diff --git a/.github/workflows/secrets-scan-daily.yml b/.github/workflows/secrets-scan-daily.yml
new file mode 100644
index 000000000..32a480e93
--- /dev/null
+++ b/.github/workflows/secrets-scan-daily.yml
@@ -0,0 +1,80 @@
+name: Daily Secrets Detection
+
+on:
+ schedule:
+ # Run daily at 9:00 AM UTC
+ - cron: '0 9 * * *'
+ workflow_dispatch: # Allow manual triggering
+
+permissions:
+ contents: read
+ id-token: write # Required for SLSA attestation
+
+jobs:
+ onboard_workflow:
+ name: Onboard Chainloop Workflow
+ uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@6bbd1c2b3022e48ae60afa0c2b90f3b6d31bcf11
+ with:
+ project: "chainloop"
+ workflow_name: "daily-secrets-detection"
+ secrets:
+ api_token: ${{ secrets.CHAINLOOP_TOKEN }}
+
+ daily-secrets-scan:
+ name: Daily Secrets Scan
+ needs: onboard_workflow
+ runs-on: ubuntu-latest
+ env:
+ CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
+ CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }}
+ CHAINLOOP_PROJECT_NAME: ${{ needs.onboard_workflow.outputs.project_name }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Chainloop
+ run: |
+ curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --ee
+
+ - name: Initialize Attestation
+ run: |
+ chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT_NAME}
+
+ - name: Install Gitleaks
+ run: |
+ wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
+ mkdir -p /tmp/gitleaks-install
+ tar -xzf gitleaks_8.30.0_linux_x64.tar.gz -C /tmp/gitleaks-install
+ sudo install /tmp/gitleaks-install/gitleaks /usr/local/bin/
+ rm -rf /tmp/gitleaks-install gitleaks_8.30.0_linux_x64.tar.gz
+ gitleaks version
+
+ - name: Run Gitleaks Scan
+ run: |
+ gitleaks dir . \
+ --report-format json \
+ --report-path gitleaks-report.json \
+ --config .github/workflows/utils/.gitleaks.toml \
+ || true
+
+ - name: Add Gitleaks Report to Attestation
+ run: |
+ chainloop attestation add \
+ --name gitleaks-scan \
+ --value gitleaks-report.json \
+ --kind GITLEAKS_JSON
+
+ - name: Finish and Push Attestation
+ if: ${{ success() }}
+ run: |
+ chainloop attestation push
+
+ - name: Mark attestation as failed
+ if: ${{ failure() }}
+ run: |
+ chainloop attestation reset
+
+ - name: Mark attestation as cancelled
+ if: ${{ cancelled() }}
+ run: |
+ chainloop attestation reset --trigger cancellation
diff --git a/.github/workflows/utils/.gitleaks.toml b/.github/workflows/utils/.gitleaks.toml
new file mode 100644
index 000000000..e5b6fc6f8
--- /dev/null
+++ b/.github/workflows/utils/.gitleaks.toml
@@ -0,0 +1,11 @@
+title = "Gitleaks config"
+
+[extend]
+useDefault = true
+
+# Ignore test files and test directories
+[[allowlists]]
+paths = [
+ '''.*_test\..*''', # Test files
+ '''(^|/)testdata/.*''', # Testdata directories
+]
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 000000000..0cd2e4b18
--- /dev/null
+++ b/.gitleaksignore
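Review bot: The Gitleaks tarball fetched by `wget` in the Install Gitleaks step is extracted and installed without any integrity check, so the evidence this workflow attests (`gitleaks-report.json`) is produced by a binary whose provenance is only as strong as the download path, and the Chainloop CLI is likewise installed through `curl | bash` with no version pin. Verify the archive before `tar -xzf`, e.g. `echo "<EXPECTED_SHA256>  gitleaks_8.30.0_linux_x64.tar.gz" | sha256sum -c -` with the value taken from the v8.30.0 release's published checksums, and pin `actions/checkout@v4` to a commit SHA the way the `chainloop_onboard.yml` reference on the `uses:` line already is. Separately, the `|| true` on the Run Gitleaks Scan step hides tool errors (a wrong `--config` path, a crash) as well as findings, so a missing or empty report can still be added and pushed as attested evidence; gitleaks' `--exit-code 0` keeps the job green on findings while letting genuine failures surface in the `failure()` branch that already resets the attestation.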
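Review bot: The first allowlist pattern `'''.*_test\..*'''` is unanchored, so it excludes any path that contains `_test.` anywhere, not only test source files — a file such as `config/prod_test.env` (constructed example) would also be skipped by the scan. Anchoring it to the basename, `'''(^|/)[^/]+_test\.[^/]+$'''`, keeps the stated intent while narrowing the exclusion. The comment above `[[allowlists]]` should also record why test fixtures are considered safe to skip, since fixtures are a common place for real credentials to end up; something like `# Test files and testdata are excluded because fixtures hold intentionally fake credentials; review before broadening` documents the tradeoff for the next maintainer.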
@@ -0,0 +1,27 @@
+# .gitleaksignore
+#
+# This file contains fingerprints for verified false positives in gitleaks scans.
+# Format: file_path:rule_id:line_number
+
+# PostHog public API key
+app/cli/cmd/root.go:generic-api-key:413
+
+# Buf dependency version
+buf.yaml:generic-api-key:135
+
+# Development keys
+devel/devkeys/cas.pem:private-key:1
+devel/devkeys/ca.pem:private-key:1
+
+# Expired JWT token example in development documentation
+devel/README.md:jwt:162
+
+# Helm chart deployment documentation, example private keys, content redacted or truncated
+deployment/chainloop/README.md:private-key:231
+deployment/chainloop/charts/vault/README.md:private-key:96
+
+# Helm chart templates, development keys that cannot be generated
+deployment/chainloop/templates/_helpers.tpl:private-key:43
+
+# Helm values.yaml, field documentation example
+deployment/chainloop/values.yaml:private-key:114
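Review bot: Every entry pins its fingerprint to a line number (`path:rule_id:line`), so an unrelated edit above any of these lines silently invalidates the ignore, and a new finding that later lands on the same line of the same file is silently suppressed; entries such as `devel/devkeys/cas.pem:private-key:1` express a whole-file intent that is more robustly carried by a path allowlist in `.github/workflows/utils/.gitleaks.toml` (e.g. `'''^devel/devkeys/.*\.pem$'''`), which is stable across edits. The header comment could state this maintenance rule: `# Fingerprints are line-based: regenerate an entry whenever the referenced file changes, and prefer a path allowlist for whole files.` The `path:rule_id:line` shape corresponds to the filesystem (`gitleaks dir`) scan used in the workflow; if a git-history scan is ever added, its fingerprints take a different, commit-prefixed shape as far as I can tell, and these entries would not apply to it.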