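name: Daily Secrets Detection

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it as a key.
on: # yamllint disable-line rule:truthy
  schedule:
    # Run daily at 9:00 AM UTC
    - cron: '0 9 * * *'
  workflow_dispatch: # Allow manual triggering

# Least privilege: the job token can only read repository contents; id-token
# is needed so Chainloop can obtain an OIDC token for the attestation.
permissions:
  contents: read
  id-token: write # Required for SLSA attestation

jobs:
  onboard_workflow:
    name: Onboard Chainloop Workflow
    # Reusable workflow pinned to a full commit SHA (immutable reference).
    uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@6bbd1c2b3022e48ae60afa0c2b90f3b6d31bcf11
    with:
      project: "chainloop"
      workflow_name: "daily-secrets-detection"
    secrets:
      api_token: ${{ secrets.CHAINLOOP_TOKEN }}

  daily-secrets-scan:
    name: Daily Secrets Scan
    needs: onboard_workflow
    runs-on: ubuntu-latest
    env:
      CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
      # Workflow/project names come from the onboarding job's outputs.
      CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }}
      CHAINLOOP_PROJECT_NAME: ${{ needs.onboard_workflow.outputs.project_name }}
    steps:
      # NOTE(review): referenced by floating tag while the reusable workflow above is
      # SHA-pinned; consider pinning this action to a commit SHA for consistency.
      # The default shallow checkout is sufficient here: `gitleaks dir` scans the
      # working tree, not git history.
      - uses: actions/checkout@v4

      - name: Install Chainloop
        # Explicit `bash` enables pipefail: a failed download no longer feeds an
        # empty stream to `bash` and silently reports success.
        shell: bash
        run: |
          curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --ee

      - name: Initialize Attestation
        run: |
          chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT_NAME}

      - name: Install Gitleaks
        # TODO(review): the archive is trusted on TLS alone; verify it against the
        # release checksum (e.g. `sha256sum -c`) before installing.
        shell: bash
        run: |
          wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
          mkdir -p /tmp/gitleaks-install
          tar -xzf gitleaks_8.30.0_linux_x64.tar.gz -C /tmp/gitleaks-install
          sudo install /tmp/gitleaks-install/gitleaks /usr/local/bin/
          rm -rf /tmp/gitleaks-install gitleaks_8.30.0_linux_x64.tar.gz
          gitleaks version

      - name: Run Gitleaks Scan
        # Findings must not fail the job (the report is attested either way), so
        # `--exit-code 0` neutralises the "leaks found" exit status. Unlike the
        # former `|| true`, a scanner crash, bad config or missing flag still fails
        # the step instead of attesting an absent or truncated report.
        # NOTE(review): gitleaks JSON findings include the matched string; treat
        # the report as sensitive material.
        shell: bash
        run: |
          gitleaks dir . \
            --report-format json \
            --report-path gitleaks-report.json \
            --config .github/workflows/utils/.gitleaks.toml \
            --exit-code 0

      - name: Add Gitleaks Report to Attestation
        run: |
          chainloop attestation add \
            --name gitleaks-scan \
            --value gitleaks-report.json \
            --kind GITLEAKS_JSON

      - name: Finish and Push Attestation
        if: ${{ success() }}
        run: |
          chainloop attestation push

      # The two reset steps below run only when an earlier step failed or the run
      # was cancelled, so no partial attestation is left open.
      - name: Mark attestation as failed
        if: ${{ failure() }}
        run: |
          chainloop attestation reset

      - name: Mark attestation as cancelled
        if: ${{ cancelled() }}
        run: |
          chainloop attestation reset --trigger cancellation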