Update secret-scan-gitleaks.yml

Signed-off-by: LUIZ HAMILTON ROBERTO DA SILVA <[email protected]>

Author: brazilianscriptguy

.github/workflows/secret-scan-gitleaks.yml

@@ -2,10 +2,10 @@
 name: Secret Scan (Gitleaks) [Report-Only]
 
 on:
-  push:
-    branches: [main, develop]
   pull_request:
     branches: [main, develop]
+  push:
+    branches: [main]
   workflow_dispatch:
 
 concurrency:
@@ -18,7 +18,7 @@ permissions:
 
 jobs:
   gitleaks:
-    name: Gitleaks Scan (SARIF + Artifacts) [Report-Only]
+    name: Gitleaks Scan (PR-fast / Main-full) [Report-Only]
     runs-on: ubuntu-latest
     timeout-minutes: 15
 
@@ -31,10 +31,11 @@ jobs:
       CONFIG_FILE: ".gitleaks.toml"
 
     steps:
-      - name: Checkout (full history)
+      - name: Checkout (PR-fast / Main-full)
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0
+          # PR: shallow is fine (fast). Main push: full history for maximum coverage.
+          fetch-depth: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && 0 || 2 }}
 
       - name: Ensure output folder exists
         shell: bash
@@ -52,7 +53,7 @@ jobs:
           sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
           gitleaks version
 
-      - name: Run Gitleaks (single run) [Report-Only]
+      - name: Run Gitleaks (PR-fast / Main-full) [Report-Only]
         if: always()
         shell: bash
         run: |
@@ -64,28 +65,35 @@ jobs:
             CFG=(--config="${CONFIG_FILE}")
           fi
 
-          # Run once, produce JSON, and capture log. Exit code is ignored intentionally.
+          # PR: scan working tree only (no history) to keep it fast.
+          # Main push: full history (because fetch-depth=0).
+          EXTRA=()
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            EXTRA=(--no-git)
+          fi
+
           gitleaks detect \
             --source="." \
             --redact \
             "${CFG[@]}" \
+            "${EXTRA[@]}" \
             --report-format="json" \
             --report-path="${OUT_DIR}/${OUT_JSON}" \
             2>&1 | tee "${OUT_DIR}/${OUT_LOG}"
 
-          # Create SARIF from JSON (single scan, dual outputs)
+          # Convert JSON -> SARIF (no re-scan)
           python3 - << 'PY'
           import json, os, sys
           out_dir = os.environ["OUT_DIR"]
           json_path = os.path.join(out_dir, os.environ["OUT_JSON"])
           sarif_path = os.path.join(out_dir, os.environ["OUT_SARIF"])
+          ver = os.environ.get("GITLEAKS_VERSION","0")
 
-          # Baseline SARIF skeleton
           sarif = {
             "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
             "version": "2.1.0",
             "runs": [{
-              "tool": {"driver": {"name": "gitleaks", "version": os.environ.get("GITLEAKS_VERSION","0")}},
+              "tool": {"driver": {"name": "gitleaks", "version": ver}},
               "results": []
             }]
           }
@@ -94,34 +102,34 @@ jobs:
             with open(json_path, "r", encoding="utf-8") as f:
               data = json.load(f)
           except Exception:
-            # If JSON missing or invalid, still write baseline SARIF
             with open(sarif_path, "w", encoding="utf-8") as f:
               json.dump(sarif, f, ensure_ascii=False, indent=2)
             sys.exit(0)
 
-          # Gitleaks JSON is typically a list of findings
           if isinstance(data, list):
             for item in data:
               file_path = item.get("File") or item.get("file") or item.get("Path") or ""
               start_line = item.get("StartLine") or item.get("startLine") or item.get("Line") or item.get("line") or 1
               rule_id = item.get("RuleID") or item.get("ruleID") or item.get("Rule") or "gitleaks"
               desc = item.get("Description") or item.get("description") or "Potential secret detected"
-              secret = item.get("Secret") or item.get("secret") or ""
-              # Keep message minimal (avoid reproducing secrets)
               msg = f"{desc} (rule: {rule_id})"
 
-              res = {
+              try:
+                start_line = int(start_line)
+              except Exception:
+                start_line = 1
+
+              sarif["runs"][0]["results"].append({
                 "ruleId": str(rule_id),
                 "level": "error",
                 "message": {"text": msg},
                 "locations": [{
                   "physicalLocation": {
                     "artifactLocation": {"uri": file_path},
-                    "region": {"startLine": int(start_line) if str(start_line).isdigit() else 1}
+                    "region": {"startLine": start_line}
                   }
                 }]
-              }
-              sarif["runs"][0]["results"].append(res)
+              })
 
           with open(sarif_path, "w", encoding="utf-8") as f:
             json.dump(sarif, f, ensure_ascii=False, indent=2)