fix(ci): replace gitleaks-action with manual install (#50)
## Summary `gitleaks/gitleaks-action@v2` is now paywalled for organisations — the action requires a `GITLEAKS_LICENSE` secret from gitleaks.io (commercial) or it errors out: ``` 🛑 missing gitleaks license. Go grab one at gitleaks.io and store it as a GitHub Secret named GITLEAKS_LICENSE. ``` Worse, on Gitea it cannot reliably detect personal-vs-org accounts (different API contract), so it defaults to license enforcement and the scan always fails. The **gitleaks binary itself stays MIT-licensed and free** — only the wrapper went commercial. Mirror the pattern from #45 (Trivy): drop the wrapper, install the binary directly via curl + tar, run the CLI. ## Scope of the PR The same two broken integrations existed in `.gitea/workflows/security-scheduled.yml` and would have failed silently at next Monday's cron. Fix both files in one PR for consistency. - **`ci.yml`** — gitleaks step replaced. Per-PR scan uses `--no-git --source .` (working tree only — the scan job uses a shallow checkout anyway). - **`security-scheduled.yml`** — both gitleaks AND trivy steps replaced; `fetch-depth: 0` added so gitleaks can do its **deep history scan** here (the value-add of the scheduled job over the per-PR gate); `cache: 'pnpm'` dropped from `actions/setup-node` (consistency with #8 — the act_runner cache server is unreachable from job containers). - `--redact` on both gitleaks invocations so any matched secret is masked in the CI log itself (avoids re-leaking via log artefacts). ## Trade-off Like Trivy, gitleaks version is now manually pinned. Same comment in the workflow points to releases for bumps. ## Test plan - [ ] `scan` job goes green end-to-end on this PR (audit ✓, Trivy ✓, gitleaks ✓). - [ ] `gitleaks version` line in the install step's logs shows `8.21.0`. - [ ] On `push` to main post-merge, scan stays green. - [ ] Trigger `security-scheduled` manually (Actions → Run workflow) to verify the deep-history scan path before next Monday's cron fires. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #50
This commit was merged in pull request #50.
This commit is contained in:
+33
-3
@@ -116,10 +116,40 @@ jobs:
|
|||||||
--exit-code 1 \
|
--exit-code 1 \
|
||||||
--severity CRITICAL,HIGH \
|
--severity CRITICAL,HIGH \
|
||||||
.
|
.
|
||||||
# Secret scan, same reasoning (gitleaks is a Go binary).
|
# Secret scan. Same install pattern as Trivy: gitleaks is a Go
|
||||||
- uses: gitleaks/gitleaks-action@v2
|
# binary, and the official `gitleaks/gitleaks-action@v2` wrapper
|
||||||
|
# is now paywalled for organisations (a GITLEAKS_LICENSE secret
|
||||||
|
# from gitleaks.io is required, otherwise the action errors out
|
||||||
|
# with `🛑 missing gitleaks license`). The binary itself stays
|
||||||
|
# MIT-licensed and free — installing it directly bypasses the
|
||||||
|
# wrapper and gives us version pinning for free.
|
||||||
|
- name: Install gitleaks
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
# Bump deliberately. Same caveat as TRIVY_VERSION above —
|
||||||
|
# not Renovate-tracked out of the box. Releases:
|
||||||
|
# https://github.com/gitleaks/gitleaks/releases.
|
||||||
|
GITLEAKS_VERSION: '8.21.0'
