runleaks
ActionsTags
(2)
Leverages git-secrets to identify potential leaks in GitHub action run logs.
- Common Azure and Google Cloud patterns are available, thanks to fork msalemcode/git-secrets.
github-token:
description: 'Token used to login to GitHub'
required: true
repo:
description: 'Repo to scan run logs for exceptions'
required: false
default: ${{ github.repository }}
run-limit:
description: 'Limit on how many runs to scan'
required: false
default: '50'
min-days-old:
description: 'Min age of runs in days'
required: false
default: '0'
max-days-old:
description: 'Max age of runs in days'
required: false
default: '3'
patterns-path:
description: 'Patterns file path'
required: false
default: ".runleaks/patterns.txt"
exclusions-path:
description: 'Excluded patterns file path'
required: false
default: ".runleaks/exclusions.txt"
fail-on-leak:
description: 'Fail action if leak is found'
required: false
default: true exceptions:
description: 'Json output of run logs with exceptions'
count:
description: 'Count of exceptions'- Note: GitHub rate limits
- name: Checkout
uses: actions/checkout@v3
- name: Scan run logs
uses: josiahsiegel/runleaks@v1
id: scan
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
run-limit: 500
fail-on-leak: false
- name: Get scan exceptions
if: steps.scan.outputs.count > 0
run: echo "${{ steps.scan.outputs.exceptions }}"or
- name: Checkout
uses: actions/checkout@v3
- name: Scan run logs
uses: josiahsiegel/runleaks@v1
id: scan
with:
github-token: ${{ secrets.MY_TOKEN }}
patterns-path: ".github/patterns.txt"
exclusions-path: ".github/exclusions.txt"
fail-on-leak: false
- name: Get scan exceptions
if: steps.scan.outputs.count > 0
run: echo "${{ steps.scan.outputs.exceptions }}"or
- name: Checkout
uses: actions/checkout@v3
with:
repository: 'me/my-repo'
- name: Scan run logs
uses: josiahsiegel/runleaks@v1
id: scan
with:
github-token: ${{ secrets.MY_TOKEN }}
repo: 'me/my-repo'
run-limit: 200
min-days-old: 0
max-days-old: 4
fail-on-leak: true- Registers default patterns
git clone https://github.com/JosiahSiegel/runleaks.git
cd runleaks/
docker build -t runleaks .
docker run scan "<PERSONAL_ACCESS_TOKEN>" "<REPO>" <RUN_LIMIT> <MIN_DAYS_OLD> <MAX_DAYS_OLD>- Default location:
.runleaks/patterns.txt
####################################################################
# Register a secret provider
#--register-azure
#--register-gcp
--register-aws
####################################################################
# Add a prohibited pattern
--add [A-Z0-9]{20}
--add Account[k|K]ey
--add Shared[a|A]ccessSignature
####################################################################
# Add a string that is scanned for literally (+ is escaped):
--add --literal foo+bar
####################################################################
- Default location:
.runleaks/exclusions.txt
####################################################################
# Add regular expressions patterns to filter false positives.
# Allow GUID
("|')[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}("|')
####################################################################
-
Scan 50 runs = 1 min
-
Scan 500 runs = 8 mins
-
Scan 3000 runs = 50 mins
Built-in secret GITHUB_TOKEN is limited to 1,000 requests per hour per repository.
To avoid repo-wide rate limiting, personal access tokens can be added to secrets, which are limited to 5,000 requests per hour and per authenticated user.
runleaks is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
Tags
(2)runleaks is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.