refined rule for ripple key for false positive resolution #20

Workflow file for this run

.github/workflows/issues-notification.yml at ddb0b95

	name: Notification with issues

	on:
	push:
	branches:
	- "**"
	pull_request:
	branches:
	- "**"
	workflow_dispatch:

	jobs:
	gitleaks:
	name: Gitleaks Scan
	runs-on: ubuntu-latest

	permissions:
	contents: read
	issues: write
	pull-requests: write

	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Run Gitleaks
	id: gitleaks
	uses: gitleaks/gitleaks-action@v2
	with:
	config: .gitleaks.toml
	continue-on-error: true

	# -----------------------------
	# PR comment (if PR triggered)
	# -----------------------------
	- name: Comment on PR if secrets detected
	if: github.event_name == 'pull_request' && steps.gitleaks.outcome == 'failure'
	uses: actions/github-script@v7
	with:
	script: \|
	await github.rest.issues.createComment({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	body: `
	Gitleaks Alert – Secrets Detected

	@${context.actor} @${context.repo.owner}

	Gitleaks has detected secrets in this pull request.

	Repository: ${context.repo.owner}/${context.repo.repo}
	PR: #${context.issue.number}
	Commit: ${context.sha}

	Please remove the secret immediately and rotate any exposed credentials.
	`
	});

	- name: Create GitHub Issue for secrets
	if: steps.gitleaks.outcome == 'failure'
	uses: actions/github-script@v7
	with:
	script: \|
	const title = 'Secrets detected by Gitleaks';

	const body = `
	Gitleaks Secret Detection Alert

	@${context.actor} @${context.repo.owner}

	Secrets were detected in the repository.

	Repository: ${context.repo.owner}/${context.repo.repo}
	Branch: ${context.ref.replace('refs/heads/', '')}
	Commit: ${context.sha}
	Triggered by: ${context.actor}

	Action required:
	- Remove the secret from the codebase
	- Rotate the exposed credentials immediately

	---
	_This issue was automatically created by github-actions[bot]._
	`;

	const { data: issues } = await github.rest.issues.listForRepo({
	owner: context.repo.owner,
	repo: context.repo.repo,
	state: 'open',
	labels: 'security,gitleaks'
	});

	const existingIssue = issues.find(issue => issue.title === title);

	if (!existingIssue) {
	await github.rest.issues.create({
	owner: context.repo.owner,
	repo: context.repo.repo,
	title,
	body,
	labels: ['security', 'gitleaks', 'automated']
	});
	} else {
	await github.rest.issues.createComment({
	issue_number: existingIssue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	body: `
	New secret detected

	Commit: ${context.sha}
	Triggered by: @${context.actor}
	`
	});
	}

	- name: Fail workflow if secrets detected
	if: steps.gitleaks.outcome == 'failure'
	run: exit 1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

refined rule for ripple key for false positive resolution #20

Workflow file

refined rule for ripple key for false positive resolution #20

Uh oh!

Workflow file for this run