chore: use gitleaks for secret scanning (#610)

rudderlabs · Sep 4, 2024 · a8ac9a5 · a8ac9a5
1 parent aa1ac4f
commit a8ac9a5
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/.github/workflows/secret-scan.yaml b/.github/workflows/secret-scan.yaml
@@ -0,0 +1,20 @@
+name: secret-scan
+on:
+ pull_request:
+ push:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 13 * * *" # run once a day at 13:00 UTC
+jobs:
+ scan:
+ name: gitleaks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+ GITLEAKS_NOTIFY_USER_LIST: ${{ vars.GITLEAKS_NOTIFY_USER_LIST }}
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -0,0 +1,14 @@
+f0b67e93831d16b7f6618632ad44d718c8318b87:sftp/testdata/ssh/test_key:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:kafkaclient/testdata/client.key.pem:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:kafkaclient/testdata/ssh/test_key:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:kafkaclient/testdata/truststore/ca-key:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:testhelper/docker/resource/kafka/testdata/truststore/ca-key:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:testhelper/docker/resource/sshserver/testdata/test_key:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:testhelper/docker/resource/kafka/testdata/ssh/test_key:private-key:1
+fd02c1d3a32acfada23245a824d9238c9b5f9529:broker/kafka/testdata/client.key.pem:private-key:1
+fd02c1d3a32acfada23245a824d9238c9b5f9529:broker/kafka/testdata/ssh/test_key:private-key:1
+fd02c1d3a32acfada23245a824d9238c9b5f9529:broker/kafka/testdata/truststore/ca-key:private-key:1
+1dfc4115034e1b34fc9c1fa9d42ed61453092a89:testhelper/docker/resource/kafka/testdata/ssh/test_key:private-key:1
+98130e63de7c036b800977e694f8d2d7561f41d6:testhelper/docker/resource/kafka/testdata/truststore/ca-key:private-key:1
+2820fe4afd587f69d9d43b4e2724998e063b8c82:testhelper/docker/resource/sshserver/testdata/test_key:private-key:1
+c7b2e4ae3cde679f36228101162a8a63ac91e576:test_git_leaks_ci.txt:generic-api-key:1
diff --git a/Makefile b/Makefile
@@ -13,6 +13,7 @@ mockgen=go.uber.org/mock/mockgen@v0.4.0
 gotestsum=gotest.tools/gotestsum@v1.11.0
 protoc-gen-go=google.golang.org/protobuf/cmd/protoc-gen-go@v1.33.0
 protoc-gen-go-grpc=google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.3.0
+gitleaks=github.com/zricethezav/gitleaks/v8@v8.18.4
 
 default: lint
 
@@ -72,6 +73,12 @@ install-tools:
 .PHONY: lint
 lint: fmt ## Run linters on all go files
  $(GO) run $(GOLANGCI) run -v
+ @$(MAKE) sec
+
+.PHONY: sec
+sec: ## Run security checks
+ $(GO) run $(gitleaks) detect .
+ $(GO) run $(govulncheck) ./...
 
 .PHONY: fmt
 fmt: install-tools ## Formats all go files