bug fix for PR, and minor updates (#42)

- bumped GH actions to the latest in workflows and docs
- updated rule for CSCAN0220 in the toml configs
- bug fix for Action not working on PRs #41

.github/workflows/docker.yml

@@ -19,14 +19,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Get repo owner
-        uses: actions/github-script@v5
+        uses: actions/github-script@v6
         id: repo_owner
         with:
           result-encoding: string
           script: return context.repo.owner.toLowerCase()
 
       - name: Get repo name
-        uses: actions/github-script@v5
+        uses: actions/github-script@v6
         id: repo_name
         with:
           result-encoding: string
@@ -61,15 +61,15 @@ jobs:
           echo "::set-output name=upgrade::true"
 
       - name: Log in to ghcr.io
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         if: steps.upgrade.outputs.upgrade == 'true'
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker image metadata
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         if: steps.upgrade.outputs.upgrade == 'true'
         with:
           images: "ghcr.io/${{ steps.repo_owner.outputs.result }}/${{ steps.repo_name.outputs.result }}"
@@ -82,7 +82,7 @@ jobs:
 
       - name: Build and push Docker image
         if: steps.upgrade.outputs.upgrade == 'true'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           tags: ${{ steps.docker_image_metadata.outputs.tags }}
           labels: ${{ steps.docker_image_metadata.outputs.labels }}

.github/workflows/gitleaks.yml

@@ -7,9 +7,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
-          fetch-depth: '0'
+          fetch-depth: "0"
 
       - name: Run Gitleaks
         id: gitleaks
@@ -28,6 +28,6 @@ jobs:
 
       - name: Upload SARIF report
         if: steps.gitleaks.outputs.exitcode == 1
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: ${{ steps.gitleaks.outputs.report }}

.gitignore

@@ -1,3 +1,4 @@
 .vscode
 .env
-commits.txt
+commits.txt
+gitleaks-report.*

.gitleaks/GitleaksUdmCombo.toml

@@ -27,7 +27,6 @@
 #              identifier                  assignment symbol
 #                                                                                Secret
 #
-
 title = "gitleaks config"
 
 [[rules]]
@@ -214,7 +213,7 @@ regex = '''(private\sconst\sstring\sAccessTokenSecret|private\sconst\sstring\sac
 id = "CSCAN0220 1"
 description = "DefaultPasswordContexts 1"
 path = '''\.(?:ps1|psm1|)$'''
-regex = '''ConvertTo-SecureString(?:\s*-String)?\s*"[^"\r?\n]+"'''
+regex = '''ConvertTo-SecureString(?:\s*-String)?\s*"[^$"\r?\n]+"'''
 [rules.allowlist]
 regex = ['''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
 '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''']

.gitleaks/UDMSecretChecks.toml

@@ -184,7 +184,7 @@ regex = '''(private\sconst\sstring\sAccessTokenSecret|private\sconst\sstring\sac
 id = "CSCAN0220 1"
 description = "DefaultPasswordContexts 1"
 path = '''\.(?:ps1|psm1|)$'''
-regex = '''ConvertTo-SecureString(?:\s*-String)?\s*"[^"\r?\n]+"'''
+regex = '''ConvertTo-SecureString(?:\s*-String)?\s*"[^$"\r?\n]+"'''
 [rules.allowlist]
 regex = ['''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
 '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''']

README.md

@@ -41,7 +41,7 @@ This GitHub Action provides a way to run [Gitleaks](https://github.com/zricethez
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     fetch-depth: "0"
 
@@ -62,7 +62,7 @@ This GitHub Action provides a way to run [Gitleaks](https://github.com/zricethez
 
 - name: Upload Gitleaks SARIF report to code scanning service
   if: steps.gitleaks.outputs.exitcode == 1
-  uses: github/codeql-action/upload-sarif@v1
+  uses: github/codeql-action/upload-sarif@v2
   with:
     sarif_file: ${{ steps.gitleaks.outputs.report }}
 ```
@@ -73,7 +73,7 @@ This GitHub Action provides a way to run [Gitleaks](https://github.com/zricethez
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     fetch-depth: "0"
 
@@ -84,7 +84,7 @@ This GitHub Action provides a way to run [Gitleaks](https://github.com/zricethez
     config: "MyGitleaksConfigs/MyGitleaksConfig.toml"
 
 - name: Upload Gitleaks JSON report to artifacts
-  uses: actions/upload-artifact@v2
+  uses: actions/upload-artifact@v3
   if: failure()
   with:
     name: gitleaks
@@ -103,7 +103,9 @@ Any feedback on `Gitleaks`, please reach out to [Zachary Rice](https://github.co
 
 Any feedback on the gitleaks config for Azure `UDMSecretChecks.toml` file is welcome. Follow Jesse Houwing's github repo - [gitleaks-azure](https://github.com/jessehouwing/gitleaks-azure).
 
-Any feedback or contribution to this project is welcome.
+Thanks to [C.J. May (@lawndoc)](https://github.com/lawndoc) for contributing 🤘
+
+Any feedback or contribution to this project is welcome!
 
 ## How do I remove a secret from git's history?
 

entrypoint.sh

@@ -71,7 +71,11 @@ command=$(arg "${command}" '--report-path %s' "${GITHUB_WORKSPACE}/gitleaks-repo
 
 if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
     command=$(arg "${command}" '--source %s' "${GITHUB_WORKSPACE}")
-    command=$(arg "${command}" '--log-opts "%s"' "--all ${GITHUB_HEAD_REF}...${GITHUB_BASE_REF}")
+
+    base_sha=$(git rev-parse "refs/remotes/origin/${GITHUB_BASE_REF}")
+    head_sha=$(git rev-parse "refs/remotes/pull/${GITHUB_REF_NAME}")
+
+    command=$(arg "${command}" '--log-opts "%s"' "${base_sha}^..${head_sha}")
 else
     command=$(arg "${command}" '--source %s' "${INPUT_SOURCE}")
     command=$(arg "${command}" '--no-git' "${INPUT_NO_GIT}")