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||||
|
run: |
|
||||||
|
curl -sfL \
|
||||||
|
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||||
|
-o /tmp/gitleaks.tar.gz \
|
||||||
|
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
|
||||||
|
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
|
||||||
|
gitleaks version
|
||||||
|
- name: Run gitleaks
|
||||||
|
# `--no-git --source .` scans the working tree only. The scan
|
||||||
|
# job uses a shallow checkout, so a git-history scan would not
|
||||||
|
# see beyond HEAD anyway; the weekly security-scheduled
|
||||||
|
# workflow does the deep history scan with a full clone.
|
||||||
|
# `--redact` masks any matched secret in the log output so we
|
||||||
|
# do not leak it via the CI logs themselves.
|
||||||
|
run: |
|
||||||
|
gitleaks detect \
|
||||||
|
--no-git \
|
||||||
|
--source . \
|
||||||
|
--redact \
|
||||||
|
--exit-code 1
|
||||||
|
|
||||||
commits:
|
commits:
|
||||||
# PRs opened by Renovate (apf-portal-bot) carry commit messages
|
# PRs opened by Renovate (apf-portal-bot) carry commit messages
|
||||||
|
|||||||
@@ -15,24 +15,60 @@ jobs:
|
|||||||
full-tree-scan:
|
full-tree-scan:
|
||||||
runs-on: [self-hosted, on-prem]
|
runs-on: [self-hosted, on-prem]
|
||||||
steps:
|
steps:
|
||||||
|
# fetch-depth: 0 → full history. The per-PR gitleaks scan is
|
||||||
|
# shallow + working-tree-only; this scheduled job is where we
|
||||||
|
# do the deep history scan that catches secrets ever committed
|
||||||
|
# (and not just what's currently checked in).
|
||||||
- uses: actions/checkout@v6
|
- uses: actions/checkout@v6
|
||||||
|
with:
|
||||||
|
fetch-depth: 0
|
||||||
- uses: pnpm/action-setup@v6
|
- uses: pnpm/action-setup@v6
|
||||||
- uses: actions/setup-node@v6
|
- uses: actions/setup-node@v6
|
||||||
with:
|
with:
|
||||||
node-version-file: '.nvmrc'
|
node-version-file: '.nvmrc'
|
||||||
cache: 'pnpm'
|
|
||||||
- run: pnpm install --frozen-lockfile
|
- run: pnpm install --frozen-lockfile
|
||||||
- run: pnpm audit
|
- run: pnpm audit
|
||||||
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
|
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
|
||||||
# gate filters by severity for speed; this run wants the full
|
# gate filters by severity for speed; this run wants the full
|
||||||
# surface for the security feed).
|
# surface for the security feed). Manual install + curl, same
|
||||||
- uses: aquasecurity/trivy-action@master
|
# pattern as ci.yml — see the rationale there.
|
||||||
with:
|
- name: Install Trivy
|
||||||
scan-type: fs
|
|
||||||
ignore-unfixed: true
|
|
||||||
- uses: gitleaks/gitleaks-action@v2
|
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
TRIVY_VERSION: '0.70.0'
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||||
|
run: |
|
||||||
|
curl -sfL \
|
||||||
|
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||||
|
-o /tmp/trivy.tar.gz \
|
||||||
|
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
|
||||||
|
tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
|
||||||
|
trivy --version
|
||||||
|
- name: Run Trivy
|
||||||
|
run: |
|
||||||
|
trivy fs \
|
||||||
|
--scanners vuln \
|
||||||
|
--ignore-unfixed \
|
||||||
|
.
|
||||||
|
# Deep gitleaks scan (full git history). Same install pattern as
|
||||||
|
# ci.yml. `--redact` masks any matched secret in the log so we
|
||||||
|
# don't leak it via CI logs themselves.
|
||||||
|
- name: Install gitleaks
|
||||||
|
env:
|
||||||
|
GITLEAKS_VERSION: '8.21.0'
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||||
|
run: |
|
||||||
|
curl -sfL \
|
||||||
|
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||||
|
-o /tmp/gitleaks.tar.gz \
|
||||||
|
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
|
||||||
|
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
|
||||||
|
gitleaks version
|
||||||
|
- name: Run gitleaks (full history)
|
||||||
|
run: |
|
||||||
|
gitleaks detect \
|
||||||
|
--source . \
|
||||||
|
--redact \
|
||||||
|
--exit-code 1
|
||||||
|
|
||||||
lighthouse-prod:
|
lighthouse-prod:
|
||||||
# Skipped silently if the prod URL hasn't been configured yet.
|
# Skipped silently if the prod URL hasn't been configured yet.
|
||||||
@@ -44,7 +80,6 @@ jobs:
|
|||||||
- uses: actions/setup-node@v6
|
- uses: actions/setup-node@v6
|
||||||
with:
|
with:
|
||||||
node-version-file: '.nvmrc'
|
node-version-file: '.nvmrc'
|
||||||
cache: 'pnpm'
|
|
||||||
- run: pnpm install --frozen-lockfile
|
- run: pnpm install --frozen-lockfile
|
||||||
- run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3
|
- run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3
|
||||||
- run: pnpm exec lhci assert --config=./lighthouserc.js
|
- run: pnpm exec lhci assert --config=./lighthouserc.js
|
||||||
|
|||||||
Reference in New Issue
Block a user