Merge pull request #2 from addingwell/feat/add-gitleaks

feat: add gitleaks
addingwell · Oct 30, 2024 · be0da02 · be0da02
2 parents baeb7b8 + 4ffeedd
commit be0da02
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 0 deletions.
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -0,0 +1,16 @@
+name: gitleaks
+on:
+  pull_request:
+  push:
+jobs:
+  scan:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: "token"
diff --git a/README.md b/README.md
@@ -11,6 +11,7 @@ A simple plugin to create a visitor UUID server cookie named _aw_master_id.
     - [Bearer](#bearer)
     - [Add exception](#add-exception)
     - [Current exceptions](#current-exceptions)
+    - [Gitleaks](#gitleaks)
   - [Screenshots](#screenshots)
   - [Changelog](#changelog)
   - [Upgrade Notice](#upgrade-notice)
@@ -63,6 +64,33 @@ There are no exceptions yet.
 | ------------------------ | --------------------------- | --------------------- |
 | _Eg: php_lang_exception_ | _Eg: mastercookie/index.php:34_ | _Eg: Write justification_ |
 
+### Gitleaks
+
+To ensure the security of AddingWell’s codebase, this repository uses Gitleaks to scan and detect potential sensitive information leaks within version control. Gitleaks is an open-source static analysis tool that helps identify secrets and sensitive data, protecting against accidental exposure and improving the overall security of the development lifecycle.
+
+The implementation of Gitleaks in this repository allows you to:
+
+- Detect secrets such as API keys, credentials, and tokens that may have been accidentally committed to the repository.
+- Automate secret scanning across all branches and pull requests, ensuring sensitive data is identified early in the development process.
+- Continuously monitor and validate that sensitive information is not exposed in the repository, reducing the risk of data breaches.
+- Generate detailed reports on scan results, providing developers information to fix the problem.
+
+### Add exception
+
+Some Gitleaks detections may flag content that is not truly sensitive or is a false positive. In such cases, you can whitelist specific rules or files to prevent unnecessary alerts. To do so, comment the line where the secret is detected with this comment : `#gitleaks:allow`
+
+```
+SECRET=fake_password #gitleaks:allow
+```
+
+### Current exceptions
+
+| Secret id                                                                                                            | Justification             |
+|----------------------------------------------------------------------------------------------------------------------|---------------------------|
+
+
+| 💡 Id are formed like this : <commit_hash>:<file_path>:<secret_type>:<line>
+
 ## Screenshots
 
 1. No screenshots needed for this simple plugin.