feat: added scanning secrets in github actions and email notifications

vvyas123 · vvyas123 · commit d4f21d3f1758 · 2026-01-30T00:25:35.000+05:30
diff --git a/.github/workflows/email-notification.yml b/.github/workflows/email-notification.yml
@@ -0,0 +1,53 @@
+name: Gitleaks Secret Scan
+
+on:
+  push:
+    branches: ["**"]
+  pull_request:
+    branches: ["**"]
+  workflow_dispatch:
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks
+        id: gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        with:
+          config: .gitleaks.toml
+        continue-on-error: true
+
+      - name: Comment on PR if secrets detected
+        if: github.event_name == 'pull_request' && steps.gitleaks.outcome == 'failure'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `
+             **Gitleaks Alert – Secrets Detected**
+
+            @${context.actor} @${context.repo.owner}
+
+            Secrets were detected in this pull request.
+            Please remove them and rotate credentials immediately.
+
+            **Commit:** ${context.sha}
+            `
+            });
+
+      - name: Fail workflow if secrets detected
+        if: steps.gitleaks.outcome == 'failure'
+        run: exit 1
diff --git a/.github/workflows/gitleaks-new.yml b/.github/workflows/gitleaks-new.yml
@@ -0,0 +1,32 @@
+name: Gitleaks
+
+on:
+  push:
+    branches:
+      - "**"
+  pull_request:
+    branches:
+      - "**"
+  workflow_dispatch:
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          config: .gitleaks.toml
+
diff --git a/.github/workflows/issues-notification.yml b/.github/workflows/issues-notification.yml
@@ -0,0 +1,122 @@
+name: Notification with issues
+
+on:
+  push:
+    branches:
+      - "**"
+  pull_request:
+    branches:
+      - "**"
+  workflow_dispatch:
+
+jobs:
+  gitleaks:
+    name: Gitleaks Scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks
+        id: gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        with:
+          config: .gitleaks.toml
+        continue-on-error: true
+
+      # -----------------------------
+      # PR comment (if PR triggered)
+      # -----------------------------
+      - name: Comment on PR if secrets detected
+        if: github.event_name == 'pull_request' && steps.gitleaks.outcome == 'failure'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `
+            **Gitleaks Alert – Secrets Detected**
+
+            @${context.actor} @${context.repo.owner}
+
+            Gitleaks has detected secrets in this pull request.
+
+            **Repository:** ${context.repo.owner}/${context.repo.repo}
+            **PR:** #${context.issue.number}
+            **Commit:** ${context.sha}
+
+            Please remove the secret immediately and rotate any exposed credentials.
+            `
+            });
+
+      - name: Create GitHub Issue for secrets
+        if: steps.gitleaks.outcome == 'failure'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const title = 'Secrets detected by Gitleaks';
+
+            const body = `
+            **Gitleaks Secret Detection Alert**
+
+            @${context.actor} @${context.repo.owner}
+
+            Secrets were detected in the repository.
+
+            **Repository:** ${context.repo.owner}/${context.repo.repo}
+            **Branch:** ${context.ref.replace('refs/heads/', '')}
+            **Commit:** ${context.sha}
+            **Triggered by:** ${context.actor}
+
+            Action required:
+            - Remove the secret from the codebase
+            - Rotate the exposed credentials immediately
+
+            ---
+            _This issue was automatically created by github-actions[bot]._
+            `;
+
+            const { data: issues } = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              labels: 'security,gitleaks'
+            });
+
+            const existingIssue = issues.find(issue => issue.title === title);
+
+            if (!existingIssue) {
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title,
+                body,
+                labels: ['security', 'gitleaks', 'automated']
+              });
+            } else {
+              await github.rest.issues.createComment({
+                issue_number: existingIssue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: `
+                New secret detected
+
+                **Commit:** ${context.sha}
+                **Triggered by:** @${context.actor}
+                `
+              });
+            }
+
+      - name: Fail workflow if secrets detected
+        if: steps.gitleaks.outcome == 'failure'
+        run: exit 1
