gitleaks.yml

name: Gitleaks Scan
on: [push, pull_request]

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Install Gitleaks
      run: |
        curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.18.4/gitleaks_8.18.4_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks

    - name: Run Gitleaks
      run: |
        gitleaks detect --redact -v --exit-code=2 --report-format=sarif --report-path=results.sarif --log-level=debug
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        GITLEAKS_ENABLE_COMMENTS: 'true'
        GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

    - name: Upload SARIF report
      if: always()
      uses: actions/upload-artifact@v4
      with:
        name: gitleaks-results.sarif
        path: results.sarif
    
    - name: Output Gitleaks results to console
      if: always()
      run: |
        echo "### Gitleaks detected secrets" >> $GITHUB_STEP_SUMMARY
        jq -r '.runs[0].results[] | "🔴 *File:* \(.locations[].physicalLocation.artifactLocation.uri)\n  - *Secret:* \(.message.text)\n  - *Rule ID:* \(.ruleId)"' results.sarif >> $GITHUB_STEP_SUMMARY
        cat $GITHUB_STEP_SUMMARY
      #  cat results.sarif | jq '.runs[0].results[] | {message: .message.text, ruleId: .ruleId, locations: .locations[].physicalLocation.artifactLocation.uri}'
      continue-on-error: true