From d4f21d3f17586a244b687a24c8bc1a8efb910875 Mon Sep 17 00:00:00 2001 From: virendra vyas Date: Fri, 30 Jan 2026 00:25:35 +0530 Subject: [PATCH] feat: added scanning secrets in github actions and email notifications --- .github/workflows/email-notification.yml | 53 ++++++++++ .github/workflows/gitleaks-new.yml | 32 ++++++ .github/workflows/issues-notification.yml | 122 ++++++++++++++++++++++ 3 files changed, 207 insertions(+) create mode 100644 .github/workflows/email-notification.yml create mode 100644 .github/workflows/gitleaks-new.yml create mode 100644 .github/workflows/issues-notification.yml
diff --git a/.github/workflows/email-notification.yml b/.github/workflows/email-notification.yml new file mode 100644
index 000000000..4836dfb47
--- /dev/null
+++ b/.github/workflows/email-notification.yml
@@ -0,0 +1,53 @@
+name: Gitleaks Secret Scan
+
+on:
+ push:
+ branches: ["**"]
+ pull_request:
+ branches: ["**"]
+ workflow_dispatch:
+
+jobs:
+ gitleaks:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ pull-requests: write
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Run Gitleaks
+ id: gitleaks
+ uses: gitleaks/gitleaks-action@v2
+ with:
+ config: .gitleaks.toml
+ continue-on-error: true
+
+ - name: Comment on PR if secrets detected
+ if: github.event_name == 'pull_request' && steps.gitleaks.outcome == 'failure'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ await github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: `
+ **Gitleaks Alert – Secrets Detected**
+
+ @${context.actor} @${context.repo.owner}
+
+ Secrets were detected in this pull request.
+ Please remove them and rotate credentials immediately.
+
+ **Commit:** ${context.sha}
+ `
+ });
+
+ - name: Fail workflow if secrets detected
+ if: steps.gitleaks.outcome == 'failure'
+ run: exit 1
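Review bot: `continue-on-error: true` on the Run Gitleaks step combined with `steps.gitleaks.outcome == 'failure'` in the two following steps treats any failure of the action as a finding, so a missing `.gitleaks.toml` (this commit adds only the three workflow files), a missing token or license, or a runtime error in the action will post a "Secrets Detected" comment on the PR and fail the build with no secret present. The gitleaks-new.yml hunk passes `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the same action while this file and issues-notification.yml do not, so the three workflows can disagree on the same commit; the same outcome-vs-finding problem applies to the issues-notification.yml hunk. If the action exposes its exit code as a step output (the v2 README documents an `exit-code` output where 1 means leaks were found — verify against the pinned version), gate the comment and the final `exit 1` on that output instead of on the step outcome, and let a genuine action error surface as its own failure. Separately, the file is named email-notification.yml and the subject line promises email notifications, yet the job contains no mail step and is a subset of issues-notification.yml with identical triggers, so every push runs three scans and every PR gets two comments; a one-line header comment such as `# Duplicate of issues-notification.yml; kept only until the email step is added` or consolidating into one workflow would make the intent clear.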
diff --git a/.github/workflows/gitleaks-new.yml b/.github/workflows/gitleaks-new.yml new file mode 100644
index 000000000..3fa23b5be
--- /dev/null
+++ b/.github/workflows/gitleaks-new.yml
@@ -0,0 +1,32 @@
+name: Gitleaks
+
+on:
+ push:
+ branches:
+ - "**"
+ pull_request:
+ branches:
+ - "**"
+ workflow_dispatch:
+
+jobs:
+ gitleaks:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ pull-requests: read
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Run Gitleaks
+ uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ config: .gitleaks.toml
+
diff --git a/.github/workflows/issues-notification.yml b/.github/workflows/issues-notification.yml new file mode 100644
index 000000000..b34d80988
--- /dev/null
+++ b/.github/workflows/issues-notification.yml
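Review bot: `GITHUB_TOKEN` is handed to `gitleaks/gitleaks-action@v2`, a third-party action referenced by a mutable major tag, so whoever can move that tag decides what code runs with the repository token; the same applies to `actions/checkout@v4` and `actions/github-script@v7` in all three workflows, the latter running with `issues: write` and `pull-requests: write` in the other two files. Pin each action to a full commit SHA with the version noted alongside it, e.g. `uses: gitleaks/gitleaks-action@<commit-sha>  # v2.x.y` (placeholder — take the SHA from the release you intend to run), and keep `permissions` as the least the job needs, which this file already does with `contents: read` and `pull-requests: read`. This workflow is otherwise a strict subset of email-notification.yml and issues-notification.yml with identical triggers, so it adds a third full-history scan per push without adding a check the other two lack; a header comment stating why it exists separately, or dropping it, would help the next maintainer.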
@@ -0,0 +1,122 @@
+name: Notification with issues
+
+on:
+ push:
+ branches:
+ - "**"
+ pull_request:
+ branches:
+ - "**"
+ workflow_dispatch:
+
+jobs:
+ gitleaks:
+ name: Gitleaks Scan
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Run Gitleaks
+ id: gitleaks
+ uses: gitleaks/gitleaks-action@v2
+ with:
+ config: .gitleaks.toml
+ continue-on-error: true
+
+ # -----------------------------
+ # PR comment (if PR triggered)
+ # -----------------------------
+ - name: Comment on PR if secrets detected
+ if: github.event_name == 'pull_request' && steps.gitleaks.outcome == 'failure'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ await github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: `
+ **Gitleaks Alert – Secrets Detected**
+
+ @${context.actor} @${context.repo.owner}
+
+ Gitleaks has detected secrets in this pull request.
+
+ **Repository:** ${context.repo.owner}/${context.repo.repo}
+ **PR:** #${context.issue.number}
+ **Commit:** ${context.sha}
+
+ Please remove the secret immediately and rotate any exposed credentials.
+ `
+ });
+
+ - name: Create GitHub Issue for secrets
+ if: steps.gitleaks.outcome == 'failure'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const title = 'Secrets detected by Gitleaks';
+
+ const body = `
+ **Gitleaks Secret Detection Alert**
+
+ @${context.actor} @${context.repo.owner}
+
+ Secrets were detected in the repository.
+
+ **Repository:** ${context.repo.owner}/${context.repo.repo}
+ **Branch:** ${context.ref.replace('refs/heads/', '')}
+ **Commit:** ${context.sha}
+ **Triggered by:** ${context.actor}
+
+ Action required:
+ - Remove the secret from the codebase
+ - Rotate the exposed credentials immediately
+
+ ---
+ _This issue was automatically created by github-actions[bot]._
+ `;
+
+ const { data: issues } = await github.rest.issues.listForRepo({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ state: 'open',
+ labels: 'security,gitleaks'
+ });
+
+ const existingIssue = issues.find(issue => issue.title === title);
+
+ if (!existingIssue) {
+ await github.rest.issues.create({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ title,
+ body,
+ labels: ['security', 'gitleaks', 'automated']
+ });
+ } else {
+ await github.rest.issues.createComment({
+ issue_number: existingIssue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: `
+ New secret detected
+
+ **Commit:** ${context.sha}
+ **Triggered by:** @${context.actor}
+ `
+ });
+ }
+
+ - name: Fail workflow if secrets detected
+ if: steps.gitleaks.outcome == 'failure'
+ run: exit 1
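Review bot: The "Create GitHub Issue for secrets" step files an ordinary issue in the same repository that names the exact branch and commit holding the leaked credential, so anyone who can read issues (everyone, on a public repository) gets a pointer to the secret before it has been rotated. The body rightly omits the finding itself, but the destination should be one only the responders see — a private security-tracking repository, a repository security advisory, or a notification channel with a restricted audience — and the public-facing signal limited to the failed check. A related gap: on `pull_request` events from forks the `GITHUB_TOKEN` is read-only, so `github.rest.issues.create` and `createComment` will throw and the step fails for a permission reason rather than because of a finding; a `try`/`catch` that logs and falls through to the final `exit 1` step, or skipping the issue step with `if: github.event.pull_request.head.repo.fork != true` as a guard, would keep the failure reason honest. The dedupe via `listForRepo` only inspects the first page of open issues, so with many `security,gitleaks` issues open a duplicate could be created; adding `per_page: 100` or searching by title is cheap.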