🔒 Add Gitleaks Action for Secret Scanning #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

rtrofimenkov-ssdlc wants to merge 20 commits into main from feature/gitleaks

Contributor

rtrofimenkov-ssdlc commented Oct 7, 2025 •

edited

Loading

Description

Added a reusable Gitleaks scanning GitHub Action that provides flexible secret scanning capabilities for Deckhouse CI workflows.
The action supports two operation modes and includes built-in logic for diff-based analysis, full repository scans, and post-processing of results.

Features

Two scan modes:
- diff — scans only modified or newly added files and lines between the PR base and head commits (tree-only, without repository history).
- full — performs a complete scan of the entire repository.
Dynamic configuration detection: automatically loads gitleaks.toml if present in the repository; otherwise, runs with default Gitleaks rules.
Smart diff detection:
- Builds a temporary tree of changed files for PRs.
- Filters results to include only lines actually added in the diff.
- Ignores deleted, renamed, or unchanged files.
Comprehensive output:
- Prints detected findings in a clean, human-readable format in the workflow logs.
- Generates a Markdown summary table with links to files and lines in GitHub.
- Publishes the full gitleaks.json report as a workflow artifact.
Fail-on-leak logic:
- The job fails only when secrets are found (exit 1), not on internal scan errors.
- For testing purposes, can be configured to continue on error.
Compatibility and portability:
- Designed to be used in both standalone workflows and shared Deckhouse CI pipelines.
- Fully compatible with public and internal repositories.

Why do we need it, and what problem does it solve?

Previously, secret scanning logic was duplicated across workflows.
This modular Action consolidates all scanning functionality in one place, simplifying maintenance and ensuring consistent behavior across repositories.
It provides developers with fast feedback on possible secret leaks in pull requests and allows for deeper scans when required.

Why do we need it in the patch release (if we do)?

Not required.
This is an infrastructure and CI improvement that enhances security checks and can be delivered in a regular release.

Checklist

Implemented diff-based and full scan modes.
Verified automatic configuration detection and proper fallback behavior.
Confirmed that diff mode scans only changed files and added lines.
Validated summary and console outputs.
Verified fail-on-leak behavior and artifact generation.
Tested in sandbox repository with both modes.

Changelog entries

section: ci
type: feature
summary: "Add reusable Gitleaks scanning Action supporting diff and full repository modes with detailed reporting and fail-on-leak logic."
impact: "Introduces a universal secret scanning module used across Deckhouse workflows. Enables fast diff scans for PRs and full scans for scheduled or manual runs."
impact_level: low

rtrofimenkov-ssdlc requested a review from Nikolay1224 as a code owner

October 7, 2025 08:24

rtrofimenkov-ssdlc force-pushed the feature/gitleaks branch 3 times, most recently from aaebf3c to a4870b9 Compare

October 14, 2025 11:14

rtrofimenkov-ssdlc added 3 commits

October 14, 2025 16:53


          gitleaks action + caller

98ada5a

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          Add workflow_dispatch inputs to gitleaks action

1af5b3f

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          Add gitleaks self-test workflow configuration

77ac1ec

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

rtrofimenkov-ssdlc force-pushed the feature/gitleaks branch from 79673ae to b13e507 Compare

October 14, 2025 11:53

KraMorK approved these changes

View reviewed changes

himax1991 requested changes

View reviewed changes

go_linter/action.yaml Outdated

    
            @@ -1,39 +1,122 @@
          
              name: "Go linter"

              description: "Go linter"

              # gitleaks/action.yml

Collaborator

himax1991 Oct 14, 2025

Why we are replacing go linter action?

Contributor Author

rtrofimenkov-ssdlc Oct 14, 2025

Thanks a lot! That was definitely an accident. I’ve rebased to resolve the issue and cleaned up the branch.

rtrofimenkov-ssdlc added 17 commits

October 14, 2025 20:02


          action fix

3db1c31

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          path fix

684536d

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          added leaks finding in job output

3dc83f3

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          gitleaks action: deleted unneccessary envs

9dbd386

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          added README.md

62fa042

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          Remove Gitleaks self-test workflow and update action to support confi…

b144134

…gurable Gitleaks version. Enhance README with optional config details and usage examples.

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          (gitleaks): allow diff scan under pull_request_target

36b1b06

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          refactor(summary): rename section to "Secret findings" and remove res…

07378ff

…ult limit note

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          fix(gitleaks): scan PR head vs base on pull_request_target

c84aa14

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          feat(gitleaks): use tree-only mode for diff scans

774855f

Switch diff mode to --no-git to avoid false positives from git history.
Full mode remains unchanged for complete repository audits.

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          feat(gitleaks): enhance diff scan with PR patch collection

3879cf2

Implement a new step to collect added and modified files in PRs, allowing for a more targeted scan of changes. The patch map is generated to filter findings based on added lines, improving the accuracy of results in diff mode.

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          output fix

00265d3

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          syntax fix

f7b3f4a

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          stdoutfix

b6183bb

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          output fix

a127849

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          clean

3ac6cf3

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>


          README update

bd12889

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

rtrofimenkov-ssdlc force-pushed the feature/gitleaks branch from b13e507 to bd12889 Compare

October 14, 2025 15:04

rtrofimenkov-ssdlc requested a review from himax1991

October 14, 2025 15:09

himax1991 approved these changes

View reviewed changes

Taior approved these changes

View reviewed changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet