
Commit d3acd28

committed
Harden security scan with Gitleaks (enterprise-grade secret detection)
1 parent 449d6d9 commit d3acd28

1 file changed

Lines changed: 21 additions & 4 deletions

File tree

.github/workflows/build-module.yml

@@ -28,16 +28,33 @@ env:
2828
jobs:
2929

3030
security:
31-
name: Security Validation
31+
name: Security Validation (Hardened)
3232
runs-on: ubuntu-latest
3333

3434
steps:
3535
- uses: actions/checkout@v4
3636

37-
- name: Secret Scan
37+
- name: Install security tools
3838
run: |
39-
echo "Scanning repo..."
40-
! grep -R "PASSWORD\|TOKEN\|SECRET" -n . || exit 1
39+
sudo apt-get update
40+
sudo apt-get install -y curl git
41+
42+
# Enterprise-grade secret scanner
43+
- name: Run Gitleaks Scan
44+
uses: gitleaks/gitleaks-action@v2
45+
env:
46+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
47+
48+
# Backup static scan (non-fatal keyword filter)
49+
- name: Fallback Pattern Scan
50+
run: |
51+
echo "Running fallback scan..."
52+
53+
# Only fail on REAL secrets, not keywords in config
54+
if grep -RInE "AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z\-]{35}|-----BEGIN (RSA|OPENSSH) PRIVATE KEY-----" .; then
55+
echo "Hard secret detected"
56+
exit 1
57+
fi
4158
4259
- name: File Integrity Check
4360
run: |
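Review bot: The comment `# Backup static scan (non-fatal keyword filter)` contradicts the step it labels: the `Fallback Pattern Scan` step runs `exit 1` whenever the grep matches, so it is fatal, not a keyword filter. Either drop "non-fatal" from the comment or make the step report-only (warn and continue) if that was the intent. In the same step, `grep -RInE ... .` walks the `.git/` directory as well as the working tree; adding `--exclude-dir=.git` keeps the scan to checked-out files and leaves history scanning to Gitleaks, which is what it is for. The new `Install security tools` step runs `sudo apt-get install -y curl git`, but nothing in this hunk uses curl, and git is already present on the `ubuntu-latest` runner (and used by `actions/checkout@v4` just above), so the step adds runtime without adding coverage; consider removing it. Finally, `actions/checkout@v4` is used with its default shallow clone; for a scan that is meant to cover commit history, set `fetch-depth: 0` on the checkout step so Gitleaks can see more than the latest commit.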
