CDCgov / prime-reportstream

ReportStream is a public intermediary tool for delivery of data between different parts of the healthcare ecosystem.
https://reportstream.cdc.gov
Creative Commons Zero v1.0 Universal

Importing JosiahSiegel GHA: runleaks@v1.3 #16015

Open devopsmatt opened 1 month ago

devopsmatt commented 1 month ago

Profile: JosiahSiegel

Objective: Leverages git-secrets to identify potential leaks in GitHub Action run logs. Common Azure and Google Cloud patterns are available, thanks to the fork msalemcode/git-secrets.

Target: runleaks@v1.3 : 4dd30d1

The runleaks GitHub Action is designed to enhance security by scanning GitHub Actions run logs for potential leaks of sensitive information, such as secrets or credentials. It leverages the git-secrets tool to identify patterns that may indicate the exposure of confidential data.

Key Features:

Inputs:

Outputs:

Technical Evaluation:

The action operates by performing the following steps:

  1. Repository Checkout: Uses actions/checkout@v3 to access the repository.
  2. Log Retrieval: Fetches the specified number of workflow runs within the defined date range.
  3. Log Analysis: Downloads and scans the logs of these runs using git-secrets with the provided patterns and exclusions.
  4. Leak Detection: Identifies and reports any detected leaks, outputting the results in JSON format and providing a count of exceptions.

Usage Example:

- name: Checkout
  uses: actions/checkout@v3

- name: Scan run logs
  uses: josiahsiegel/runleaks@v1
  id: scan
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    run-limit: 500
    fail-on-leak: false

- name: Get scan exceptions
  if: steps.scan.outputs.count > 0
  run: echo "${{ steps.scan.outputs.exceptions }}"

Relevance to Your Pipeline:

If your pipeline processes sensitive information or if there's a risk of secrets being exposed in logs, the runleaks action is crucial. It helps in proactively identifying and mitigating potential security risks by scanning logs for unintended disclosures. Implementing this action can enhance your security posture by ensuring that confidential data is not inadvertently exposed through workflow logs.

Conclusion:

The runleaks GitHub Action provides a valuable security measure by detecting potential leaks of sensitive information in workflow run logs. Its implementation can help maintain the confidentiality and integrity of your project's data. Given its focus on security, integrating this action into your pipeline is advisable to safeguard against unintended information exposure.
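As an added illustration of the flow described in the evaluation above (patterns plus exclusions applied to downloaded run logs, a JSON list of exceptions and a count, and a fail-on-leak exit), the following Python sketch is not the runleaks action's own scan.sh, which wraps git-secrets. Every pattern, exclusion and log line here is constructed for the example; the real action reads its patterns and exclusions from the patterns/exclusions files referenced by the inputs. One deliberate difference worth noting when wiring such a scanner into a pipeline: the report redacts each match, so the scan output, which itself lands in a run log, does not become a second copy of the secret.

```python
"""Toy log-leak scanner modelled on the runleaks flow:
patterns + exclusions -> scan log lines -> JSON report with a count.
Constructed example; not the runleaks action's scan.sh or git-secrets."""
import json
import re

# Constructed detection patterns (illustrative; not the action's patterns.txt).
PATTERNS = {
    "aws_access_key_id": r"\bAKIA[0-9A-Z]{16}\b",
    "generic_password_assignment": r"(?i)\bpassword\s*[=:]\s*\S+",
    "bearer_token": r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}",
}

# Constructed exclusions (allowlist), playing the role of exclusions.txt:
# a line matching any of these is skipped even if a pattern would hit it.
EXCLUSIONS = [
    r"AKIAIOSFODNN7EXAMPLE",          # AWS documentation placeholder key
    r"(?i)password\s*[=:]\s*\*{3,}",  # value already masked by the runner
]

# Constructed sample lines standing in for a downloaded workflow run log.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z Setting up job
2024-05-01T10:00:02Z export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
2024-05-01T10:00:03Z export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
2024-05-01T10:00:04Z db password=***
2024-05-01T10:00:05Z db password=hunter2-not-masked
2024-05-01T10:00:06Z curl -H "Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123456789"
2024-05-01T10:00:07Z Job completed
"""


def redact(match: str, keep: int = 4) -> str:
    """Keep a short prefix so a reviewer can locate the value; hide the rest."""
    if len(match) <= keep:
        return "*" * len(match)
    return match[:keep] + "*" * (len(match) - keep)


def scan_log(text: str, patterns=PATTERNS, exclusions=EXCLUSIONS) -> dict:
    """Return {"count": n, "exceptions": [...]}, echoing the action's two outputs."""
    compiled = {name: re.compile(rx) for name, rx in patterns.items()}
    excl = [re.compile(rx) for rx in exclusions]
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if any(e.search(line) for e in excl):
            continue  # allowlisted line: known placeholder or already masked
        for name, rx in compiled.items():
            for m in rx.finditer(line):
                findings.append({
                    "line": lineno,
                    "pattern": name,
                    "match": redact(m.group(0)),
                })
    return {"count": len(findings), "exceptions": findings}


def scan_log_json(text: str) -> str:
    """JSON rendering of the report, suitable for a step output."""
    return json.dumps(scan_log(text), indent=2)


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    print(scan_log_json(SAMPLE_LOG))
    # Mirror fail-on-leak: non-zero exit status when anything was found.
    raise SystemExit(1 if report["count"] else 0)
```

Run stand-alone, the sample log yields three findings (the unmasked access key, the unmasked password assignment and the bearer token); the placeholder key and the already-masked password are dropped by the exclusions, which is exactly the false-positive control the action's exclusions file exists for.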

emvaldes commented 1 month ago

Initially, @devopsmatt created this story to kick off the process of importing these three GitHub Actions. I have now created a single Epic so that we can track these three GHAs independently in the event that the work has to span multiple sprints.

Note: This specific Story is focused only on importing the JosiahSiegel GHA "runleaks".

emvaldes commented 1 month ago

devops: prime-reportstream (importing-gha %) $ git add .github/actions/runleaks
devops: prime-reportstream (importing-gha +%) $ git commit -m "Importing JosiahSiegel's runleaks GitHub Action"
[importing-gha 2e5d21958] Importing JosiahSiegel's runleaks GitHub Action
 11 files changed, 567 insertions(+)
 create mode 100644 .github/actions/runleaks/.github/dependabot.yml
 create mode 100644 .github/actions/runleaks/.github/runleaks/exclusions.txt
 create mode 100644 .github/actions/runleaks/.github/runleaks/patterns.txt
 create mode 100644 .github/actions/runleaks/.github/runleaks/patterns_force_failure.txt
 create mode 100644 .github/actions/runleaks/.github/workflows/main.yml
 create mode 100644 .github/actions/runleaks/.github/workflows/scan_public.yml
 create mode 100644 .github/actions/runleaks/Dockerfile
 create mode 100644 .github/actions/runleaks/LICENSE
 create mode 100644 .github/actions/runleaks/README.md
 create mode 100644 .github/actions/runleaks/action.yml
 create mode 100644 .github/actions/runleaks/lib/scan.sh

emvaldes commented 1 month ago

This external repo is now inserted in the file structure at: .github/actions/runleaks in the importing-gha branch.

emvaldes commented 1 month ago

$GITHUB_ENV
env.REPOS
fromJson(needs.pre_job.outputs.repos)
github.event.inputs.repos
github.repository
inputs.exclusions-path
inputs.fail-on-leak
inputs.github-token
inputs.max-days-old
inputs.min-days-old
inputs.patterns-path
inputs.repo
inputs.run-limit
matrix.repo
secrets.GITHUB_TOKEN
secrets.MY_TOKEN
steps.random.outputs.repo
steps.scan.outputs.count
steps.scan.outputs.exceptions

emvaldes commented 1 month ago

This GitHub Action (targeted to be imported as a remote/external) is no longer in consideration until we can further evaluate whether they are worth the effort of importing at a later stage.

Warning: I have placed it into the "IceBox" stage as it is out of scope for now.