Update secret-scan-gitleaks.yml

Signed-off-by: LUIZ HAMILTON ROBERTO DA SILVA <[email protected]>

Author: brazilianscriptguy

.github/workflows/secret-scan-gitleaks.yml

@@ -3,14 +3,8 @@ name: Secret Scan (Gitleaks) [Report-Only]
 on:
   push:
     branches: [main, develop]
-    paths:
-      - "**/*"
-      - ".github/workflows/secret-scan-gitleaks.yml"
   pull_request:
     branches: [main, develop]
-    paths:
-      - "**/*"
-      - ".github/workflows/secret-scan-gitleaks.yml"
   workflow_dispatch:
 
 concurrency:
@@ -28,10 +22,12 @@ jobs:
     timeout-minutes: 15
 
     env:
-      OUT_DIR: "secret-scan-reports"
-      OUT_SARIF: "gitleaks.sarif"
-      OUT_JSON: "gitleaks.json"
-      OUT_LOG: "gitleaks.log"
+      GITLEAKS_VERSION: "8.30.0"
+      OUT_DIR: secret-scan-reports
+      OUT_SARIF: gitleaks.sarif
+      OUT_JSON: gitleaks.json
+      OUT_LOG: gitleaks.log
+      CONFIG_FILE: .gitleaks.toml
 
     steps:
       - name: Checkout (full history)
@@ -40,86 +36,56 @@ jobs:
           fetch-depth: 0
 
       - name: Ensure output folder exists
-        shell: bash
-        run: |
-          set -euo pipefail
-          mkdir -p "${OUT_DIR}"
+        run: mkdir -p "${{ env.OUT_DIR }}"
 
-      - name: Initialize SARIF baseline (always create file)
+      - name: Initialize empty SARIF baseline
         if: always()
-        shell: bash
         run: |
-          set -euo pipefail
-          cat > "${OUT_DIR}/${OUT_SARIF}" << 'EOF'
+          cat > "${{ env.OUT_DIR }}/${{ env.OUT_SARIF }}" << 'EOF'
           {
             "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
             "version": "2.1.0",
             "runs": [
-              {
-                "tool": { "driver": { "name": "gitleaks", "version": "0" } },
-                "results": []
-              }
+              { "tool": { "driver": { "name": "gitleaks", "version": "0" } }, "results": [] }
             ]
           }
           EOF
 
-      - name: Run Gitleaks (report-only)
-        if: always()
-        uses: gitleaks/gitleaks-action@v2
-        continue-on-error: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITLEAKS_ARGS: >-
-            detect
-            --source=.
-            --redact
-            --report-format=sarif
-            --report-path=${{ env.OUT_DIR }}/${{ env.OUT_SARIF }}
-            --report-path=${{ env.OUT_DIR }}/${{ env.OUT_SARIF }}
-
-      # NOTE:
-      # gitleaks-action focuses on SARIF; to also produce JSON/log reliably,
-      # we run a second invocation via the gitleaks binary (pinned) below.
-
       - name: Install Gitleaks (pinned)
         if: always()
-        shell: bash
         run: |
           set -euo pipefail
-          # Pinned version for repeatability
-          VER="8.21.2"
+          VER="${{ env.GITLEAKS_VERSION }}"
           curl -sSL -o /tmp/gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${VER}/gitleaks_${VER}_linux_x64.tar.gz"
           tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
           sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
           gitleaks version
 
-      - name: Run Gitleaks JSON + Log (report-only)
+      - name: Run Gitleaks (SARIF + JSON + Log) [Report-Only]
         if: always()
-        shell: bash
         run: |
-          set -euo pipefail
           set +e
 
-          gitleaks detect \
-            --source="." \
-            --redact \
-            --report-format="json" \
-            --report-path="${OUT_DIR}/${OUT_JSON}" \
-            2>&1 | tee "${OUT_DIR}/${OUT_LOG}"
+          CFG=""
+          if [ -f "${{ env.CONFIG_FILE }}" ]; then
+            CFG="--config=${{ env.CONFIG_FILE }}"
+          fi
 
-          # Never fail CI (report-only)
-          exit 0
+          # SARIF
+          gitleaks detect --source="." --redact $CFG \
+            --report-format=sarif \
+            --report-path="${{ env.OUT_DIR }}/${{ env.OUT_SARIF }}" \
+            2>&1 | tee "${{ env.OUT_DIR }}/${{ env.OUT_LOG }}"
 
-      - name: Pre-upload diagnostics
-        if: always()
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "Workspace: ${GITHUB_WORKSPACE}"
-          echo "OUT_DIR: ${OUT_DIR}"
-          ls -la "${OUT_DIR}" || true
+          # JSON (second report output; keep report-only)
+          gitleaks detect --source="." --redact $CFG \
+            --report-format=json \
+            --report-path="${{ env.OUT_DIR }}/${{ env.OUT_JSON }}" \
+            >/dev/null 2>&1
+
+          exit 0
 
-      - name: Upload secret scan artifacts (never fail if empty)
+      - name: Upload artifacts (reports)
         if: always()
         uses: actions/upload-artifact@v4
         with:
@@ -128,7 +94,7 @@ jobs:
           if-no-files-found: warn
           retention-days: 30
 
-      - name: Upload SARIF to GitHub Code Scanning (report-only)
+      - name: Upload SARIF to GitHub Code Scanning
         if: always() && hashFiles(format('{0}/{1}', env.OUT_DIR, env.OUT_SARIF)) != ''
         uses: github/codeql-action/upload-sarif@v4
         with: