85 changes: 0 additions & 85 deletions gitleaks/README.md

This file was deleted.

39 changes: 32 additions & 7 deletions gitleaks/action.yml
Expand Up @@ -51,17 +51,42 @@ runs:
echo "$install_dir" >> "$GITHUB_PATH"
gitleaks version

- name: Setup centralized config
shell: bash
run: |
set -euo pipefail
# Copy centralized config to temporary directory (safe for Werf/giterminism)
BASE_CONFIG="${{ github.action_path }}/config/gitleaks.base.toml"
if [[ -f "$BASE_CONFIG" ]]; then
cp "$BASE_CONFIG" "${RUNNER_TEMP}/gitleaks.base.toml"
echo "✅ Centralized config copied to ${RUNNER_TEMP}/gitleaks.base.toml"
else
echo "⚠️ Warning: Centralized config not found at $BASE_CONFIG"
exit 1
fi

- name: Check for optional config
id: config
shell: bash
run: |
set -euo pipefail
if [[ -f "gitleaks.toml" ]]; then
echo "config_arg=-c gitleaks.toml" >> "$GITHUB_OUTPUT"
echo "✅ Found config: gitleaks.toml"
if [[ -f ".gitleaks.toml" ]]; then
# Local config exists - check if it has [extend] section
if grep -q "^\[extend\]" .gitleaks.toml; then
# Has extend section - use as is
echo "config_arg=--config .gitleaks.toml" >> "$GITHUB_OUTPUT"
echo "✅ Found local config with [extend] section - using as is"
else
# No extend section - warn and ignore, use base config only
echo "⚠️ WARNING: Local config file .gitleaks.toml exists but does not contain [extend] section"
echo " We cannot be sure this is the expected extend configuration."
echo " Ignoring local config file and using base config only."
echo "config_arg=--config ${RUNNER_TEMP}/gitleaks.base.toml" >> "$GITHUB_OUTPUT"
fi
else
echo "config_arg=" >> "$GITHUB_OUTPUT"
echo "⚠️ Config file not found. Proceeding with default rules."
# Use centralized config only
echo "config_arg=--config ${RUNNER_TEMP}/gitleaks.base.toml" >> "$GITHUB_OUTPUT"
echo "🔹 Using centralized config only (no local customization)"
fi

- name: Gitleaks scan (full)
Expand All @@ -70,7 +95,7 @@ runs:
run: |
set -euo pipefail
CONFIG_ARG="${{ steps.config.outputs.config_arg }}"
gitleaks detect --no-banner --redact \
gitleaks detect --no-banner --redact --log-level debug \
--report-format json --report-path gitleaks.json \
$CONFIG_ARG \
--source .
Expand All @@ -86,7 +111,7 @@ runs:
echo "Base commit: $BASE_COMMIT"
echo "Scanning range: ${BASE_COMMIT}..HEAD"

gitleaks detect --no-banner --redact \
gitleaks detect --no-banner --redact --log-level debug \
--report-format json --report-path gitleaks.json \
--log-opts="${BASE_COMMIT}..HEAD" \
$CONFIG_ARG \
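Review bot: The `grep -q "^\[extend\]" .gitleaks.toml` check in the "Check for optional config" step accepts any local config that merely has an `[extend]` header, including one that extends some other file or sets `useDefault = false` without a `path`, so the "using as is" branch does not actually guarantee the centralized base rules are applied. Tightening the test to also require a reference to the copied base file would close that gap: `if grep -q "^\[extend\]" .gitleaks.toml && grep -q "gitleaks.base.toml" .gitleaks.toml; then`. The fallback branch that silently discards a non-conforming local config only prints a plain echo; emitting it as `echo "::warning::.gitleaks.toml ignored: no [extend] section"` would surface it in the job annotations where a repository owner will notice. The `--log-level debug` added to both scan steps (second and third hunks) is unconditional; if that was meant for troubleshooting this rollout, consider gating it on an action input so production runs stay quiet.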
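--- /dev/null
+++ b/gitleaks/config/gitleaks.base.toml
@@ -0,0 +1,57 @@
+# Centralized Gitleaks configuration for all Deckhouse repositories
+# This file is distributed via modules-actions/gitleaks action
+#
+# Repositories can extend this config by creating local .gitleaks.toml:
+# [extend]
+# useDefault = false
+# path = "/home/runner/work/_temp/gitleaks.base.toml"
+
+# Use default Gitleaks rules
+[extend]
+useDefault = true
+
+# Global allowlists
+[allowlist]
+
+# === Safe files/directories ===
+# NOTE: Use exact paths, NOT glob patterns like **/go.mod
+
+paths = [
+# Go dependencies - public hashes
+"go.mod",
+"go.sum",
+
+# Specific files with known false positives
+# "modules/101-cert-manager/docs/USAGE.md",
+# "modules/101-cert-manager/docs/USAGE_RU.md",
+]
+
+# === Safe patterns ===
+regexes = [
+# Go module checksums - always public
+'''h1:[A-Za-z0-9+/=]{40,}''',
+
+# Public certificates (only ca.crt, NOT private keys!)
+'''data:\s*\n\s*ca\.crt:\s*[A-Za-z0-9+/=\s]+''',
+
+# AWS Example values from official documentation - exact match
+'''AKIAIOSFODNN7EXAMPLE''',
+'''wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY''',
+]
+
+# Custom rules for hashi/openbao/werf tokens
+[[rules]]
+id = "werf-secret-key"
+description = "Identified a Werf Secret Key."
+regex = '''\b([a-f0-9]{32})\b'''
+path = '''\.werf_secret_key$'''
+
+[[rules]]
+id = "hashicorp-vault-token"
+description = "Identified a HashiCorp Vault token (hvs, hvb, or hvr prefix)."
+regex = '''\b(hv[sbr]\.[A-Za-z0-9_-]{20,})\b'''
+
+[[rules]]
+id = "openbao-token"
+description = "Identified an OpenBao token (S. prefix)."
+regex = '''\b(S\.[A-Za-z0-9_-]{20,})\b'''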
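Review bot: The `paths` entries `"go.mod"` and `"go.sum"` in `[allowlist]` are interpreted by gitleaks as regular expressions, not exact paths, so unanchored they also exclude any file whose path merely contains that substring (the `.` matches any character, so something like `mongo.models.ts` would be skipped); the NOTE above them says the opposite. Anchoring them keeps the intent: `'''(^|/)go\.mod$''',` and `'''(^|/)go\.sum$''',`. The extension example in the header comment hardcodes `path = "/home/runner/work/_temp/gitleaks.base.toml"`, while action.yml copies the file to `${RUNNER_TEMP}`; on self-hosted runners those can differ, so the comment should say the path must match the runner's `RUNNER_TEMP` rather than present the hosted-runner value as fixed. The `ca.crt` allowlist regex spans a newline, but allowlist regexes are by default compared against the captured secret rather than the surrounding text, so it may never match in practice — worth setting `regexTarget` explicitly or verifying against a sample finding.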