8 release.
 
 ## Inputs
 
-| Name          | Required | Type   | Default value                    | Description                                              |
-| ------------- | -------- | ------ | -------------------------------- | -------------------------------------------------------- |
-| source        | false    | string | $GITHUB_WORKSPACE                | Path to source (relative to $GITHUB_WORKSPACE)           |
-| config        | false    | string | /.gitleaks/UDMSecretChecks.toml  | Config file path (relative to $GITHUB_WORKSPACE)         |
-| report_format | false    | string | json                             | Report file format: json, csv, sarif                     |
-| no_git        | false    | bool   | false                            | Treat git repos as plain directories and scan those file |
-| redact        | false    | bool   | true                             | Redact secrets from log messages and leaks               |
-| fail          | false    | bool   | true                             | Fail if secrets founded                                  |
-| verbose       | false    | bool   | true                             | Show verbose output from scan                            |
-| log_level     | false    | string | info                             | Log level (debug, info, warn, error, fatal)              |
+| Name          | Required | Type   | Default value                   | Description                                                                      |
+|---------------|----------|--------|---------------------------------|----------------------------------------------------------------------------------|
+| source        | false    | string | $GITHUB_WORKSPACE               | Path to source (relative to $GITHUB_WORKSPACE)                                   |
+| config        | false    | string | /.gitleaks/UDMSecretChecks.toml | Config file path (relative to $GITHUB_WORKSPACE)                                 |
+| baseline_path | false    | string | *not set*                       | Path to baseline with issues that can be ignored (relative to $GITHUB_WORKSPACE) |
+| report_format | false    | string | json                            | Report file format: json, csv, sarif                                             |
+| no_git        | false    | bool   | *not set*                       | Treat git repos as plain directories and scan those file                         |
+| redact        | false    | bool   | true                            | Redact secrets from log messages and leaks                                       |
+| fail          | false    | bool   | true                            | Fail if secrets founded                                                          |
+| verbose       | false    | bool   | true                            | Show verbose output from scan                                                    |
+| log_level     | false    | string | info                            | Log level (trace, debug, info, warn, error, fatal)                               |
 
-> NOTE: The solution provides predefined configuration (See: [.gitleaks](https://github.com/DariuszPorowski/github-action-gitleaks/tree/main/.gitleaks) path). You can override it by yours config using relative to `$GITHUB_WORKSPACE`.
+> __NOTE:__ The solution provides predefined configuration (See: [.gitleaks](https://github.com/DariuszPorowski/github-action-gitleaks/tree/main/.gitleaks) path). You can override it by yours config using relative to `$GITHUB_WORKSPACE`.
 
 ## Outputs
 
 | Name     | Description                                            |
-| -------- | ------------------------------------------------------ |
+|----------|--------------------------------------------------------|
 | exitcode | Success (code: 0) or failure (code: 1) value from scan |
 | result   | Gitleaks result summary                                |
 | output   | Gitleaks log output                                    |
@@ -33,7 +34,7 @@ This GitHub Action allows you to run [Gitleaks](https://github.com/zricethezav/g
 
 ## Example usage
 
-> **NOTE:** You must use actions/checkout before the `github-action-gitleaks` step. If you are using `actions/checkout@v3` you must specify a commit depth other than the default which is 1.
+> __NOTE:__ You must use actions/checkout before the `github-action-gitleaks` step. If you are using `actions/checkout@v3` you must specify a commit depth other than the default which is 1.
 >
 > Using a `fetch-depth` of '0' clones the entire history. If you want to do a more efficient clone, use '2', but that is not guaranteed to work with pull requests.
 
@@ -62,13 +63,13 @@ This GitHub Action allows you to run [Gitleaks](https://github.com/zricethezav/g
     echo "report: ${{ steps.gitleaks.outputs.report }}"
 
 - name: Upload Gitleaks SARIF report to code scanning service
-  if: steps.gitleaks.outputs.exitcode == 1
+  if: ${{ steps.gitleaks.outputs.exitcode == 1 }}
   uses: github/codeql-action/upload-sarif@v2
   with:
     sarif_file: ${{ steps.gitleaks.outputs.report }}
 ```
 
-> **NOTE:** SARIF file uploads for code scanning is not available for everyone. Read GitHub docs ([Uploading a SARIF file to GitHub](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)) for more information.
+> __NOTE:__ SARIF file uploads for code scanning is not available for everyone. Read GitHub docs ([Uploading a SARIF file to GitHub](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)) for more information.
 
 ### With JSON report and custom rules config
 
@@ -82,7 +83,7 @@ This GitHub Action allows you to run [Gitleaks](https://github.com/zricethezav/g
   id: gitleaks
   uses: DariuszPorowski/github-action-gitleaks@v2
   with:
-    config: "MyGitleaksConfigs/MyGitleaksConfig.toml"
+    config: MyGitleaksConfigs/MyGitleaksConfig.toml
 
 - name: Upload Gitleaks JSON report to artifacts
   uses: actions/upload-artifact@v3
@@ -100,7 +101,7 @@ This GitHub Action allows you to run [Gitleaks](https://github.com/zricethezav/g
 
 ## Contributions
 
-If you have any feedback on `Gitleaks`, please reach out to [Zachary Rice](https://github.com/zricethezav) for creating and maintaining [Gitleaks](https://github.com/zricethezav/gitleaks).
+If you have any feedback on `Gitleaks`, please reach out to [Zachary Rice (@zricethezav)](https://github.com/zricethezav) for creating and maintaining [Gitleaks](https://github.com/gitleaks/gitleaks).
 
 Any feedback on the Gitleaks config for Azure `UDMSecretChecks.toml` file is welcome. Follow Jesse Houwing's GitHub repo - [gitleaks-azure](https://github.com/jessehouwing/gitleaks-azure).
 
diff --git a/action.yml b/action.yml
@@ -16,7 +16,10 @@ inputs:
     required: false
     default: "json"
   no_git:
-    description: "Treat git repos as plain directories and scan those file"
+    description: "Treat git repos as plain directories and scan those file (default: <not set>)"
+    required: false
+  baseline_path:
+    description: "Path to baseline with issues that can be ignored (relative to $GITHUB_WORKSPACE) (default: <not set>)"
     required: false
   redact:
     description: "Redact secrets from logs and stdout (default: true)"
@@ -31,7 +34,7 @@ inputs:
     required: false
     default: "true"
   log_level:
-    description: "Log level (debug, info, warn, error, fatal) (default: info)"
+    description: "Log level (trace, debug, info, warn, error, fatal) (default: info)"
     required: false
     default: "info"
 
@@ -49,4 +52,4 @@ outputs:
 
 runs:
   using: "docker"
-  image: "docker://ghcr.io/dariuszporowski/github-action-gitleaks:latest"
+  image: "Dockerfile"
diff --git a/entrypoint.sh b/entrypoint.sh
