From a604392630e9b3b92461bc622318b801c0baea40 Mon Sep 17 00:00:00 2001
From: Andy Newton
Date: Tue, 28 Apr 2026 14:56:30 +0100
Subject: [PATCH] feat: add reusable secrets-scan workflow + template

---
 .github/workflows/secrets-scan.yaml | 78 +++++++++++++++++++
 .../secrets-scan.properties.json | 7 ++
 workflow-templates/secrets-scan.yaml | 21 +++++
 3 files changed, 106 insertions(+)
 create mode 100644 .github/workflows/secrets-scan.yaml
 create mode 100644 workflow-templates/secrets-scan.properties.json
 create mode 100644 workflow-templates/secrets-scan.yaml

diff --git a/.github/workflows/secrets-scan.yaml b/.github/workflows/secrets-scan.yaml
new file mode 100644
index 0000000..484dfb5
--- /dev/null
+++ b/.github/workflows/secrets-scan.yaml
@@ -0,0 +1,78 @@
+name: Secrets scan
+
+# Reusable secrets-scan workflow for DVSA repositories.
+# Standardised on awslabs/git-secrets with the AWS provider patterns —
+# matches the convention used across DVSA (MOT, CVS, RSP, theory-test, …).
+#
+# Invoke from a repo via:
+#   jobs:
+#     secrets:
+#       uses: dvsa/.github/.github/workflows/secrets-scan.yaml@main
+
+on:
+  workflow_call:
+    inputs:
+      fail-on-detection:
+        description: Fail the job when leaks are found.
+        type: boolean
+        default: true
+      scan-history:
+        description: Also run `git secrets --scan-history` (full git log). Slower; off by default for PR runs.
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  git-secrets:
+    name: git-secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout (full history)
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Install git-secrets
+        run: |
+          set -euo pipefail
+          tmp="$(mktemp -d)"
+          git clone --quiet --depth 1 https://github.com/awslabs/git-secrets "$tmp"
+          sudo make -C "$tmp" install >/dev/null
+          git secrets --version || git --exec-path
+          # Register canonical AWS patterns into the workspace's repo config.
+          git secrets --register-aws
+
+      - name: Scan working tree
+        id: scan-tree
+        continue-on-error: ${{ !inputs.fail-on-detection }}
+        run: |
+          set +e
+          out="$(git secrets --scan -r 2>&1)"
+          rc=$?
+          if [ -n "$out" ]; then
+            printf '%s\n' "$out"
+          fi
+          if [ $rc -ne 0 ]; then
+            echo
+            echo "::error::git-secrets found potential secrets in the working tree."
+          fi
+          exit $rc
+
+      - name: Scan full history
+        if: ${{ inputs.scan-history }}
+        continue-on-error: ${{ !inputs.fail-on-detection }}
+        run: |
+          set +e
+          out="$(git secrets --scan-history 2>&1)"
+          rc=$?
+          if [ -n "$out" ]; then
+            printf '%s\n' "$out"
+          fi
+          if [ $rc -ne 0 ]; then
+            echo
+            echo "::error::git-secrets found potential secrets in repository history."
+          fi
+          exit $rc
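Review bot: The "Install git-secrets" step clones whatever is at the head of awslabs/git-secrets' default branch at run time and installs it as root via `sudo make install`, so every scan in every calling DVSA repo executes unreviewed upstream code, and the scan verdict itself is then produced by that code. Pin the tool to a reviewed commit and fetch exactly that object, as sketched below (substitute a commit you have inspected for the placeholder and bump it deliberately); `actions/checkout@v6` is likewise a mutable tag and the same SHA-pinning argument applies. The line `git secrets --version || git --exec-path` does not verify the install either — if `--version` is not a supported flag the fallback just prints a path and the step carries on — so a real check such as `git secrets --list >/dev/null` after `--register-aws` would be more useful. I believe `git secrets --scan` also honours a repo-level `.gitallowed` file, which means a pull request can allow-list a match in the same change that introduces it; a header comment along the lines of `# NOTE: matches can be silenced via .gitallowed — treat edits to that file as security-relevant in review.` would warn maintainers.

```yaml
      - name: Install git-secrets
        env:
          # Reviewed upstream commit; bump deliberately rather than tracking the default branch.
          GIT_SECRETS_SHA: "<reviewed-commit-sha>"
        run: |
          set -euo pipefail
          tmp="$(mktemp -d)"
          git init --quiet "$tmp"
          git -C "$tmp" fetch --quiet --depth 1 https://github.com/awslabs/git-secrets "$GIT_SECRETS_SHA"
          git -C "$tmp" checkout --quiet FETCH_HEAD
          sudo make -C "$tmp" install >/dev/null
          # … unchanged: --register-aws …
```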
diff --git a/workflow-templates/secrets-scan.properties.json b/workflow-templates/secrets-scan.properties.json
new file mode 100644
index 0000000..54b12c3
--- /dev/null
+++ b/workflow-templates/secrets-scan.properties.json
@@ -0,0 +1,7 @@
+{
+  "name": "Secrets scan (git-secrets)",
+  "description": "Scan the repository for committed secrets using awslabs/git-secrets with the canonical AWS pattern set. Calls the shared dvsa/.github reusable workflow.",
+  "iconName": "octicon shield-lock",
+  "categories": ["Security"],
+  "filePatterns": [".*"]
+}
diff --git a/workflow-templates/secrets-scan.yaml b/workflow-templates/secrets-scan.yaml
new file mode 100644
index 0000000..44e4e79
--- /dev/null
+++ b/workflow-templates/secrets-scan.yaml
@@ -0,0 +1,21 @@
+name: Secrets scan
+
+on:
+  pull_request:
+  push:
+    branches: [main, master]
+  schedule:
+    # Weekly on Monday at 00:00 UTC, matching workflow-templates/php-security.yml.
+    - cron: 0 0 * * 1
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  secrets:
+    uses: dvsa/.github/.github/workflows/secrets-scan.yaml@main
+    with:
+      # Run a full-history scan on the weekly cron only (fast on PRs).
+      scan-history: ${{ github.event_name == 'schedule' }}
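Review bot: A manual `workflow_dispatch` run never performs the full-history scan, because `scan-history` is true only when the event is `schedule`, so the one time a maintainer wants the slow scan on demand (after a suspected leak, or when onboarding a repo) they have to wait for Monday. Extend the expression to `scan-history: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}`, or add a dispatch input that feeds it. `pull-requests: read` is granted here but nothing in the called workflow reads pull requests — only the checkout needs `contents: read` — so drop it for least privilege. The cron string is conventionally quoted, `- cron: '0 0 * * 1'`, matching GitHub's own examples and keeping formatters from reinterpreting it.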