Update secret-scan-gitleaks.yml

brazilianscriptguy · web-flow · commit 7ddfbeacdd7b · 2026-02-10T07:47:01.000-03:00
Signed-off-by: LUIZ HAMILTON ROBERTO DA SILVA &lt;luizhamilton.lhr@gmail.com&gt;
diff --git a/.github/workflows/secret-scan-gitleaks.yml b/.github/workflows/secret-scan-gitleaks.yml
@@ -35,6 +35,7 @@ jobs:
       - name: Checkout (PR-fast / Main-full)
         uses: actions/checkout@v4
         with:
+          # PR: shallow checkout for speed. Push to main: full history for maximum coverage.
           fetch-depth: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && 0 || 2 }}
 
       - name: Ensure output folder exists + baselines
@@ -78,6 +79,7 @@ jobs:
         if: always()
         shell: bash
         run: |
+          # Report-only: never fail the job
           set +e
 
           CFG=()
@@ -110,12 +112,12 @@ jobs:
           python3 - << 'PY'
           import json, os, re
 
-          out_dir   = os.environ["OUT_DIR"]
-          json_path = os.path.join(out_dir, os.environ["OUT_JSON"])
-          sarif_path= os.path.join(out_dir, os.environ["OUT_SARIF"])
-          log_path  = os.path.join(out_dir, os.environ["OUT_LOG"])
-          md_path   = os.path.join(out_dir, os.environ["OUT_MD"])
-          ver       = os.environ.get("GITLEAKS_VERSION","0")
+          out_dir    = os.environ["OUT_DIR"]
+          json_path  = os.path.join(out_dir, os.environ["OUT_JSON"])
+          sarif_path = os.path.join(out_dir, os.environ["OUT_SARIF"])
+          log_path   = os.path.join(out_dir, os.environ["OUT_LOG"])
+          md_path    = os.path.join(out_dir, os.environ["OUT_MD"])
+          ver        = os.environ.get("GITLEAKS_VERSION","0")
 
           # Read log (for error context)
           log_text = ""
@@ -179,35 +181,71 @@ jobs:
 
           # --- Markdown report ---
           status = "OK"
-          # Detect config failure or fatal error in log
           if re.search(r"\bFTL\b|\bFailed to load config\b", log_text, re.IGNORECASE):
             status = "ERROR (see log)"
 
+          mode = "Main (full history)"
+          if os.environ.get("GITHUB_EVENT_NAME","") == "pull_request":
+            mode = "PR-fast (working tree only)"
+
           md = []
           md.append("# Gitleaks Secret Scan (Report-Only)")
           md.append("")
           md.append(f"**Status:** {status}")
-          md.append(f"**Mode:** {'PR-fast (working tree only)' if os.environ.get('GITHUB_EVENT_NAME','')=='pull_request' else 'Main (full history)'}")
+          md.append(f"**Mode:** {mode}")
           md.append(f"**Findings:** {len(findings)}")
           md.append("")
           if len(findings) == 0:
             md.append("No secrets detected (or scan produced no findings).")
           else:
-            # Top rule counts
             counts = {}
             for x in findings:
               rid = pick(x, "RuleID", "ruleID", "Rule", "rule", default="gitleaks")
               counts[rid] = counts.get(rid, 0) + 1
+
             md.append("## Top Rules")
             for rid, c in sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:15]:
               md.append(f"- `{rid}`: {c}")
+
           md.append("")
-          md.append("> Artifacts: `gitleaks.json`, `gitleaks.sarif`, `gitleaks.log`")
+          md.append("> Artifacts: `gitleaks.json`, `gitleaks.sarif`, `gitleaks.log`, `gitleaks-report.md`")
 
           with open(md_path, "w", encoding="utf-8") as f:
             f.write("\n".join(md) + "\n")
           PY
 
+      - name: Publish report to Run Summary (View Runs)
+        if: always()
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          COUNT="$(python3 -c 'import json; import sys; print(len(json.load(open(sys.argv[1]))))' "${OUT_DIR}/${OUT_JSON}" 2>/dev/null || echo 0)"
+
+          {
+            echo "## 🔐 Gitleaks Secret Scan (Report-Only)"
+            echo ""
+            echo "**Workflow:** PR-fast / Main-full"
+            echo "**Event:** \`${{ github.event_name }}\`"
+            echo "**Ref:** \`${{ github.ref }}\`"
+            echo "**Findings:** ${COUNT}"
+            echo ""
+            echo "### Report"
+            echo ""
+            if [ -f "${OUT_DIR}/${OUT_MD}" ]; then
+              cat "${OUT_DIR}/${OUT_MD}"
+            else
+              echo "_No markdown report file found:_ \`${OUT_DIR}/${OUT_MD}\`"
+            fi
+            echo ""
+            echo "### Artifacts"
+            echo ""
+            echo "- \`${OUT_DIR}/${OUT_JSON}\`"
+            echo "- \`${OUT_DIR}/${OUT_SARIF}\`"
+            echo "- \`${OUT_DIR}/${OUT_LOG}\`"
+            echo "- \`${OUT_DIR}/${OUT_MD}\`"
+          } >> "$GITHUB_STEP_SUMMARY"
+
       - name: Upload artifacts (reports)
         if: always()
         uses: actions/upload-artifact@v4
