secret-scanner / action

GitHub Action that wraps Yelp/detect-secrets and provides an enterprise friendly way of detecting and preventing secrets in code.
MIT License

Secret Scanner

The Problem

People will sometimes commit secrets to a GitHub repository.

How it works

Uses Yelp/detect-secrets to look for newly committed secrets. If it finds any potential secrets, it will:

How to use it

Installation

First, create a .secrets.baseline in the repo you want to add this action to. For more details on what this file represents, visit the README for Yelp/detect-secrets:

cd PATH_TO_REPOSITORY
pip install detect-secrets[gibberish]==1.2.0
detect-secrets scan > .secrets.baseline
detect-secrets audit .secrets.baseline

Second, add this GitHub action to your workflow or create a new one. A basic workflow would be:

# File: .github/workflows/detect-new-secrets.yml
name: Checking for Secrets
on: push
jobs:
  check-secrets:
    name: Checking for Secrets
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v3
      - name: Secret Scanner
        uses: secret-scanner/action@0.0.2

Ignoring false positives

Often you might have strings that the secret scanner determines are secrets, but are actually harmless. Examples of these might be:

  1. Docker tags
  2. Git commit SHAs
  3. Randomly generated base64 strings

For these cases, it is useful to ignore certain files, lines, or "secrets". You can do this using the files:

While the path defaults to .github/actions/secret-scanner, you can change this with the input exclude_files_path. Blank lines and lines starting with # will be ignored.

How to use excluded_files.patterns

On each line, write the regex for the path to the file to ignore. For example:

# File: .github/actions/secret-scanner/excluded_files.patterns
# Lines starting with the char '#' are ignored
.*-sealed\.json$
\.github/actions/spelling/

will exclude files ending in -sealed.json and everything in the .github/actions/spelling folder.

How to use excluded_secrets.patterns

On each line write the regex for a secret you wish to ignore. For example:

# File: .github/actions/secret-scanner/excluded_secrets.patterns
^SHA256:[A-Fa-f0-9]{64}

How to use excluded_lines.patterns

On each line write the regex for a line you wish to ignore. For example:

# File: .github/actions/secret-scanner/excluded_lines.patterns
^\s+with\s+imageTag\s*=.*$

will exclude any line of the form with imageTag = <ANY_STRING>.
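The three pattern files above share one format (one regex per line, blank lines and lines starting with # ignored) but are matched against different parts of a finding: the file path, the whole line, or the secret value. The following Python is an added example, not the action's own code, that parses such files and applies them to constructed findings; it assumes the same re.search semantics that detect-secrets uses for its --exclude-files, --exclude-lines and --exclude-secrets filters.

```python
import re
from dataclasses import dataclass

# Constructed copies of the three pattern files shown above; the action reads
# them from exclude_files_path, here they are embedded inline for the example.
EXCLUDED_FILES = r"""# Lines starting with the char '#' are ignored
.*-sealed\.json$
\.github/actions/spelling/
"""
EXCLUDED_SECRETS = r"^SHA256:[A-Fa-f0-9]{64}"
EXCLUDED_LINES = r"""
^\s+with\s+imageTag\s*=.*$
"""


@dataclass(frozen=True)
class Finding:
    """One candidate secret: the file it was found in, the full line, and the value."""
    path: str
    line: str
    secret: str


def load_patterns(text: str) -> list:
    """Parse a *.patterns file: blank lines and '#' comments are skipped,
    every other line is compiled as one regex."""
    compiled = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            compiled.append(re.compile(line))
    return compiled


def is_excluded(f: Finding, files, lines, secrets) -> bool:
    """A finding is dropped if its path, its line, or its secret value matches
    any regex from the corresponding file (re.search, assumed to mirror detect-secrets)."""
    return (any(p.search(f.path) for p in files)
            or any(p.search(f.line) for p in lines)
            or any(p.search(f.secret) for p in secrets))


def apply_exclusions(findings, files_text=EXCLUDED_FILES,
                     lines_text=EXCLUDED_LINES, secrets_text=EXCLUDED_SECRETS):
    """Return only the findings that survive all three exclusion lists."""
    files = load_patterns(files_text)
    lines = load_patterns(lines_text)
    secrets = load_patterns(secrets_text)
    return [f for f in findings if not is_excluded(f, files, lines, secrets)]
```

Note that a file regex is searched, not anchored, so \.github/actions/spelling/ also matches that directory nested anywhere in the repository; anchor with ^ if you only want the top-level one.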

How to do more advanced exclusions

You can also pass arguments to detect-secrets directly by using the detect_secret_additional_args input. For information on the arguments that you can pass, visit Yelp/detect-secrets#filters. For example:

name: Checking for Secrets
on: push
env:
  SCANNER_ARGS: |
      --exclude-files \.github/actions/spelling/.*
      --exclude-lines ^\s+with\s+imageTag\s*=.*$
jobs:
  check-secrets:
    name: Checking for Secrets
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Configuration
        uses: actions/checkout@v3
      - name: Secret Scanner
        uses: secret-scanner/action@0.0.2
        with:
          detect_secret_additional_args: ${{ env.SCANNER_ARGS }}

This will ignore everything in .github/actions/spelling/*, and any line that matches the regex ^\s+with\s+imageTag\s*=.*$.

Inputs

detect_secrets_version
  Description: The version of Yelp/detect-secrets to use
  Required: no
  Default: 1.2.0

detect_secret_additional_args
  Description: Extra arguments to pass to the detect-secrets binary when it is looking for secrets
  Required: no
  Default: no additional arguments (empty string)

baseline_file
  Description: A path to the baseline secrets file
  Required: no
  Default: .secrets.baseline

python_version
  Description: The version of Python to use
  Required: no
  Default: 3.10.4

exclude_files_path
  Description: A path to the directory containing the *.patterns files listing things to exclude
  Required: no
  Default: .github/actions/secret-scanner