From cf9065fca4fc9299e738c889516d96c7602c5bb5 Mon Sep 17 00:00:00 2001 From: Artur Tagisow Date: Wed, 15 Nov 2023 14:48:21 +0100 Subject: [PATCH] ENG-171 Run GitGuardian in CI as part of Unified CI in Integrations If you add the GitGuardian app globally to the org, it only scans code when a PR is opened. This doesn't protect us against the case where someone just creates a branch with plaintext credentials, *but doesn't create a PR*. Adding GitGuardian scans as a GitHub action with a "on push" trigger will make GitGuardian scan all code that appears in the repo, rather than just code which is part of a PR. To make this work, you will need to add GITGUARDIAN_API_KEY GitHub secret in each repository. Organization-wide GitHub secrets apply only on private repositories, so to cover all repos reliably you'll need to create a regular per-repo secret, not an org-wide one. --- .github/workflows/continuous-integration.yml | 22 ++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 241886b..19b6ddf 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -24,6 +24,28 @@ env: GCP_PROJECT_NAME: sf-artifacts-prod jobs: + name: GitGuardian scan + +on: [push, pull_request] + +jobs: + scanning: + name: GitGuardian scan + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 # fetch all history so multiple commits can be scanned + - name: GitGuardian scan + uses: GitGuardian/ggshield-action@v1.17.2 + env: + GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} + GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} + GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }} + GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} + run-ci: name: Run CI runs-on: ubuntu-latest