Detect secrets #3
Signed-off-by: ms280690 <mehul@sparkgeo.com>
Pull request overview
This PR adds comprehensive secret detection capabilities to the repository by implementing a GitHub Actions workflow that integrates seven different security scanning tools (Gitleaks, TruffleHog, detect-secrets, git-secrets, Talisman, credential-digger, and kingfisher).
- Implements a reusable GitHub Action for secret scanning with multiple industry-standard tools
- Creates a workflow that triggers on pushes and pull requests to the main branch
- Generates combined scan results as workflow artifacts for review
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| .gitignore | Adds .venv to ignore virtual environment directories |
| .github/workflows/detect-secrets.yaml | Defines the workflow trigger and permissions for the secret scanning pipeline |
| .github/actions/detect-secrets/action.yaml | Implements the composite action that installs and runs all seven secret detection tools |
| default: ${{ github.token }} | ||
| gitleaks-license: | ||
| description: Gitleaks license key for enterprise features | ||
| required: true |
Copilot
AI
Dec 28, 2025
The 'gitleaks-license' input is marked as required but has a default value of empty string. An input cannot be both required and have an empty default. Either set 'required: false' if the license is optional, or remove the default value if it's truly required.
| required: true | |
| required: false |
| shell: bash | ||
| run: | | ||
| set -euo pipefail | ||
| TRH_VER=3.92.4 |
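Review bot: keep TRH_VER pinned rather than resolving 'latest' from the releases API at run time as the comment below suggests; an unpinned install executes whatever upstream has just published and makes two runs of the same workflow non-reproducible. Expose the version as an action input with 3.92.4 as its default, and record the release's published checksum next to it so the pinned download can actually be verified in the install step.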
Copilot
AI
Dec 28, 2025
The TruffleHog version is hardcoded as '3.92.4' in the script. This makes it difficult to maintain and update. Consider extracting this as an input parameter with a default value, or using 'latest' from the GitHub releases API to avoid manually updating version numbers.
| continue-on-error: true | ||
| shell: bash | ||
| run: | | ||
| set -euo pipefail |
Copilot
AI
Dec 28, 2025
The step uses 'set -euo pipefail' for strict error handling, but the parent step has 'continue-on-error: true' which negates the benefit of strict error handling. If installation fails, it will continue silently. This creates inconsistent error handling behavior.
| set -euo pipefail |
| - name: Install TruffleHog v3 binary | ||
| continue-on-error: true |
Copilot
AI
Dec 28, 2025
The TruffleHog installation uses 'continue-on-error: true' which means if the installation fails, the workflow will continue without running TruffleHog. This silently skips the scan if installation fails. Consider moving this flag to the 'Run TruffleHog' step instead, or add explicit validation that the binary was installed successfully before attempting to run it.
| install "$TMPDIR/trufflehog" "$RUNNER_TEMP/trufflehog" | ||
| chmod +x "$RUNNER_TEMP/trufflehog" |
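Review bot: the `chmod +x` line is redundant, since `install` already copies the file with mode 0755 (write `install -m 0755 ...` if you want the mode explicit). The real gap in this hunk is that `$RUNNER_TEMP` is not on PATH, so the run step has to reference the full path and nothing checks that the file exists; appending the target directory to `$GITHUB_PATH` makes the binary visible to later steps and lets a presence check fail with a clear message before the scan is attempted.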
Copilot
AI
Dec 28, 2025
The TruffleHog binary is installed to a temporary directory using '$RUNNER_TEMP' but is not added to the PATH. If the subsequent 'Run TruffleHog' step fails to execute, it will be difficult to debug whether the issue is a missing binary or an actual scan failure. Consider adding the binary to a well-known location or validating its presence before the scan step.
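The explicit validation that the three Copilot comments above ask for (fail the install step loudly, confirm the binary is usable, and only then decide whether to run the scan), as an added example that is not part of this PR: a POSIX shell helper the install and check steps could source. It assumes the install steps are changed to drop every scanner binary into one directory (TOOLS_DIR, an assumed name) and uses the GITHUB_PATH and GITHUB_OUTPUT environment files and the `::error::` annotation that GitHub Actions provides.

```shell
#!/bin/sh
# Added example (not the PR's code): validate that a scanner binary is really
# usable before the scan step runs, instead of letting continue-on-error hide
# a failed install. Fail-fast: any unexpected error aborts the step.
set -eu

# Directory the install steps put binaries into (assumed layout). Outside
# GitHub Actions RUNNER_TEMP is unset, so fall back to /tmp.
TOOLS_DIR="${TOOLS_DIR:-${RUNNER_TEMP:-/tmp}/secret-scanners}"

# publish_tools_dir: make TOOLS_DIR visible to every later step. Under Actions
# this appends to GITHUB_PATH; locally it just extends PATH for this shell.
publish_tools_dir() {
  mkdir -p "$TOOLS_DIR"
  if [ -n "${GITHUB_PATH:-}" ]; then
    echo "$TOOLS_DIR" >> "$GITHUB_PATH"
  fi
  PATH="$TOOLS_DIR:$PATH"
  export PATH
}

# check_tool NAME [VERSION_FLAG]
# Returns 0 when "$TOOLS_DIR/NAME" exists, is executable and answers a version
# query; otherwise prints a precise diagnostic (as an Actions error annotation)
# and returns 1. Also records "<name>-available=true|false" in GITHUB_OUTPUT so
# the scan step can be gated with:
#   if: steps.<check-step-id>.outputs.<name>-available == 'true'
check_tool() {
  name="$1"
  flag="${2:---version}"
  bin="$TOOLS_DIR/$name"
  status=false
  if [ ! -e "$bin" ]; then
    echo "::error::$name: no binary at $bin (install step skipped or failed)" >&2
  elif [ ! -x "$bin" ]; then
    echo "::error::$name: $bin exists but is not executable" >&2
  elif ! "$bin" "$flag" >/dev/null 2>&1; then
    echo "::error::$name: $bin is present but '$flag' failed (truncated or wrong-arch download?)" >&2
  else
    status=true
  fi
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    echo "${name}-available=${status}" >> "$GITHUB_OUTPUT"
  fi
  [ "$status" = true ]
}
```

With this in place the install step keeps `set -euo pipefail` and drops `continue-on-error`, a separate check step calls `check_tool trufflehog` (and the same for the other six tools), and the "Run TruffleHog" step carries both the `if:` gate on the recorded output and, if the scan itself is allowed to be advisory, the `continue-on-error: true`. A failed download then shows up as a red install step with a named cause rather than as a scan that silently never ran.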
| - name: Install Talisman | ||
| shell: bash | ||
| run: bash -c "$(curl --silent https://raw.githubusercontent.com/thoughtworks/talisman/main/install.sh)" |
Copilot
AI
Dec 28, 2025
Installing software by piping curl output directly to bash poses a security risk as it executes arbitrary code from a remote source without validation. Consider downloading the script first, reviewing it, and then executing it, or use a specific versioned release with checksum verification.
| run: bash -c "$(curl --silent https://raw.githubusercontent.com/thoughtworks/talisman/main/install.sh)" | |
| run: | | |
| set -euo pipefail | |
| curl --fail --show-error --silent --location \ | |
| -o /tmp/talisman-install.sh \ | |
| https://raw.githubusercontent.com/thoughtworks/talisman/main/install.sh | |
| bash /tmp/talisman-install.sh |
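Review bot: the suggested replacement still executes whatever is at `main` of the upstream repository at the moment the job runs, so it turns `curl | bash` into a two-line equivalent without adding any verification; the download should target a tagged release (or a specific commit) and its published checksum should be checked before `bash` is invoked. The added `--fail` is the one real improvement here, since without it an HTTP error body would otherwise be fed to bash as the script.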
| - name: Install kingfisher | ||
| shell: bash | ||
| run: curl --silent --location https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash |
Copilot
AI
Dec 28, 2025
Installing software by piping curl output directly to bash poses a security risk as it executes arbitrary code from a remote source without validation. Consider downloading the script first, reviewing it, and then executing it, or use a specific versioned release with checksum verification.
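The pinned, checksum-verified install that both `curl | bash` comments (Talisman above and kingfisher here) recommend, as an added example that is not part of this PR or of either upstream project: a POSIX shell helper the install steps could use for any release asset. The version tag, asset name and digest are placeholders to be taken from the upstream release page and committed next to the version; `sha256sum`/`shasum` and `install` are assumed to be present on the runner.

```shell
#!/bin/sh
# Added example (not the PR's code): replace `curl ... | bash` with a pinned
# release asset whose SHA-256 is checked before anything is executed.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE with whichever tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED: return 0 if the digest matches (hex case is
# ignored). On mismatch the file is deleted so no later step can run the
# unverified copy, an Actions error annotation is printed, and 1 is returned.
verify_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "::error::checksum mismatch for $file: expected $expected, got $actual" >&2
  rm -f "$file"
  return 1
}

# fetch_verified URL EXPECTED_SHA256 DEST: download to a private temp file,
# failing on HTTP errors instead of saving an error page, verify, then install
# with mode 0755 at DEST. Under `set -e` a mismatch aborts the whole step.
fetch_verified() {
  url="$1"
  expected="$2"
  dest="$3"
  tmp=$(mktemp)
  curl --fail --silent --show-error --location --retry 3 -o "$tmp" "$url"
  verify_sha256 "$tmp" "$expected"
  install -m 0755 "$tmp" "$dest"
  rm -f "$tmp"
}

# How an install step would use it (placeholders, not real values):
#   TOOL_TAG="vX.Y.Z"                                  # release tag, pinned
#   TOOL_ASSET="<asset file name from the release page>"
#   TOOL_SHA256="<digest from the release's checksums file>"
#   fetch_verified \
#     "https://github.com/<org>/<repo>/releases/download/${TOOL_TAG}/${TOOL_ASSET}" \
#     "$TOOL_SHA256" "$RUNNER_TEMP/<tool>"
```

The digest is committed alongside the version, so updating a tool is a reviewable diff of two lines, and a changed artifact under the same tag (or a compromised download path) fails the step rather than running. For projects that only ship an install script, the same helper can fetch the script at a pinned commit and verify it before the `bash` call, which is what the Talisman suggestion above is missing.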
Scan the repository for secrets using the following tools: