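# Gitleaks secret scan that notifies on the PR and in a tracking issue, then
# fails the run.
#
# Security notes for maintainers:
# - Trigger: `pull_request` (not `pull_request_target`) is deliberate. The PR
#   code is only checked out and scanned, never executed, so the read-only
#   token a fork PR receives is sufficient and safe. Keep it that way.
# - Supply chain: the three `uses:` lines are pinned to mutable major tags
#   (v4 / v2 / v7). A tag can be re-pointed by the upstream maintainer or an
#   attacker with write access; prefer pinning each action to a full commit
#   SHA (tag in a trailing comment) and let Dependabot bump it.
# - Disclosure: the comment and issue bodies carry only repo / branch / commit /
#   actor. They must never include the finding itself — a public issue would
#   re-publish the secret gitleaks just caught.
# - Fork PRs: GITHUB_TOKEN is read-only there, so the comment/issue calls can
#   return 403. The last step uses always() so the run still fails for the
#   right reason.
name: Notification with issues

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - "**"
  pull_request:
    branches:
      - "**"
  workflow_dispatch:

jobs:
  gitleaks:
    name: Gitleaks Scan
    runs-on: ubuntu-latest
    # Least privilege: read code, write the two notification targets, nothing
    # else (job-level `permissions` resets every unlisted scope to none).
    permissions:
      contents: read
      issues: write
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history so every commit is scanned, not just HEAD.
          fetch-depth: 0

      - name: Run Gitleaks
        id: gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          # gitleaks-action v2 uses this token to enumerate the commits of a
          # pull request and reports an error when it is unset — confirm
          # against the README of the version you pin.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # gitleaks-action v2 is configured via environment variables, not
          # `with:` inputs; an unknown `with:` key (the original `config:`)
          # only produces a runner warning and is ignored. gitleaks also
          # auto-loads a root-level .gitleaks.toml, so this is explicit rather
          # than new behaviour — verify for the pinned version.
          GITLEAKS_CONFIG: .gitleaks.toml
        # Keep the job going so the notification steps can run; the run is
        # failed explicitly in the last step. `steps.gitleaks.outcome` still
        # reflects the real result (continue-on-error only changes `conclusion`).
        continue-on-error: true

      # -----------------------------
      # PR comment (if PR triggered)
      # -----------------------------
      - name: Comment on PR if secrets detected
        # NOTE: `outcome == 'failure'` is true both when leaks were found and
        # when the action itself errored (license, network, missing token).
        # That fails closed — an infra error raises an alert rather than
        # silently passing — but expect the occasional false alarm.
        if: github.event_name == 'pull_request' && steps.gitleaks.outcome == 'failure'
        uses: actions/github-script@v7
        with:
          script: |
            // On pull_request, context.sha is the synthetic merge commit of
            // refs/pull/N/merge; report the PR head commit so the reporter can
            // locate the offending change.
            const pr = context.payload.pull_request;
            const sha = pr ? pr.head.sha : context.sha;
            // Body lines sit flush with the script so the template literal has
            // no leading whitespace (4+ spaces render as a Markdown code block).
            // Metadata only — never the finding text.
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `
            **Gitleaks Alert – Secrets Detected**
            @${context.actor} @${context.repo.owner}
            Gitleaks has detected secrets in this pull request.
            **Repository:** ${context.repo.owner}/${context.repo.repo}
            **PR:** #${context.issue.number}
            **Commit:** ${sha}
            Please remove the secret immediately and rotate any exposed credentials.
            `
            });

      - name: Create GitHub Issue for secrets
        if: steps.gitleaks.outcome == 'failure'
        uses: actions/github-script@v7
        with:
          script: |
            const title = 'Secrets detected by Gitleaks';
            // For pull_request events context.ref is refs/pull/N/merge and
            // context.sha the merge commit; report the head branch/commit instead.
            const pr = context.payload.pull_request;
            const branch = pr ? pr.head.ref : context.ref.replace('refs/heads/', '');
            const sha = pr ? pr.head.sha : context.sha;
            // Body lines sit flush with the script so the template literal has
            // no leading whitespace (4+ spaces render as a Markdown code block).
            // Metadata only — never the finding text.
            const body = `
            **Gitleaks Secret Detection Alert**
            @${context.actor} @${context.repo.owner}
            Secrets were detected in the repository.
            **Repository:** ${context.repo.owner}/${context.repo.repo}
            **Branch:** ${branch}
            **Commit:** ${sha}
            **Triggered by:** ${context.actor}
            Action required:
            - Remove the secret from the codebase
            - Rotate the exposed credentials immediately
            ---
            _This issue was automatically created by github-actions[bot]._
            `;
            // De-duplicate: reuse an open issue that carries both labels and
            // the exact title. listForRepo returns one page (30) — enough for a
            // single tracking issue, but it would miss a 31st match.
            const { data: issues } = await github.rest.issues.listForRepo({
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'open',
              labels: 'security,gitleaks'
            });
            const existingIssue = issues.find(issue => issue.title === title);
            if (!existingIssue) {
              await github.rest.issues.create({
                owner: context.repo.owner,
                repo: context.repo.repo,
                title,
                body,
                labels: ['security', 'gitleaks', 'automated']
              });
            } else {
              await github.rest.issues.createComment({
                issue_number: existingIssue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: `
            New secret detected
            **Commit:** ${sha}
            **Triggered by:** @${context.actor}
            `
              });
            }

      - name: Fail workflow if secrets detected
        # always(): run even when a notification step above failed (e.g. a
        # fork PR's read-only token got a 403), so the job fails with the leak
        # as the stated reason rather than a notification error.
        if: always() && steps.gitleaks.outcome == 'failure'
        run: |
          echo "::error::Gitleaks reported findings or failed to run; see the 'Run Gitleaks' step output."
          exit 1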