Update secret-scan-gitleaks.yml

Signed-off-by: LUIZ HAMILTON ROBERTO DA SILVA <[email protected]>

Author: brazilianscriptguy

.github/workflows/secret-scan-gitleaks.yml

@@ -28,21 +28,42 @@ jobs:
       OUT_SARIF: "gitleaks.sarif"
       OUT_JSON: "gitleaks.json"
       OUT_LOG: "gitleaks.log"
+      OUT_MD: "gitleaks-report.md"
       CONFIG_FILE: ".gitleaks.toml"
 
     steps:
       - name: Checkout (PR-fast / Main-full)
         uses: actions/checkout@v4
         with:
-          # PR: shallow is fine (fast). Main push: full history for maximum coverage.
           fetch-depth: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && 0 || 2 }}
 
-      - name: Ensure output folder exists
+      - name: Ensure output folder exists + baselines
         shell: bash
         run: |
           set -euo pipefail
           mkdir -p "${OUT_DIR}"
 
+          # Always create JSON baseline (empty array)
+          echo "[]" > "${OUT_DIR}/${OUT_JSON}"
+
+          # Always create SARIF baseline
+          cat > "${OUT_DIR}/${OUT_SARIF}" << 'EOF'
+          {
+            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+            "version": "2.1.0",
+            "runs": [
+              { "tool": { "driver": { "name": "gitleaks", "version": "0" } }, "results": [] }
+            ]
+          }
+          EOF
+
+          # Always create MD baseline
+          cat > "${OUT_DIR}/${OUT_MD}" << 'EOF'
+          # Gitleaks Secret Scan (Report-Only)
+
+          Status: Not executed yet.
+          EOF
+
       - name: Install Gitleaks (pinned)
         shell: bash
         run: |
@@ -57,18 +78,16 @@ jobs:
         if: always()
         shell: bash
         run: |
-          # Report-only: never fail the job
           set +e
 
           CFG=()
           if [ -f "${CONFIG_FILE}" ]; then
             CFG=(--config="${CONFIG_FILE}")
           fi
 
-          # PR: scan working tree only (no history) to keep it fast.
-          # Main push: full history (because fetch-depth=0).
           EXTRA=()
           if [ "${{ github.event_name }}" = "pull_request" ]; then
+            # PR-fast: scan working tree only (no git history)
             EXTRA=(--no-git)
           fi
 
@@ -81,14 +100,42 @@ jobs:
             --report-path="${OUT_DIR}/${OUT_JSON}" \
             2>&1 | tee "${OUT_DIR}/${OUT_LOG}"
 
-          # Convert JSON -> SARIF (no re-scan)
+          exit 0
+
+      - name: Build SARIF + Markdown report (from JSON/log)
+        if: always()
+        shell: bash
+        run: |
+          set -euo pipefail
           python3 - << 'PY'
-          import json, os, sys
-          out_dir = os.environ["OUT_DIR"]
+          import json, os, re
+
+          out_dir   = os.environ["OUT_DIR"]
           json_path = os.path.join(out_dir, os.environ["OUT_JSON"])
-          sarif_path = os.path.join(out_dir, os.environ["OUT_SARIF"])
-          ver = os.environ.get("GITLEAKS_VERSION","0")
+          sarif_path= os.path.join(out_dir, os.environ["OUT_SARIF"])
+          log_path  = os.path.join(out_dir, os.environ["OUT_LOG"])
+          md_path   = os.path.join(out_dir, os.environ["OUT_MD"])
+          ver       = os.environ.get("GITLEAKS_VERSION","0")
 
+          # Read log (for error context)
+          log_text = ""
+          try:
+            with open(log_path, "r", encoding="utf-8", errors="replace") as f:
+              log_text = f.read()
+          except Exception:
+            pass
+
+          # Load findings JSON (fallback to empty list)
+          findings = []
+          try:
+            with open(json_path, "r", encoding="utf-8") as f:
+              data = json.load(f)
+              if isinstance(data, list):
+                findings = data
+          except Exception:
+            findings = []
+
+          # --- SARIF ---
           sarif = {
             "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
             "version": "2.1.0",
@@ -98,44 +145,68 @@ jobs:
             }]
           }
 
