search

advanced-security / secret-scanning-review-action

Action to detect if a secret is initially detected in a PR commit
MIT License
9 stars 3 forks source link

Option to run the secret scanning on a branch #19

Open writemevm opened 2 months ago

writemevm commented 2 months ago

Option to run the secret scanning on a branch. Is it possible to run this action against a branch instead of PR ?

felickz commented 2 months ago

Not currently:

https://github.com/advanced-security/secret-scanning-review-action/blob/690e7319b8272fa9e883bc311fe7ec5d4c6432b1/action.ps1#L126-L133

The initial idea of the action was to provide additional information in code review on secrets locations introduced on the PR. How would you envision this working for branch based detection? The list of secrets that are present on a branch may be exhaustive (as is git history). One viable solution might be to use a base/head compare to show which secrets are newly detected compared to the base. This would echo how the dependency-review-action behaves as well: https://github.com/actions/dependency-review-action/blob/0659a74c94536054bfa5aeb92241f70d680cc78e/action.yml#L25-L30

The base git ref to be used for this check. Has a default value when the workflow event is pull_request or pull_request_target. Must be provided otherwise.