From 173aae6b66c3e067306cfa2ad0db330d36caf60d Mon Sep 17 00:00:00 2001
From: Roman Trofimenkov
Date: Fri, 21 Nov 2025 14:30:02 +0500
Subject: [PATCH 1/5] feat(gitleaks): add centralized config distribution

- Add gitleaks.base.toml with base rules from deckhouse/deckhouse
- Copy centralized config to ${RUNNER_TEMP} (safe for Werf/giterminism)
- Update config detection logic to use centralized config by default
- Support local .gitleaks.toml for repository-specific customization

This enables centralized rule management while keeping git state clean.

Signed-off-by: Roman Trofimenkov
---
 gitleaks/action.yml | 26 +++++++++++---
 gitleaks/config/gitleaks.base.toml | 57 ++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+), 5 deletions(-)
 create mode 100644 gitleaks/config/gitleaks.base.toml

diff --git a/gitleaks/action.yml b/gitleaks/action.yml
index 2dff017..5a10ee1 100644
--- a/gitleaks/action.yml
+++ b/gitleaks/action.yml
@@ -51,17 +51,33 @@ runs: echo "$install_dir" >> "$GITHUB_PATH" gitleaks version + - name: Setup centralized config + shell: bash + run: | + set -euo pipefail + # Copy centralized config to temporary directory (safe for Werf/giterminism) + BASE_CONFIG="${{ github.action_path }}/config/gitleaks.base.toml" + if [[ -f "$BASE_CONFIG" ]]; then + cp "$BASE_CONFIG" "${RUNNER_TEMP}/gitleaks.base.toml" + echo "✅ Centralized config copied to ${RUNNER_TEMP}/gitleaks.base.toml" + else + echo "⚠️ Warning: Centralized config not found at $BASE_CONFIG" + exit 1 + fi + - name: Check for optional config id: config shell: bash run: | set -euo pipefail - if [[ -f "gitleaks.toml" ]]; then - echo "config_arg=-c gitleaks.toml" >> "$GITHUB_OUTPUT" - echo "✅ Found config: gitleaks.toml" + if [[ -f ".gitleaks.toml" ]]; then + # Local config exists - it should extend the centralized one + echo "config_arg=--config .gitleaks.toml" >> "$GITHUB_OUTPUT" + echo "✅ Found local config: .gitleaks.toml (should extend base config)" else - echo "config_arg=" >> "$GITHUB_OUTPUT" - echo "⚠️ Config file not found. Proceeding with default rules." + # Use centralized config only + echo "config_arg=--config ${RUNNER_TEMP}/gitleaks.base.toml" >> "$GITHUB_OUTPUT" + echo "🔹 Using centralized config only (no local customization)" fi - name: Gitleaks scan (full) diff --git a/gitleaks/config/gitleaks.base.toml b/gitleaks/config/gitleaks.base.toml new file mode 100644 index 0000000..74c071f --- /dev/null +++ b/gitleaks/config/gitleaks.base.toml 
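Review bot: The new `config_arg` output now embeds a filesystem path (`--config ${RUNNER_TEMP}/gitleaks.base.toml`), and the scan steps outside this hunk expand it unquoted as `$CONFIG_ARG` so that flag and value word-split; a `RUNNER_TEMP` containing whitespace, which self-hosted runners permit, would break the gitleaks command line. Emitting only the path, `echo "config_path=${RUNNER_TEMP}/gitleaks.base.toml" >> "$GITHUB_OUTPUT"`, and passing `--config "${{ steps.config.outputs.config_path }}"` quoted in the scan steps avoids the split. Separately, the setup step's else branch labels a fatal condition as a warning right before `exit 1`; `echo "::error::Centralized config not found at $BASE_CONFIG"` would surface it as a failing annotation in the job instead of a warning line that is easy to miss.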
@@ -0,0 +1,57 @@
+# Centralized Gitleaks configuration for all Deckhouse repositories
+# This file is distributed via modules-actions/gitleaks action
+#
+# Repositories can extend this config by creating local .gitleaks.toml:
+# [extend]
+# useDefault = false
+# path = "${RUNNER_TEMP}/gitleaks.base.toml"
+
+# Use default Gitleaks rules
+[extend]
+useDefault = true
+
+# Global allowlists
+[allowlist]
+
+# === Safe files/directories ===
+# NOTE: Use exact paths, NOT glob patterns like **/go.mod
+
+paths = [
+ # Go dependencies - public hashes
+ "go.mod",
+ "go.sum",
+
+ # Specific files with known false positives
+ # "modules/101-cert-manager/docs/USAGE.md",
+ # "modules/101-cert-manager/docs/USAGE_RU.md",
+]
+
+# === Safe patterns ===
+regexes = [
+ # Go module checksums - always public
+ '''h1:[A-Za-z0-9+/=]{40,}''',
+
+ # Public certificates (only ca.crt, NOT private keys!)
+ '''data:\s*\n\s*ca\.crt:\s*[A-Za-z0-9+/=\s]+''',
+
+ # AWS Example values from official documentation - exact match
+ '''AKIAIOSFODNN7EXAMPLE''',
+ '''wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY''',
+]
+
+# Custom rules for hashi/openbao/werf tokens
+[[rules]]
+id = "werf-secret-key"
+description = "Identified a Werf Secret Key."
+regex = '''\b([a-f0-9]{32})\b'''
+path = '''\.werf_secret_key$'''
+
+[[rules]]
+id = "hashicorp-vault-token"
+description = "Identified a HashiCorp Vault token (hvs, hvb, or hvr prefix)."
+regex = '''\b(hv[sbr]\.[A-Za-z0-9_-]{20,})\b'''
+
+[[rules]]
+id = "openbao-token"
+description = "Identified an OpenBao token (S. prefix)."
+regex = '''\b(S\.[A-Za-z0-9_-]{20,})\b'''

From 23530b43dab1c0f22a042919707a65c6d8a327ad Mon Sep 17 00:00:00 2001
From: Roman Trofimenkov
Date: Mon, 24 Nov 2025 19:05:10 +0500
Subject: [PATCH 2/5] updated comment message, now it provides correct path

Signed-off-by: Roman Trofimenkov
---
 gitleaks/config/gitleaks.base.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
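Review bot: The `paths` allowlist entries are regular expressions in gitleaks, not exact paths, so `"go.mod"` and `"go.sum"` are unanchored and the `.` matches any character; they also exempt files such as `logo-mod.txt` or `cargo.sum.bak` from scanning. Anchoring them as `'''(^|/)go\.(mod|sum)$'''` keeps the intent (any go.mod/go.sum in the tree) without widening the exemption, and the NOTE comment above should say "regex" rather than "exact paths" so the next maintainer does not add more bare filenames. The `data:\s*\n\s*ca\.crt:` allowlist regex is, unless `regexTarget = "match"` or `"line"` is set, applied to the captured secret, which will not contain the `data:`/`ca.crt:` prefix, so this entry most likely never suppresses anything — verify it against a sample finding before keeping it. Lastly, the `openbao-token` rule anchors on an uppercase `S.` while legacy Vault service tokens used lowercase `s.`; confirm the OpenBao prefix casing, otherwise the rule is dead.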
diff --git a/gitleaks/config/gitleaks.base.toml b/gitleaks/config/gitleaks.base.toml index 74c071f..7e07054 100644 --- a/gitleaks/config/gitleaks.base.toml +++ b/gitleaks/config/gitleaks.base.toml @@ -4,7 +4,7 @@ # Repositories can extend this config by creating local .gitleaks.toml: # [extend] # useDefault = false -# path = "${RUNNER_TEMP}/gitleaks.base.toml" +# path = "/home/runner/work/_temp/gitleaks.base.toml" # Use default Gitleaks rules [extend] From 724a15d25085cf289338738e4bc506599fac7e10 Mon Sep 17 00:00:00 2001 From: Roman Trofimenkov Date: Tue, 25 Nov 2025 20:06:00 +0500 Subject: [PATCH 3/5] update gitleaks action Signed-off-by: Roman Trofimenkov --- gitleaks/action.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/gitleaks/action.yml b/gitleaks/action.yml index 5a10ee1..7099a0f 100644 --- a/gitleaks/action.yml +++ b/gitleaks/action.yml @@ -71,9 +71,18 @@ runs: run: | set -euo pipefail if [[ -f ".gitleaks.toml" ]]; then - # Local config exists - it should extend the centralized one - echo "config_arg=--config .gitleaks.toml" >> "$GITHUB_OUTPUT" - echo "✅ Found local config: .gitleaks.toml (should extend base config)" + # Local config exists - check if it has [extend] section + if grep -q "^\[extend\]" .gitleaks.toml; then + # Has extend section - use as is + echo "config_arg=--config .gitleaks.toml" >> "$GITHUB_OUTPUT" + echo "✅ Found local config with [extend] section - using as is" + else + # No extend section - warn and ignore, use base config only + echo "⚠️ WARNING: Local config file .gitleaks.toml exists but does not contain [extend] section" + echo " We cannot be sure this is the expected extend configuration." + echo " Ignoring local config file and using base config only." + echo "config_arg=--config ${RUNNER_TEMP}/gitleaks.base.toml" >> "$GITHUB_OUTPUT" + fi else # Use centralized config only echo "config_arg=--config ${RUNNER_TEMP}/gitleaks.base.toml" >> "$GITHUB_OUTPUT" 
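Review bot: The documented `path` now hard-codes `/home/runner/work/_temp/gitleaks.base.toml`, which is the `RUNNER_TEMP` of GitHub-hosted Linux runners only; a repository that copies this into its `.gitleaks.toml` and runs the action on a self-hosted runner points at a file that does not exist, and whether gitleaks then errors out or quietly runs without the base rules should be verified. Since gitleaks reads the TOML literally (which is why the earlier `${RUNNER_TEMP}` form could not work), the reliable guard belongs in the action's config step: extract the `path` value from the local file, e.g. `local_path=$(sed -nE 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/p' .gitleaks.toml)`, and fail with `[[ -f "$local_path" ]] || { echo "::error::extend path $local_path not found"; exit 1; }` so a copied-but-wrong path fails loudly. The comment should also state the assumption, e.g. `# path = "/home/runner/work/_temp/gitleaks.base.toml"  # RUNNER_TEMP on GitHub-hosted runners`.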
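Review bot: `grep -q "^\[extend\]" .gitleaks.toml` only proves an `[extend]` table exists; a local file with `[extend]` and `useDefault = true` but no `path` passes the check and is used as-is, so the centralized rules are never loaded — exactly the case the new warning branch is meant to catch. Tying acceptance to the base config rather than to the section header, `if grep -q '^\[extend\]' .gitleaks.toml && grep -qE '^[[:space:]]*path[[:space:]]*=.*gitleaks\.base\.toml' .gitleaks.toml; then`, closes that gap with one line. The warning is also printed with plain `echo`; `echo "::warning::Local .gitleaks.toml has no [extend] section; using base config only"` would show in the PR checks UI where the repository owner actually sees it. The step header for this `run:` block is above the hunk.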
From ac466759bc827fdaeb78c84484097479244490f8 Mon Sep 17 00:00:00 2001 From: Roman Trofimenkov Date: Wed, 26 Nov 2025 18:33:44 +0500 Subject: [PATCH 4/5] added debug log Signed-off-by: Roman Trofimenkov --- gitleaks/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gitleaks/action.yml b/gitleaks/action.yml index 7099a0f..3b8d0c9 100644 --- a/gitleaks/action.yml +++ b/gitleaks/action.yml @@ -95,7 +95,7 @@ runs: run: | set -euo pipefail CONFIG_ARG="${{ steps.config.outputs.config_arg }}" - gitleaks detect --no-banner --redact \ + gitleaks detect --no-banner --redact --log-level debug \ --report-format json --report-path gitleaks.json \ $CONFIG_ARG \ --source . @@ -111,7 +111,7 @@ runs: echo "Base commit: $BASE_COMMIT" echo "Scanning range: ${BASE_COMMIT}..HEAD" - gitleaks detect --no-banner --redact \ + gitleaks detect --no-banner --redact --log-level debug \ --report-format json --report-path gitleaks.json \ --log-opts="${BASE_COMMIT}..HEAD" \ $CONFIG_ARG \ From db099c0e6f740cc7643833c52b355ff95700e364 Mon Sep 17 00:00:00 2001 From: Roman Trofimenkov Date: Fri, 28 Nov 2025 15:03:53 +0500 Subject: [PATCH 5/5] remove legacy README.md Signed-off-by: Roman Trofimenkov --- gitleaks/README.md | 85 ---------------------------------------------- 1 file changed, 85 deletions(-) delete mode 100644 gitleaks/README.md diff --git a/gitleaks/README.md b/gitleaks/README.md deleted file mode 100644 index c78fad7..0000000 --- a/gitleaks/README.md +++ /dev/null 
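Review bot: `--log-level debug` is hard-coded into both the full-scan and the diff-scan invocations (the second hunk in this file as well), so every run of the action now emits debug-level output into the job log rather than only when a maintainer asks for it. Gating it on the runner's own debug switch keeps normal logs readable: `log_level=info; [[ "${RUNNER_DEBUG:-0}" == "1" ]] && log_level=debug` before the call and `--log-level "$log_level"` in it. Job logs are retained, so before shipping debug as the default confirm on a debug-level run that `--redact` also covers the additional log output and not only the findings report. Both `run:` blocks begin above their hunks.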
@@ -1,85 +0,0 @@ -# 🕵️ Gitleaks GitHub Action - -## 📌 Purpose - -GitHub Action for automatic secret scanning in code using [Gitleaks](https://github.com/gitleaks/gitleaks). Prevents leakage of tokens, keys, passwords, and other secrets into the repository. - -## ⚙️ Operation Modes - -### Diff scan (primary mode) -- **Automatically integrated** into general PR validation -- Scans **only changed files** and **only added lines** in PR -- Does not analyze commit history — eliminates false positives -- Does not check unchanged files — focuses on new code -- Uses `--no-git` for fast scanning - -### Full scan (additional mode) -- Runs on schedule or manually -- Scans the entire repository -- Suitable for periodic security audits - -## 🚀 Usage - -### Automatic Integration - -Diff scan is already integrated into general PR validation and works automatically. No additional configuration required. - -### Full Scanning (optional) - -If you need full scan, add to `.github/workflows/security-scan.yml`: - -```yaml -name: Security Scan - -on: - schedule: - - cron: "0 2 * * *" # daily at 02:00 UTC - workflow_dispatch: {} # manual trigger - -permissions: - contents: read - -jobs: - gitleaks-full: - runs-on: ubuntu-latest - steps: - - uses: deckhouse/modules-actions/gitleaks@main - with: - scan_mode: full -``` - -### Configuration (optional) - -To configure scanning rules, create `gitleaks.toml` in the repository root: -📎 - -Without config, built-in Gitleaks rules are used. 
- -## 📝 Parameters - -| Parameter | Description | Default | -|-----------|-------------|---------| -| `scan_mode` | Mode: `diff` or `full` | `full` | -| `gitleaks_version` | Gitleaks version | `v8.28.0` | -| `checkout_repo` | Repository for checkout | `${{ github.repository }}` | -| `checkout_ref` | SHA for checkout | `""` | -| `base_sha` | Base SHA for diff | `""` | - -## 🔧 Technical Features - -### Patch-based scanning (diff mode) -- Collects only changed files from PR -- Creates temporary tree with these files -- Scans without git history (`--no-git`) -- Filters findings only by added lines - -### Benefits -- **Minimal false positives** — doesn't find deleted secrets -- **Fast operation** — scans only changes -- **Accuracy** — focuses on new code in PR - -## 🐛 Troubleshooting - -**Many false positives**: use `diff` mode for PR checks -**Workflow fails**: check `contents: read` permissions -**Need configuration**: create `gitleaks.toml` in repository root