feat: add reusable secrets-scan workflow + template

.github/workflows/secrets-scan.yaml

@@ -0,0 +1,78 @@
+name: Secrets scan
+
+# Reusable secrets-scan workflow for DVSA repositories.
+# Standardised on awslabs/git-secrets with the AWS provider patterns —
+# matches the convention used across DVSA (MOT, CVS, RSP, theory-test, …).
+#
+# Invoke from a repo via:
+#   jobs:
+#     secrets:
+#       uses: dvsa/.github/.github/workflows/secrets-scan.yaml@main
+
+on:
+  workflow_call:
+    inputs:
+      fail-on-detection:
+        description: Fail the job when leaks are found.
+        type: boolean
+        default: true
+      scan-history:
+        description: Also run `git secrets --scan-history` (full git log). Slower; off by default for PR runs.
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  git-secrets:
+    name: git-secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout (full history)
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Install git-secrets
+        run: |
+          set -euo pipefail
+          tmp="$(mktemp -d)"
+          git clone --quiet --depth 1 https://github.com/awslabs/git-secrets "$tmp"
+          sudo make -C "$tmp" install >/dev/null
+          git secrets --version || git --exec-path
+          # Register canonical AWS patterns into the workspace's repo config.
+          git secrets --register-aws
+
+      - name: Scan working tree
+        id: scan-tree
+        continue-on-error: ${{ !inputs.fail-on-detection }}
+        run: |
+          set +e
+          out="$(git secrets --scan -r 2>&1)"
+          rc=$?
+          if [ -n "$out" ]; then
+            printf '%s\n' "$out"
+          fi
+          if [ $rc -ne 0 ]; then
+            echo
+            echo "::error::git-secrets found potential secrets in the working tree."
+          fi
+          exit $rc
+
+      - name: Scan full history
+        if: ${{ inputs.scan-history }}
+        continue-on-error: ${{ !inputs.fail-on-detection }}
+        run: |
+          set +e
+          out="$(git secrets --scan-history 2>&1)"
+          rc=$?
+          if [ -n "$out" ]; then
+            printf '%s\n' "$out"
+          fi
+          if [ $rc -ne 0 ]; then
+            echo
+            echo "::error::git-secrets found potential secrets in repository history."
+          fi
+          exit $rc

workflow-templates/secrets-scan.properties.json

@@ -0,0 +1,7 @@
+{
+  "name": "Secrets scan (git-secrets)",
+  "description": "Scan the repository for committed secrets using awslabs/git-secrets with the canonical AWS pattern set. Calls the shared dvsa/.github reusable workflow.",
+  "iconName": "octicon shield-lock",
+  "categories": ["Security"],
+  "filePatterns": [".*"]
+}

workflow-templates/secrets-scan.yaml

@@ -0,0 +1,21 @@
+name: Secrets scan
+
+on:
+  pull_request:
+  push:
+    branches: [main, master]
+  schedule:
+    # Weekly on Monday at 00:00 UTC, matching workflow-templates/php-security.yml.
+    - cron: 0 0 * * 1
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  secrets:
+    uses: dvsa/.github/.github/workflows/secrets-scan.yaml@main
+    with:
+      # Run a full-history scan on the weekly cron only (fast on PRs).
+      scan-history: ${{ github.event_name == 'schedule' }}