
GitHub Action for Gitleaks


This GitHub Action allows you to run Gitleaks in your CI/CD workflow.

⚠️ v2 of this GitHub Action supports only the latest Gitleaks v8 release.

Inputs

| Name | Required | Type | Default value | Description |
|---|---|---|---|---|
| source | false | string | $GITHUB_WORKSPACE | Path to source (relative to $GITHUB_WORKSPACE) |
| config | false | string | /.gitleaks/UDMSecretChecks.toml | Config file path (relative to $GITHUB_WORKSPACE) |
| baseline_path | false | string | not set | Path to baseline with issues that can be ignored (relative to $GITHUB_WORKSPACE) |
| report_format | false | string | json | Report file format: json, csv, sarif |
| no_git | false | bool | not set | Treat git repos as plain directories and scan those files |
| redact | false | bool | true | Redact secrets from log messages and leaks |
| fail | false | bool | true | Fail if secrets are found |
| verbose | false | bool | true | Show verbose output from scan |
| log_level | false | string | info | Log level (trace, debug, info, warn, error, fatal) |

⚠️ The action ships with a predefined configuration (see the .gitleaks path). You can override it with your own config by setting `config` to a path relative to $GITHUB_WORKSPACE.

Outputs

| Name | Description |
|---|---|
| exitcode | Success (code: 0) or failure (code: 1) value from scan |
| result | Gitleaks result summary |
| output | Gitleaks log output |
| command | Gitleaks executed command |
| report | Report file path |

Example usage

⚠️ You must use actions/checkout before the github-action-gitleaks step. If you are using actions/checkout@v3, you must specify a commit depth other than the default, which is 1.

Using a fetch-depth of '0' clones the entire history. If you want to do a more efficient clone, use '2', but that is not guaranteed to work with pull requests.

Pull Request with comment

---
name: Secret Scan

on:
  pull_request:
  push:
    branches:
      - main

# allow one concurrency
concurrency:
  group: ${{ format('{0}-{1}-{2}-{3}-{4}', github.workflow, github.event_name, github.ref, github.base_ref, github.head_ref) }}
  cancel-in-progress: true

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Run Gitleaks
        id: gitleaks
        uses: DariuszPorowski/github-action-gitleaks@v2
        with:
          fail: false

      - name: Post PR comment
        uses: actions/github-script@v6
        if: ${{ steps.gitleaks.outputs.exitcode == 1 && github.event_name == 'pull_request' }}
        with:
          github-token: ${{ github.token }}
          script: |
            const { GITLEAKS_RESULT, GITLEAKS_OUTPUT } = process.env
            const output = `### ${GITLEAKS_RESULT}

            <details><summary>Log output</summary>

            ${GITLEAKS_OUTPUT}

            </details>
            `
            github.rest.issues.createComment({
              ...context.repo,
              issue_number: context.issue.number,
              body: output
            })
        env:
          GITLEAKS_RESULT: ${{ steps.gitleaks.outputs.result }}
          GITLEAKS_OUTPUT: ${{ steps.gitleaks.outputs.output }}

With SARIF report

- name: Checkout
  uses: actions/checkout@v3
  with:
    fetch-depth: 0

- name: Run Gitleaks
  id: gitleaks
  uses: DariuszPorowski/github-action-gitleaks@v2
  with:
    report_format: sarif
    fail: false

# (optional) It's just to see outputs from the Action
# please note, the OUTPUT has to be passed via env vars!
- name: Get the output from the gitleaks step
  run: |
    echo "exitcode: ${{ steps.gitleaks.outputs.exitcode }}"
    echo "result: ${{ steps.gitleaks.outputs.result }}"
    echo "command: ${{ steps.gitleaks.outputs.command }}"
    echo "report: ${{ steps.gitleaks.outputs.report }}"
    echo "output: ${GITLEAKS_OUTPUT}"
  env:
    GITLEAKS_OUTPUT: ${{ steps.gitleaks.outputs.output }}

- name: Upload Gitleaks SARIF report to code scanning service
  if: ${{ steps.gitleaks.outputs.exitcode == 1 }}
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: ${{ steps.gitleaks.outputs.report }}

⚠️ SARIF file uploads for code scanning are not available for everyone. Read the GitHub docs (Uploading a SARIF file to GitHub) for more information.

With JSON report and custom rules config

- name: Checkout
  uses: actions/checkout@v3
  with:
    fetch-depth: 0

- name: Run Gitleaks
  id: gitleaks
  uses: DariuszPorowski/github-action-gitleaks@v2
  with:
    config: MyGitleaksConfigs/MyGitleaksConfig.toml

- name: Upload Gitleaks JSON report to artifacts
  uses: actions/upload-artifact@v3
  if: failure()
  with:
    name: gitleaks
    path: ${{ steps.gitleaks.outputs.report }}

Additional rules

Jesse Houwing provided a Gitleaks config with most of Microsoft's deprecated CredScan rules. Consider using it if you need to scan projects based on Microsoft technologies or Azure Cloud.

Contributions

For feedback on Gitleaks itself, reach out to Zachary Rice (@zricethezav), who created and maintains Gitleaks.

Any feedback on the Gitleaks config for Azure (the UDMSecretChecks.toml file) is welcome; see Jesse Houwing's GitHub repo, gitleaks-azure.

Thanks to C.J. May (@lawndoc) for contributing 🤘

Any feedback or contribution to this project is welcome!

How do I remove a secret from Git's history?

GitHub has a great article on this using the BFG Repo Cleaner.


github-action-gitleaks's Issues

Bug introduced due to CVE-2022-24767 fix

This action is creating the following error when running this workflow in GitHub due to using a new version of git:

gitleaks detect --config /.gitleaks/GitleaksUdmCombo.toml --report-format json --redact --verbose --log-level info --report-path /github/workspace/gitleaks-report.json --source /github/workspace

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks 

3:11PM ERR fatal: unsafe repository ('/github/workspace' is owned by someone else)
3:11PM ERR To add an exception for this directory, call:
3:11PM ERR 
3:11PM ERR 	git config --global --add safe.directory /github/workspace

To Reproduce
Steps to reproduce the behavior:

Run the below workflow on any repo:

name: GitLeaks Secret Scan

on:
  push:
    branches:
      - $default-branch
  pull_request:
    branches:
      - $default-branch
  workflow_dispatch:
    branches:
      - $default-branch

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v1

      - name: Update Secret Definitions # from the GitLeaks main repository
        run: mkdir security && wget -P security/ https://raw.githubusercontent.com/zricethezav/gitleaks/master/config/gitleaks.toml

      - name: Run GitLeaks Scan
        id: gitleaks
        uses: DariuszPorowski/github-action-gitleaks@v2
        with:
          config-path: security/gitleaks.toml

Additional context
This issue appears to be a result of the fix for CVE-2022-24767 in git.

fatal: detected dubious ownership in repository at '/github/workspace'

Describe the bug
A clear and concise description of what the bug is.

When I used the github-action-gitleaks@v2 with source arg, the error occurred.

To Reproduce
Steps to reproduce the behavior:

  1. Use this action with the source arg set:
      - name: "Check for secrets with Gitleaks"
        id: gitleaks
        uses: DariuszPorowski/github-action-gitleaks@v2
        with:
          source: apis/poi
          config: gitleaksconfig.toml
          report_format: "sarif"
          fail: false
  2. The error occurred:
2:08AM ERR [git] fatal: detected dubious ownership in repository at '/github/workspace'
2:08AM ERR [git] To add an exception for this directory, call:
2:08AM ERR [git] 
2:08AM ERR [git] 	git config --global --add safe.directory /github/workspace
2:08AM ERR git error encountered, see logs
2:08AM WRN partial scan completed in 58.798585ms
2:08AM WRN no leaks found in partial scan

Expected behavior
A clear and concise description of what you expected to happen.

Do not cause an error when the source arg is set.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context

The reason for this error is CVE-2022-24765. I know that the code to fix CVE-2022-24765 is already implemented in entrypoint.sh, line 59.

git config --global --add safe.directory "${INPUT_SOURCE}"

But from the error message, it appears that this implementation needs to be changed as follows.

git config --global --add safe.directory /github/workspace
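The safe.directory exception Git asks for is the repository's top-level directory, so when `source` points at a subdirectory the value to whitelist has to be resolved back to the repo root. Added example, not the action's own entrypoint.sh: plain-shell helpers that do that resolution; the GITHUB_WORKSPACE / INPUT_SOURCE variable names are assumed from the log above.

```shell
#!/usr/bin/env bash
# Added example (not the action's own entrypoint.sh): choosing the directory to
# register as safe.directory when the "source" input points below the repo root.
#
# Git's fix for CVE-2022-24765 refuses to work in a repository whose top-level
# directory is owned by another user, and the exception it asks for is that
# top-level directory. In the action container the checkout is /github/workspace,
# so "source: apis/poi" must still whitelist /github/workspace, not apis/poi.
# Assumption: the workspace and source come from GITHUB_WORKSPACE / INPUT_SOURCE.

set -eu

# repo_root DIR: walk upwards from DIR until a .git entry is found (a directory,
# or a file for worktrees and submodules); print that directory, or fail.
repo_root() {
  dir=$(cd -- "$1" 2>/dev/null && pwd -P) || return 1
  while :; do
    if [ -e "$dir/.git" ]; then
      printf '%s\n' "$dir"
      return 0
    fi
    [ "$dir" = / ] && return 1
    dir=$(dirname -- "$dir")
  done
}

# safe_directory_for WORKSPACE SOURCE: resolve SOURCE (relative to WORKSPACE, as
# the action's inputs are) to the repository root that has to be whitelisted.
# Roots outside WORKSPACE are refused, so a stray ".." in the input cannot mark
# an unrelated directory on the runner as trusted.
safe_directory_for() {
  ws=$(cd -- "$1" && pwd -P)
  case $2 in
    /*) path=$2 ;;
    *)  path=$ws/$2 ;;
  esac
  root=$(repo_root "$path") || { echo "no git repository at or above $path" >&2; return 1; }
  case $root in
    "$ws"|"$ws"/*) printf '%s\n' "$root" ;;
    *) echo "refusing $root: outside workspace $ws" >&2; return 1 ;;
  esac
}

# mark_safe WORKSPACE SOURCE [PREFIX]: run the git config command the action
# needs; pass "echo" as PREFIX to print the command instead of executing it.
mark_safe() {
  dir=$(safe_directory_for "$1" "$2") || return 1
  ${3:-} git config --global --add safe.directory "$dir"
}
```

With `source: apis/poi` under a checkout at `/github/workspace`, `mark_safe "$GITHUB_WORKSPACE" "$INPUT_SOURCE"` whitelists `/github/workspace`, which is the directory the error message asks for.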

Pull Request head sha not correct

Describe the bug
When triggered by pull_request, both the GITHUB_REF_NAME and GITHUB_SHA default variables will reference the last merge commit of the pull request merge branch rather than the actual last commit to the head branch (see documentation). This causes pull request runs to scan 0 commits most of the time (see screenshots).

To Reproduce
Steps to reproduce the behavior:

  1. Create a branch in a repo with this workflow set up
  2. Create any number of regular commits in the repo
  3. Create a pull request
  4. Compare the last commit hash to the head commit hash used and check the number of commits scanned

Expected behavior
Gitleaks should be scanning from the last commit of the head branch

Screenshots
Workflow run

SHA of last commit on head branch that triggered the above workflow

Additional context
According to the documentation linked above, we should be able to get what we need from github.event.pull_request.head.sha, but it will probably need to be passed into the script somehow.

Action not working in Pull Request

When using the Action in a pull request workflow, the action fails with a generic Git error:


To Reproduce
Steps to reproduce the behavior:

Set up the following workflow, create a different branch, and open a pull request that kicks off the workflow:

name: GitLeaks Secret Scan

# It's recommended to leave the triggers like this
# to reduce workflows running on all branches. To
# catch committed secrets sooner, please install a
# pre-commit hook as shown at:
# https://github.com/zricethezav/gitleaks#pre-commit
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Code
      uses: actions/checkout@v1
    
    - name: Update Secret Definitions  # from the GitLeaks main repository
      run: mkdir security && wget -P security/ https://raw.githubusercontent.com/zricethezav/gitleaks/master/config/gitleaks.toml

    - name: Run GitLeaks Scan
      id: gitleaks
      uses: DariuszPorowski/github-action-gitleaks@v2
      with:
        config-path: security/gitleaks.toml

Ideas on root cause
Based on the error indicating that the git ref doesn't exist, this may be caused by the workflow not fetching the main branch during the pull request automation. I'll have to perform more testing to know for sure.

Action fails on `unknown flag: --version`

Describe the bug
Action does not work as it provides incorrect parameters to gitleaks (unknown flag: --version).

To Reproduce
Steps to reproduce the behavior:

  1. Use the example in readme in your workflow.
  2. Trigger a CI run
  3. Experience the error
Error: unknown flag: --version
----------------------------------
Usage:
INPUT PARAMETERS
----------------------------------
INPUT_PATH: /github/workspace
INPUT_CONFIG_PATH: /.gitleaks/gitleaks.toml
INPUT_ADDITIONAL_CONFIG: /.gitleaks/UDMSecretChecks.toml
INPUT_FORMAT: json
INPUT_BRANCH: 
INPUT_NO_GIT: 
s [command]
INPUT_REDACT: true
INPUT_DEPTH: 
INPUT_FAIL: true
INPUT_VERBOSE: true
INPUT_DEBUG: 

Available Commands:
  completion  generate the autocompletion script for the specified shell
----------------------------------
Running gitleaks 
----------------------------------
gitleaks --config-path=/.gitleaks/gitleaks.toml --additional-config=/.gitleaks/UDMSecretChecks.toml --format=json --redact --verbose --report=/github/workspace/gitleaks-report.json --path=/github/workspace --commits-file=/github/workspace/commits.txt
----------------------------------

Notice: SUCCESS! Your code is good to go
  detect      detect secrets in code
  help        Help about any command
  protect     protect secrets in code
  version     display gitleaks version

Flags:
  -c, --config string          config file path
                               order of precedence: 
                               1. --config/-c 
                               2. (--source/-s)/.gitleaks.toml
                               if --config/-c is not set and no (--source/s)/.gitleaks.toml is present 
                               then .gitleaks.toml will be written to (--source/-s)/.gitleaks.toml for future use
      --exit-code int          exit code when leaks have been encountered (default: 1) (default 1)
  -h, --help                   help for gitleaks
  -l, --log-level string       log level (debug, info, warn, error, fatal) (default "info")
      --redact                 redact secrets from logs and stdout
  -f, --report-format string   output format (json, csv, sarif)
  -r, --report-path string     report file
  -s, --source string          path to source (default: $PWD) (default ".")
  -v, --verbose                show verbose output from scan

eaks [command] --help" for more information about a command.

Error: unknown flag: --config-path
Usage:
s [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  detect      detect secrets in code
  help        Help about any command
  protect     protect secrets in code
  version     display gitleaks version

Flags:
  -c, --config string          config file path
                               order of precedence: 
                               1. --config/-c 
                               2. (--source/-s)/.gitleaks.toml
                               if --config/-c is not set and no (--source/s)/.gitleaks.toml is present 
                               then .gitleaks.toml will be written to (--source/-s)/.gitleaks.toml for future use
      --exit-code int          exit code when leaks have been encountered (default: 1) (default 1)
  -h, --help                   help for gitleaks
  -l, --log-level string       log level (debug, info, warn, error, fatal) (default "info")
      --redact                 redact secrets from logs and stdout
  -f, --report-format string   output format (json, csv, sarif)
  -r, --report-path string     report file
  -s, --source string          path to source (default: $PWD) (default ".")
  -v, --verbose                show verbose output from scan

eaks [command] --help" for more information about a command.

This was using the following definition:

  Gitleaks:
    runs-on: [self-hosted]
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: "0"

      - name: Run Gitleaks
        id: gitleaks
        uses: DariuszPorowski/github-action-gitleaks@v1

      - name: Upload Gitleaks JSON report to artifacts
        uses: actions/upload-artifact@v2
        if: failure()
        with:
          name: gitleaks
          path: ${{ steps.gitleaks.outputs.report }}

Expected behavior
Gitleaks to work

Screenshots
N/A
Additional context
N/A

Bug regression -- invalid git revision traversal

Hey @DariuszPorowski, it looks like this line regressed in this commit and brought back a bug that was dealt with in #62.

We are seeing the action fail again in some situations when the first commit reference doesn't exist (due to the ^ reference).


Was reverting from ... back to ^.. directly related to the fix for #64? It's hard to tell because there were lots of changes in the regression commit and I wasn't involved in that one.

doesn't check secrets on pr

github workflow log

----------------------------------
INPUT PARAMETERS
----------------------------------
INPUT_SOURCE: /github/workspace
INPUT_CONFIG: /.gitleaks/UDMSecretChecks.toml
INPUT_BASELINE_PATH: 
INPUT_REPORT_FORMAT: json
INPUT_NO_GIT: 
INPUT_REDACT: true
INPUT_FAIL: false
INPUT_VERBOSE: true
INPUT_LOG_LEVEL: info
----------------------------------
Setting Git safe directory (CVE-2022-24765)
git config --global --add safe.directory /github/workspace
----------------------------------
fatal: ambiguous argument 'refs/remotes/pull/123/merge': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'
Running gitleaks v8.18.1
----------------------------------
gitleaks detect --config /.gitleaks/UDMSecretChecks.toml --report-format json --redact --verbose --log-level info --report-path /github/workspace/gitleaks-report.json --source /github/workspace --log-opts "--no-merges --first-parent 4502a9e4df............0f73388c0cb3..."

Error: Unable to process file command 'output' successfully

Describe the bug
I am hitting the following error and have no idea what is wrong:

3:47PM INF 2 commits scanned.
3:47PM INF scan completed in 68.6ms
3:47PM WRN leaks found: 1
----------------------------------
Finding:     echo "REDACTED"
Secret:      REDACTED
RuleID:      github-pat
Entropy:     4.584184
File:        .github/workflows/secret-scan.yml
Line:        43
Commit:      c8b04300529deaf2761bb5eae8681f4e8966b361
Author:      **********
Email:       **************
Date:        2023-05-03T15:33:56Z
Fingerprint: c8b04303529feaf2761bb5eae8681f4e8966b361:.github/workflows/secret-scan.yml:github-pat:43
Warning: STOP! Gitleaks encountered leaks or error
Error: Unable to process file command 'output' successfully.
Error: Invalid format 'Secret:      REDACTED'

To Reproduce
I have just added a test GitHub token to the secret-scan workflow

name: Secret Scan
on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
  schedule:
    # runs every 15th of the month, at 08:00 UTC
    - cron: '0 8 15 * *'
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Run Gitleaks
        id: gitleaks
        uses: DariuszPorowski/github-action-gitleaks@v2
        with:
          report_format: sarif
          fail: false

      - name: Get the output from the gitleaks step
        run: |
          echo "exitcode: ${{ steps.gitleaks.outputs.exitcode }}"
          echo "result: ${{ steps.gitleaks.outputs.result }}"
          echo "output: ${{ steps.gitleaks.outputs.output }}"
          echo "command: ${{ steps.gitleaks.outputs.command }}"
          echo "report: ${{ steps.gitleaks.outputs.report }}"
          echo "ghp_SjxdFtKavVrfgp78gFfs8fVcgN5Yzt0Dq9zQ"

      - uses: actions/github-script@v6
        if: steps.gitleaks.outputs.exitcode == 1 && github.event.pull_request
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const output = `#### :fire: Gitleaks detected secrets
            ${{ steps.gitleaks.outputs.result }}
            <details><summary>Log output</summary>
            ${{ steps.gitleaks.outputs.output }}
            </details>
            `;
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })

The token is generated randomly locally.

Expected behavior
Action should proceed and add comment on the PR.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.
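The "Invalid format 'Secret:      REDACTED'" line is the runner rejecting a multi-line value that was appended to the $GITHUB_OUTPUT file as if it were a single name=value line. Added example, not the action's own code: shell helpers that write such a value with the heredoc form of the output file command and parse it back; that the action routes its `output` and `result` through $GITHUB_OUTPUT is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not the action's own entrypoint.sh): writing a multi-line value
# to the $GITHUB_OUTPUT file command without tripping the runner's "Invalid format".
#
# The runner parses $GITHUB_OUTPUT line by line as "name=value". A gitleaks log
# that spans many lines (Finding:, Secret:, RuleID:, ...) therefore has to use
# the heredoc form:   name<<DELIMITER / value lines / DELIMITER
# Assumption: the action's "output" and "result" values go through this file.

set -eu

# choose_delimiter VALUE: pick a delimiter that never occurs as a whole line in
# VALUE, so the runner cannot end the value early and a crafted log line cannot
# smuggle a second "name=value" assignment into the file.
choose_delimiter() {
  value=$1
  n=0
  while :; do
    delim="GHOUT_$$_$n"
    if ! printf '%s\n' "$value" | grep -qxF -- "$delim"; then
      printf '%s' "$delim"
      return 0
    fi
    n=$((n + 1))
  done
}

# set_output NAME VALUE [FILE]: append NAME to FILE (default: $GITHUB_OUTPUT),
# single-line form when VALUE has no newline, heredoc form otherwise.
set_output() {
  name=$1
  value=$2
  file=${3:-${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}}
  nl=$(printf '\nx'); nl=${nl%x}          # a literal newline for the pattern
  case $name in
    ''|*[!A-Za-z0-9_-]*) echo "set_output: bad output name '$name'" >&2; return 1 ;;
  esac
  case $value in
    *"$nl"*)
      delim=$(choose_delimiter "$value")
      {
        printf '%s<<%s\n' "$name" "$delim"
        printf '%s\n' "$value"
        printf '%s\n' "$delim"
      } >>"$file"
      ;;
    *) printf '%s=%s\n' "$name" "$value" >>"$file" ;;
  esac
}

# read_output NAME FILE: parse FILE the way the runner does (single-line and
# heredoc entries, last assignment wins) and print NAME's value. Included so the
# round trip can be checked locally; on GitHub the runner does this itself.
read_output() {
  awk -v want="$1" '
    delim != "" {                        # inside a heredoc value
      if ($0 == delim) { delim = ""; if (cap) found = 1 }
      else if (cap) { buf = buf sep $0; sep = "\n" }
      next
    }
    match($0, /^[A-Za-z0-9_-]+<</) {     # "name<<DELIM" starts a heredoc
      key = substr($0, 1, RLENGTH - 2); delim = substr($0, RLENGTH + 1)
      cap = (key == want); buf = ""; sep = ""; next
    }
    match($0, /^[A-Za-z0-9_-]+=/) {      # plain "name=value"
      if (substr($0, 1, RLENGTH - 1) == want) { buf = substr($0, RLENGTH + 1); found = 1 }
      next
    }
    END { if (found) printf "%s", buf }
  ' "$2"
}
```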

Missing ability to add `--logs-opts` parameter

Is your feature request related to a problem? Please describe.
Gitleaks itself has an option to pass log-opts to its commands. This GH action is missing this configuration option.

Quoted from https://github.com/gitleaks/gitleaks/blob/master/README.md#detect:

When running detect on a git repository, gitleaks will parse the output of a git log -p command (you can see how this executed [here](https://github.com/zricethezav/gitleaks/blob/7240e16769b92d2a1b137c17d6bf9d55a8562899/git/git.go#L17-L25)). 
[git log -p generates patches](https://git-scm.com/docs/git-log#_generating_patch_text_with_p) which gitleaks will use to detect secrets.
You can configure what commits git log will range over by using the --log-opts flag. --log-opts accepts any option for git log -p. 
For example, if you wanted to run gitleaks on a range of commits you could use the following command: gitleaks detect --source . --log-opts="--all commitA..commitB". 
See the git log [documentation](https://git-scm.com/docs/git-log) for more information.

Describe the solution you'd like
Being able to pass in log_opts or log-opts in the action configuration like this:

      ################
      # Run Gitleaks #
      ################
      - name: Run Gitleaks
        id: gitleaks
        uses: DariuszPorowski/github-action-gitleaks@v2
        with:
          log_opts: "my-branch --no-merges -p"

Describe alternatives you've considered
Currently one should be able to bypass this limitation by adding the log opts to the baseline_path like this: baseline_path: "${{ github.workspace }}/.gitleaks-baseline.json --log-opts='my-branch --no-merges -p'".

While this may work it's pretty ugly and only works in the main branch as this action already passes the log-opts when running inside a PR.

Gitleaks action fails when creating PR in new repo

On this line, the command passed to gitleaks for PRs compares with ^.. which will reference the previous commit on the base branch. This causes Gitleaks to reference a commit that doesn't exist when running on a PR for a repo with only one commit in the base branch.

Is there a reason this isn't .. instead? Would it cause any issues to change this?

Not a widely impactful bug, but I just want to understand what the intended behavior is in case I'm missing something.

Error on fetch-depth > 0

Describe the bug
Error on fetch-depth: '5'

5:25PM DBG using gitleaks config /.gitleaks/GitleaksUdmCombo.toml from `--config`
5:25PM DBG executing: /usr/bin/git -C /github/workspace log -p -U0 refs/remotes/origin/main^..cc6174683f810199398f6eff6f01c0778b9aaa39
5:25PM ERR fatal: ambiguous argument 'refs/remotes/origin/main^..cc6174683f810199398f6eff6f01c0778b9aaa39': unknown revision or path not in the working tree.
5:25PM ERR Use '--' to separate paths from revisions, like this:
5:25PM ERR 'git <command> [<revision>...] -- [<file>...]'
----------------------------------

Error: STOP! Gitleaks encountered leaks or error

To Reproduce
Steps to reproduce the behavior:

  1. Set fetch-depth:

    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: '5'
      - name: Run Gitleaks
        id: gitleaks
        uses: DariuszPorowski/github-action-gitleaks@v2