-          try:
-            with open(json_path, "r", encoding="utf-8") as f:
-              data = json.load(f)
-          except Exception:
-            with open(sarif_path, "w", encoding="utf-8") as f:
-              json.dump(sarif, f, ensure_ascii=False, indent=2)
-            sys.exit(0)
-
-          if isinstance(data, list):
-            for item in data:
-              file_path = item.get("File") or item.get("file") or item.get("Path") or ""
-              start_line = item.get("StartLine") or item.get("startLine") or item.get("Line") or item.get("line") or 1
-              rule_id = item.get("RuleID") or item.get("ruleID") or item.get("Rule") or "gitleaks"
-              desc = item.get("Description") or item.get("description") or "Potential secret detected"
-              msg = f"{desc} (rule: {rule_id})"
-
-              try:
-                start_line = int(start_line)
-              except Exception:
-                start_line = 1
-
-              sarif["runs"][0]["results"].append({
-                "ruleId": str(rule_id),
-                "level": "error",
-                "message": {"text": msg},
-                "locations": [{
-                  "physicalLocation": {
-                    "artifactLocation": {"uri": file_path},
-                    "region": {"startLine": start_line}
-                  }
-                }]
-              })
+          def pick(d, *keys, default=None):
+            for k in keys:
+              if k in d and d[k] is not None:
+                return d[k]
+            return default
+
+          for item in findings:
+            file_path  = pick(item, "File", "file", "Path", "path", default="")
+            start_line = pick(item, "StartLine", "startLine", "Line", "line", default=1)
+            rule_id    = pick(item, "RuleID", "ruleID", "Rule", "rule", default="gitleaks")
+            desc       = pick(item, "Description", "description", default="Potential secret detected")
+
+            try:
+              start_line = int(start_line)
+            except Exception:
+              start_line = 1
+
+            sarif["runs"][0]["results"].append({
+              "ruleId": str(rule_id),
+              "level": "error",
+              "message": {"text": f"{desc} (rule: {rule_id})"},
+              "locations": [{
+                "physicalLocation": {
+                  "artifactLocation": {"uri": file_path},
+                  "region": {"startLine": start_line}
+                }
+              }]
+            })
 
           with open(sarif_path, "w", encoding="utf-8") as f:
             json.dump(sarif, f, ensure_ascii=False, indent=2)
-          PY
 
-          exit 0
+          # --- Markdown report ---
+          status = "OK"
+          # Detect config failure or fatal error in log
+          if re.search(r"\bFTL\b|\bFailed to load config\b", log_text, re.IGNORECASE):
+            status = "ERROR (see log)"
+
+          md = []
+          md.append("# Gitleaks Secret Scan (Report-Only)")
+          md.append("")
+          md.append(f"**Status:** {status}")
+          md.append(f"**Mode:** {'PR-fast (working tree only)' if os.environ.get('GITHUB_EVENT_NAME','')=='pull_request' else 'Main (full history)'}")
+          md.append(f"**Findings:** {len(findings)}")
+          md.append("")
+          if len(findings) == 0:
+            md.append("No secrets detected (or scan produced no findings).")
+          else:
+            # Top rule counts
+            counts = {}
+            for x in findings:
+              rid = pick(x, "RuleID", "ruleID", "Rule", "rule", default="gitleaks")
+              counts[rid] = counts.get(rid, 0) + 1
+            md.append("## Top Rules")
+            for rid, c in sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:15]:
+              md.append(f"- `{rid}`: {c}")
+          md.append("")
+          md.append("> Artifacts: `gitleaks.json`, `gitleaks.sarif`, `gitleaks.log`")
+
+          with open(md_path, "w", encoding="utf-8") as f:
+            f.write("\n".join(md) + "\n")
+          PY
 
       - name: Upload artifacts (reports)
         if: always()