Update secret-scan-gitleaks.yml

Signed-off-by: LUIZ HAMILTON ROBERTO DA SILVA <[email protected]>

Author: brazilianscriptguy

.github/workflows/secret-scan-gitleaks.yml

@@ -1,3 +1,4 @@
+# .github/workflows/secret-scan-gitleaks.yml
 name: Secret Scan (Gitleaks) [Report-Only]
 
 on:
@@ -23,11 +24,11 @@ jobs:
 
     env:
       GITLEAKS_VERSION: "8.30.0"
-      OUT_DIR: secret-scan-reports
-      OUT_SARIF: gitleaks.sarif
-      OUT_JSON: gitleaks.json
-      OUT_LOG: gitleaks.log
-      CONFIG_FILE: .gitleaks.toml
+      OUT_DIR: "secret-scan-reports"
+      OUT_SARIF: "gitleaks.sarif"
+      OUT_JSON: "gitleaks.json"
+      OUT_LOG: "gitleaks.log"
+      CONFIG_FILE: ".gitleaks.toml"
 
     steps:
       - name: Checkout (full history)
@@ -36,52 +37,95 @@ jobs:
           fetch-depth: 0
 
       - name: Ensure output folder exists
-        run: mkdir -p "${{ env.OUT_DIR }}"
-
-      - name: Initialize empty SARIF baseline
-        if: always()
+        shell: bash
         run: |
-          cat > "${{ env.OUT_DIR }}/${{ env.OUT_SARIF }}" << 'EOF'
-          {
-            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
-            "version": "2.1.0",
-            "runs": [
-              { "tool": { "driver": { "name": "gitleaks", "version": "0" } }, "results": [] }
-            ]
-          }
-          EOF
+          set -euo pipefail
+          mkdir -p "${OUT_DIR}"
 
       - name: Install Gitleaks (pinned)
-        if: always()
+        shell: bash
         run: |
           set -euo pipefail
-          VER="${{ env.GITLEAKS_VERSION }}"
+          VER="${GITLEAKS_VERSION}"
           curl -sSL -o /tmp/gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${VER}/gitleaks_${VER}_linux_x64.tar.gz"
           tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
           sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
           gitleaks version
 
-      - name: Run Gitleaks (SARIF + JSON + Log) [Report-Only]
+      - name: Run Gitleaks (single run) [Report-Only]
         if: always()
+        shell: bash
         run: |
+          # Report-only: never fail the job
           set +e
 
-          CFG=""
-          if [ -f "${{ env.CONFIG_FILE }}" ]; then
-            CFG="--config=${{ env.CONFIG_FILE }}"
+          CFG=()
+          if [ -f "${CONFIG_FILE}" ]; then
+            CFG=(--config="${CONFIG_FILE}")
           fi
 
-          # SARIF
-          gitleaks detect --source="." --redact $CFG \
-            --report-format=sarif \
-            --report-path="${{ env.OUT_DIR }}/${{ env.OUT_SARIF }}" \
-            2>&1 | tee "${{ env.OUT_DIR }}/${{ env.OUT_LOG }}"
-
-          # JSON (second report output; keep report-only)
-          gitleaks detect --source="." --redact $CFG \
-            --report-format=json \
-            --report-path="${{ env.OUT_DIR }}/${{ env.OUT_JSON }}" \
-            >/dev/null 2>&1
+          # Run once, produce JSON, and capture log. Exit code is ignored intentionally.
+          gitleaks detect \
+            --source="." \
+            --redact \
+            "${CFG[@]}" \
+            --report-format="json" \
+            --report-path="${OUT_DIR}/${OUT_JSON}" \
+            2>&1 | tee "${OUT_DIR}/${OUT_LOG}"
+
+          # Create SARIF from JSON (single scan, dual outputs)
+          python3 - << 'PY'
+          import json, os, sys
+          out_dir = os.environ["OUT_DIR"]
+          json_path = os.path.join(out_dir, os.environ["OUT_JSON"])
+          sarif_path = os.path.join(out_dir, os.environ["OUT_SARIF"])
+
+          # Baseline SARIF skeleton
+          sarif = {
+            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+            "version": "2.1.0",
+            "runs": [{
+              "tool": {"driver": {"name": "gitleaks", "version": os.environ.get("GITLEAKS_VERSION","0")}},
+              "results": []
+            }]
+          }
+
+          try:
+            with open(json_path, "r", encoding="utf-8") as f:
+              data = json.load(f)
+          except Exception:
+            # If JSON missing or invalid, still write baseline SARIF
+            with open(sarif_path, "w", encoding="utf-8") as f:
+              json.dump(sarif, f, ensure_ascii=False, indent=2)
+            sys.exit(0)
+
+          # Gitleaks JSON is typically a list of findings
+          if isinstance(data, list):
+            for item in data:
+              file_path = item.get("File") or item.get("file") or item.get("Path") or ""
+              start_line = item.get("StartLine") or item.get("startLine") or item.get("Line") or item.get("line") or 1
+              rule_id = item.get("RuleID") or item.get("ruleID") or item.get("Rule") or "gitleaks"
+              desc = item.get("Description") or item.get("description") or "Potential secret detected"
+              secret = item.get("Secret") or item.get("secret") or ""
+              # Keep message minimal (avoid reproducing secrets)
+              msg = f"{desc} (rule: {rule_id})"
+
+              res = {
+                "ruleId": str(rule_id),
+                "level": "error",
+                "message": {"text": msg},
+                "locations": [{
+                  "physicalLocation": {
+                    "artifactLocation": {"uri": file_path},
+                    "region": {"startLine": int(start_line) if str(start_line).isdigit() else 1}
+                  }
+                }]
+              }
+              sarif["runs"][0]["results"].append(res)
+
+          with open(sarif_path, "w", encoding="utf-8") as f:
+            json.dump(sarif, f, ensure_ascii=False, indent=2)
+          PY
 
           exit 0