From 07c6b7509552cb86630cda079403d1b968ee417c Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 12:41:34 -0700 Subject: [PATCH 01/44] feat: create GitHub Action --- action.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 action.yml diff --git a/action.yml b/action.yml new file mode 100644 index 0000000..8f2b506 --- /dev/null +++ b/action.yml @@ -0,0 +1,22 @@ +--- +# Description +# +# USAGE +# +# - uses: git-secrets/TBD +name: git-secrets +description: Run git secrets +runs: + using: "composite" + steps: + - name: Checkout + uses: actions/checkout@v11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + repository: 'awslabs/git-secrets' + ref: 'ad82d68ee924906a0401dfd48de5057731a9bc84' #v1.3.0 + - name: Install + run: | + make install + - name: Scan + run: | + git secrets --scan $GITHUB_WORKSPACE From a83b486dba021edb13a42cd9da3ff073da56485e Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 12:53:06 -0700 Subject: [PATCH 02/44] Update action.yml --- action.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/action.yml b/action.yml index 8f2b506..bf289d5 100644 --- a/action.yml +++ b/action.yml @@ -17,6 +17,8 @@ runs: - name: Install run: | make install + shell: bash - name: Scan run: | git secrets --scan $GITHUB_WORKSPACE + shell: bash From 765d267c209e4bdd0a097a9ba6856ade0dba488b Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 12:54:01 -0700 Subject: [PATCH 03/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index bf289d5..158e565 100644 --- a/action.yml +++ b/action.yml 
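Review bot: The `Checkout` step checks out `awslabs/git-secrets` into `$GITHUB_WORKSPACE` with no `path:`, so the final `git secrets --scan $GITHUB_WORKSPACE` scans the git-secrets source tree rather than the repository that invoked the action, and the checkout replaces whatever the caller had already checked out. Give that checkout its own subdirectory, for example `path: git-secrets-src`, run `make install` from there, and scan the caller's checkout separately. Quoting the argument, `git secrets --scan "$GITHUB_WORKSPACE"`, also keeps the command intact for workspace paths containing spaces.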
@@ -10,7 +10,7 @@ runs: using: "composite" steps: - name: Checkout - uses: actions/checkout@v11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: repository: 'awslabs/git-secrets' ref: 'ad82d68ee924906a0401dfd48de5057731a9bc84' #v1.3.0 From a14a8cfe3fc5e302350d8651dcc82ec66462fa03 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 12:57:13 -0700 Subject: [PATCH 04/44] Update action.yml --- action.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 158e565..590f611 100644 --- a/action.yml +++ b/action.yml @@ -14,7 +14,10 @@ runs: with: repository: 'awslabs/git-secrets' ref: 'ad82d68ee924906a0401dfd48de5057731a9bc84' #v1.3.0 - - name: Install + - env: + PREFIX : ${{ runner.temp }}/git-secrets-prefix + MANPREFIX: ${{ runner.temp }}/git-secrets-manprefix + name: Install run: | make install shell: bash From 80138d61d24240c121f6c2f4f7bda9ede4da6f27 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 12:59:02 -0700 Subject: [PATCH 05/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 590f611..90a09b4 100644 --- a/action.yml +++ b/action.yml @@ -23,5 +23,5 @@ runs: shell: bash - name: Scan run: | - git secrets --scan $GITHUB_WORKSPACE + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan $GITHUB_WORKSPACE shell: bash From 0a13ea95713034f9468c06b7f7a607c6e557139a Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:00:10 -0700 Subject: [PATCH 06/44] Update action.yml --- action.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/action.yml b/action.yml index 90a09b4..7ee7695 100644 --- a/action.yml +++ b/action.yml 
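Review bot: `PREFIX : ${{ runner.temp }}/git-secrets-prefix` has a space before the colon, which yamllint's `colons` rule rejects and which is inconsistent with `MANPREFIX:` on the next line; write `PREFIX: ${{ runner.temp }}/git-secrets-prefix`. The same spacing reappears for `GIT_SECRETS_REPOSITORY_PATH :` in the later "constants" patch on this page. Leading the step with `env:` rather than `name:` also reads oddly next to the other steps, which all start with `name:`; keeping `name:` first makes the step list scannable.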
@@ -20,8 +20,12 @@ runs: name: Install run: | make install + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws shell: bash - name: Scan run: | + echo $GITHUB_WORKSPACE + ls $GITHUB_WORKSPACE ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan $GITHUB_WORKSPACE shell: bash From be9701f38655d90f22cf2fce9a8aabe9851d0914 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:03:11 -0700 Subject: [PATCH 07/44] Update action.yml --- action.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 7ee7695..585dbe3 100644 --- a/action.yml +++ b/action.yml @@ -17,12 +17,24 @@ runs: - env: PREFIX : ${{ runner.temp }}/git-secrets-prefix MANPREFIX: ${{ runner.temp }}/git-secrets-manprefix - name: Install + name: Make run: | make install + shell: bash + - name: Install + run: | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install + shell: bash + - name: Register + run: | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws shell: bash + - name: Debug + run: | + echo $GITHUB_WORKSPACE + ls -R $GITHUB_WORKSPACE + ls -l ${{ runner.temp }}/git-secrets-prefix/bin/ + shell: bash - name: Scan run: | echo $GITHUB_WORKSPACE From 1c32a3b60c050c9578fd03f19b66275255af0cc9 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:07:34 -0700 Subject: [PATCH 08/44] Update action.yml --- action.yml | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/action.yml b/action.yml index 585dbe3..f80dc42 100644 --- a/action.yml +++ b/action.yml 
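Review bot: The new `Debug` step runs `ls -R $GITHUB_WORKSPACE` unconditionally, which writes the full directory listing of the repository being scanned into the job log on every run without affecting the result. If the listing is useful while developing the action, gate the step with `if: runner.debug == '1'` so it only runs when step debug logging is enabled, or drop it before publishing. The `echo $GITHUB_WORKSPACE` and `ls $GITHUB_WORKSPACE` lines added to the `Scan` step in the preceding hunk on this line have the same effect.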
@@ -21,23 +21,30 @@ runs: run: | make install shell: bash + shell: bash + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + path: ${{ runner.temp }}/git-secrets-checkout + depth: 0 + - name: Debug + run: | + echo $GITHUB_WORKSPACE + ls -R $GITHUB_WORKSPACE + ls -R ${{ runner.temp }}/git-secrets-checkout + ls -l ${{ runner.temp }}/git-secrets-prefix/bin/ - name: Install run: | + cd ${{ runner.temp }}/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install shell: bash - name: Register run: | + cd ${{ runner.temp }}/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws shell: bash - - name: Debug - run: | - echo $GITHUB_WORKSPACE - ls -R $GITHUB_WORKSPACE - ls -l ${{ runner.temp }}/git-secrets-prefix/bin/ - shell: bash - name: Scan run: | - echo $GITHUB_WORKSPACE - ls $GITHUB_WORKSPACE - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan $GITHUB_WORKSPACE + cd ${{ runner.temp }}/git-secrets-checkout + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan $GITHUB_WORKSPACE shell: bash From 14a19cde1b5f4d68557041850715f08ab76b038d Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:08:17 -0700 Subject: [PATCH 09/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index f80dc42..c803ce2 100644 --- a/action.yml +++ b/action.yml @@ -21,7 +21,6 @@ runs: run: | make install shell: bash - shell: bash - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: @@ -33,6 +32,7 @@ runs: ls -R $GITHUB_WORKSPACE ls -R ${{ runner.temp }}/git-secrets-checkout ls -l ${{ runner.temp }}/git-secrets-prefix/bin/ + shell: bash - name: Install run: | cd ${{ runner.temp }}/git-secrets-checkout From d939a478911a822d78fab8d2204b29f0bb293db0 Mon Sep 17 00:00:00 2001 
From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:09:22 -0700 Subject: [PATCH 10/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index c803ce2..7025d26 100644 --- a/action.yml +++ b/action.yml @@ -25,7 +25,7 @@ runs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: path: ${{ runner.temp }}/git-secrets-checkout - depth: 0 + fetch-depth: 0 - name: Debug run: | echo $GITHUB_WORKSPACE From bb7774fad23efa207e19880e63ba955738593227 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:10:39 -0700 Subject: [PATCH 11/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 7025d26..ba9b335 100644 --- a/action.yml +++ b/action.yml @@ -24,7 +24,7 @@ runs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: - path: ${{ runner.temp }}/git-secrets-checkout + path: git-secrets-checkout fetch-depth: 0 - name: Debug run: | From 5882c017e151f1c66df1c8c5c70066586f65172e Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:11:06 -0700 Subject: [PATCH 12/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index ba9b335..82d5fcb 100644 --- a/action.yml +++ b/action.yml @@ -30,7 +30,7 @@ runs: run: | echo $GITHUB_WORKSPACE ls -R $GITHUB_WORKSPACE - ls -R ${{ runner.temp }}/git-secrets-checkout + ls -R $GITHUB_WORKSPACE/git-secrets-checkout ls -l ${{ runner.temp }}/git-secrets-prefix/bin/ shell: bash - name: Install From 6a8d9b1768660aab558a997ab898eb51946880dc Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:13:05 -0700 Subject: [PATCH 13/44] Update action.yml --- action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/action.yml b/action.yml index 82d5fcb..b0b3ce1 100644 
--- a/action.yml +++ b/action.yml @@ -35,16 +35,16 @@ runs: shell: bash - name: Install run: | - cd ${{ runner.temp }}/git-secrets-checkout + cd $GITHUB_WORKSPACE/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install shell: bash - name: Register run: | - cd ${{ runner.temp }}/git-secrets-checkout + cd $GITHUB_WORKSPACE/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws shell: bash - name: Scan run: | - cd ${{ runner.temp }}/git-secrets-checkout + cd $GITHUB_WORKSPACE/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan $GITHUB_WORKSPACE shell: bash From a402730f932061f06931a6e50493c2e0f3001628 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:18:17 -0700 Subject: [PATCH 14/44] Update action.yml --- action.yml | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/action.yml b/action.yml index b0b3ce1..681d198 100644 --- a/action.yml +++ b/action.yml 
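Review bot: Each of the three `run:` blocks in this hunk begins with `cd $GITHUB_WORKSPACE/git-secrets-checkout`, which is repeated boilerplate; composite `run` steps accept `working-directory: git-secrets-checkout` (relative to the workspace), which states the intent once per step and keeps the script body to the command itself. If the `cd` is kept, quote it, `cd "$GITHUB_WORKSPACE/git-secrets-checkout"`, so the step fails cleanly under `-e` rather than misbehaving on a path with spaces.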
@@ -28,23 +28,21 @@ runs: fetch-depth: 0 - name: Debug run: | - echo $GITHUB_WORKSPACE - ls -R $GITHUB_WORKSPACE - ls -R $GITHUB_WORKSPACE/git-secrets-checkout ls -l ${{ runner.temp }}/git-secrets-prefix/bin/ shell: bash - name: Install run: | cd $GITHUB_WORKSPACE/git-secrets-checkout + echo "Terminal is : $TERM" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install shell: bash - - name: Register - run: | - cd $GITHUB_WORKSPACE/git-secrets-checkout - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws - shell: bash - - name: Scan - run: | - cd $GITHUB_WORKSPACE/git-secrets-checkout - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan $GITHUB_WORKSPACE - shell: bash + # - name: Register + # run: | + # cd $GITHUB_WORKSPACE/git-secrets-checkout + # ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws + # shell: bash + # - name: Scan + # run: | + # cd $GITHUB_WORKSPACE/git-secrets-checkout + # ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan $GITHUB_WORKSPACE + # shell: bash From 9832b945d2d126a6fd83dda7d5067b190e467679 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:24:03 -0700 Subject: [PATCH 15/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 681d198..a224b68 100644 --- a/action.yml +++ b/action.yml @@ -13,7 +13,7 @@ runs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: repository: 'awslabs/git-secrets' - ref: 'ad82d68ee924906a0401dfd48de5057731a9bc84' #v1.3.0 + ref: '5357e18bc27b42a827b6780564ea873a72ca1f01' # 2025-06-30 because tags are outdated - env: PREFIX : ${{ runner.temp }}/git-secrets-prefix MANPREFIX: ${{ runner.temp }}/git-secrets-manprefix From a1bcd4cd418d867922539073569793013fadac2c Mon Sep 17 00:00:00 2001 
From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:25:26 -0700 Subject: [PATCH 16/44] Update action.yml --- action.yml | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/action.yml b/action.yml index a224b68..e3899b7 100644 --- a/action.yml +++ b/action.yml @@ -33,16 +33,15 @@ runs: - name: Install run: | cd $GITHUB_WORKSPACE/git-secrets-checkout - echo "Terminal is : $TERM" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install shell: bash - # - name: Register - # run: | - # cd $GITHUB_WORKSPACE/git-secrets-checkout - # ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws - # shell: bash - # - name: Scan - # run: | - # cd $GITHUB_WORKSPACE/git-secrets-checkout - # ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan $GITHUB_WORKSPACE - # shell: bash + - name: Register + run: | + cd $GITHUB_WORKSPACE/git-secrets-checkout + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws + shell: bash + - name: Scan + run: | + cd $GITHUB_WORKSPACE/git-secrets-checkout + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan + shell: bash From c99da7f0f162f488d3e38f741056c81f869792d7 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:32:09 -0700 Subject: [PATCH 17/44] Update action.yml --- action.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/action.yml b/action.yml index e3899b7..86a8bb7 100644 --- a/action.yml +++ b/action.yml @@ -19,6 +19,7 @@ runs: MANPREFIX: ${{ runner.temp }}/git-secrets-manprefix name: Make run: | + # make git-secrets make install shell: bash - name: Checkout 
@@ -26,22 +27,22 @@ runs: with: path: git-secrets-checkout fetch-depth: 0 - - name: Debug - run: | - ls -l ${{ runner.temp }}/git-secrets-prefix/bin/ - shell: bash - name: Install run: | + # install git-secrets cd $GITHUB_WORKSPACE/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install shell: bash - name: Register run: | + # register git-secrets cd $GITHUB_WORKSPACE/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws shell: bash - name: Scan run: | + # scan with git-secrets cd $GITHUB_WORKSPACE/git-secrets-checkout + export PATH=PATH:${{ runner.temp }}/git-secrets-prefix/bin/ ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan shell: bash From b3877e1470b5116de151ea50d05e59111cb473f9 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:33:02 -0700 Subject: [PATCH 18/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 86a8bb7..bb623ee 100644 --- a/action.yml +++ b/action.yml @@ -43,6 +43,6 @@ runs: run: | # scan with git-secrets cd $GITHUB_WORKSPACE/git-secrets-checkout - export PATH=PATH:${{ runner.temp }}/git-secrets-prefix/bin/ + export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan shell: bash From 0c2dde70e99128b0ef9355cecd3c3de4b2b177ec Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:47:06 -0700 Subject: [PATCH 19/44] Update action.yml --- action.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/action.yml b/action.yml index bb623ee..9e58e33 100644 --- a/action.yml +++ b/action.yml 
@@ -39,6 +39,19 @@ runs: cd $GITHUB_WORKSPACE/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws shell: bash + - name: List + run: | + # list git-secrets + cd $GITHUB_WORKSPACE/git-secrets-checkout + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list + shell: bash + - name: Test + run: | + # scan with git-secrets + cd $GITHUB_WORKSPACE/git-secrets-checkout + export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ + echo "ASAIZ1234567890123456" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - + shell: bash - name: Scan run: | # scan with git-secrets From e062b28254c71fa1df74cf9b615c046d94d931e7 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 14:49:00 -0700 Subject: [PATCH 20/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 9e58e33..a12c2fc 100644 --- a/action.yml +++ b/action.yml @@ -50,7 +50,7 @@ runs: # scan with git-secrets cd $GITHUB_WORKSPACE/git-secrets-checkout export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ - echo "ASAIZ1234567890123456" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - + echo "ASIA1234567890123456" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - shell: bash - name: Scan run: | From 6111444e0bb39cb6e1f2b85ece389dca144fa48f Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 15:24:41 -0700 Subject: [PATCH 21/44] Update action.yml --- action.yml | 83 +++++++++++++++++++++++++++++++++++------------------- 1 file changed, 54 insertions(+), 29 deletions(-) diff --git a/action.yml b/action.yml index a12c2fc..79b2eef 100644 --- a/action.yml +++ b/action.yml 
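Review bot: The `Test` step's `echo "ASAIZ1234567890123456" | … git-secrets --scan -` has its success condition inverted: `shell: bash` runs the script with `-e -o pipefail`, so a *detected* match (non-zero exit from `--scan -`) fails the step, while a sample that is not detected passes silently. The later `|| echo "simulated error"` and `|| echo "Detected secrets correctly"` variants (patches 27–29, 33 and 34 on this page) stop the failure but make the check unable to fail at all, and `||` cannot distinguish a detection from a crashed left-hand command in the pipeline. Write the self-test so that non-detection is the failure: `if echo "ASIA1234567890123456" | git-secrets --scan - >/dev/null 2>&1; then echo "::error::git-secrets self-test: sample key not detected"; exit 1; fi`.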
@@ -1,61 +1,86 @@ --- -# Description +# EXAMPLE USAGE # -# USAGE -# -# - uses: git-secrets/TBD -name: git-secrets -description: Run git secrets +# - uses: git-secrets/scan +# with: +# checkout: true +# version: '5357e18bc27b42a827b6780564ea873a72ca1f01' + +branding: + color: 'orange' + icon: 'activity' +description: Scan the repository history with git-secrets with register-aws +inputs: + checkout: + default: true + description: 'If "true" will checkout with fetch-depth equal to zero and all the rest defaults, if "false" assumed already checked out' + required: false + type: boolean + version: + default: '5357e18bc27b42a827b6780564ea873a72ca1f01' + description: 'The version or hash of git-secrets' + required: false + type: string +name: scan runs: - using: "composite" steps: - - name: Checkout + + - name: Checkout awslabs/git-secrets uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: repository: 'awslabs/git-secrets' - ref: '5357e18bc27b42a827b6780564ea873a72ca1f01' # 2025-06-30 because tags are outdated + ref: ${{ inputs.ref }} + path: $GITHUB_WORKSPACE/git-secrets-repository + - env: PREFIX : ${{ runner.temp }}/git-secrets-prefix MANPREFIX: ${{ runner.temp }}/git-secrets-manprefix - name: Make + name: Install git-secrets run: | # make git-secrets + cd $GITHUB_WORKSPACE/git-secrets-repository # MUST MATCH ABOVE make install shell: bash - - name: Checkout + + - name: Remove the awslabs/git-secrets Repository (don't scan itself) + run: | + # remove git-secrets repository + rm -r -f $GITHUB_WORKSPACE/git-secrets-repository # MUST MATCH ABOVE + shell: bash + + - if: inputs.checkout + name: Checkout the repository to scan history uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: - path: git-secrets-checkout - fetch-depth: 0 - - name: Install + fetch-depth: 0 # to scan history + + - name: Install git-secrets into the repository run: | # install git-secrets - cd $GITHUB_WORKSPACE/git-secrets-checkout + # cd 
$GITHUB_WORKSPACE/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install shell: bash - - name: Register + + - name: Register AWS for the respository run: | # register git-secrets - cd $GITHUB_WORKSPACE/git-secrets-checkout + # cd $GITHUB_WORKSPACE/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws shell: bash - - name: List + + - name: List the git-secrets for the repository run: | # list git-secrets - cd $GITHUB_WORKSPACE/git-secrets-checkout + # cd $GITHUB_WORKSPACE/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list shell: bash - - name: Test + + - name: Scan the history for the reposistory run: | # scan with git-secrets - cd $GITHUB_WORKSPACE/git-secrets-checkout + # cd $GITHUB_WORKSPACE/git-secrets-checkout export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ - echo "ASIA1234567890123456" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - - shell: bash - - name: Scan - run: | - # scan with git-secrets - cd $GITHUB_WORKSPACE/git-secrets-checkout - export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan-history shell: bash + + using: "composite" From 05d73eb305ba9fd918b883c3c5793e82ef04b9a7 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 15:27:55 -0700 Subject: [PATCH 22/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 79b2eef..fc379dd 100644 --- a/action.yml +++ b/action.yml @@ -30,7 +30,7 @@ runs: with: repository: 'awslabs/git-secrets' ref: ${{ inputs.ref }} - path: $GITHUB_WORKSPACE/git-secrets-repository + path: git-secrets-repository - env: PREFIX : ${{ runner.temp }}/git-secrets-prefix From f8fc42c92517a5ced85163b6da2e7a8d98bdbb4b Mon Sep 17 00:00:00 2001 
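Review bot: The first checkout passes `ref: ${{ inputs.ref }}`, but the only inputs declared in this hunk are `checkout` and `version`, so the expression resolves to an empty string and `actions/checkout` falls back to the default branch, silently discarding the commit pin that `default:` was meant to enforce; reference `inputs.version` or rename the input (the later "Add fetch-depth input" patch renames it, but the `# EXAMPLE USAGE` header still shows `version:`). `if: inputs.checkout` is also not a boolean test: action inputs are strings, and the string `'false'` is truthy in an expression, so the step always runs; write `if: ${{ inputs.checkout == 'true' }}`. As far as I know action metadata inputs accept only `description`, `required`, `default` and `deprecationMessage`, so the `type: boolean` / `type: string` keys are at best ignored — worth confirming against the metadata syntax before relying on them.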
From: Scott Schreckengaust Date: Mon, 30 Jun 2025 15:59:53 -0700 Subject: [PATCH 23/44] Update action.yml --- action.yml | 31 ++++--------------------------- 1 file changed, 4 insertions(+), 27 deletions(-) diff --git a/action.yml b/action.yml index fc379dd..e760273 100644 --- a/action.yml +++ b/action.yml @@ -38,13 +38,9 @@ runs: name: Install git-secrets run: | # make git-secrets - cd $GITHUB_WORKSPACE/git-secrets-repository # MUST MATCH ABOVE - make install - shell: bash - - - name: Remove the awslabs/git-secrets Repository (don't scan itself) - run: | - # remove git-secrets repository + cd $GITHUB_WORKSPACE/git-secrets-repository; # MUST MATCH ABOVE + make install; + cd $GITHUB_WORKSPACE rm -r -f $GITHUB_WORKSPACE/git-secrets-repository # MUST MATCH ABOVE shell: bash @@ -57,29 +53,10 @@ runs: - name: Install git-secrets into the repository run: | # install git-secrets - # cd $GITHUB_WORKSPACE/git-secrets-checkout + export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install - shell: bash - - - name: Register AWS for the respository - run: | - # register git-secrets - # cd $GITHUB_WORKSPACE/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws - shell: bash - - - name: List the git-secrets for the repository - run: | - # list git-secrets - # cd $GITHUB_WORKSPACE/git-secrets-checkout ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list - shell: bash - - - name: Scan the history for the reposistory - run: | - # scan with git-secrets - # cd $GITHUB_WORKSPACE/git-secrets-checkout - export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan-history shell: bash From 6fab6e86d764d99a117738b827c6e9b3e350ceff Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 16:01:08 -0700 Subject: [PATCH 24/44] Update action.yml --- action.yml | 2 ++ 1 file changed, 2 insertions(+) 
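Review bot: In the consolidated `Install git-secrets into the repository` step, `git-secrets --install` and `--register-aws` write hooks and config into whatever repository is at `$GITHUB_WORKSPACE`, and with `checkout: false` nothing in this action guarantees one is there; a guard such as `git rev-parse --git-dir >/dev/null 2>&1 || { echo "::error::no git repository in the workspace; use checkout: true or check out first"; exit 1; }` turns an opaque hook-install failure into an actionable message. In the `Install git-secrets` step the trailing `;` on `cd …;` and `make install;` are unnecessary in a block scalar with one command per line and inconsistent with the lines that follow. The `export PATH=…` added here is scoped to this step's shell, so the absolute `${{ runner.temp }}/git-secrets-prefix/bin/` prefix on every invocation is still what makes the commands resolve; appending the bin directory to `$GITHUB_PATH` once in the build step would make both the export and the prefixes unnecessary.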
diff --git a/action.yml b/action.yml index e760273..38fc24b 100644 --- a/action.yml +++ b/action.yml @@ -57,6 +57,8 @@ runs: ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list + echo "ANPAJ2UCCR6DPCEXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan-history shell: bash From 9fc8bcabff1d6a71be4b870895aa0d76bb392abd Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 16:11:44 -0700 Subject: [PATCH 25/44] Update action.yml --- action.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 38fc24b..44e3ec4 100644 --- a/action.yml +++ b/action.yml @@ -57,8 +57,7 @@ runs: ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list - echo "ANPAJ2UCCR6DPCEXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - + echo "AKIAI44QH8DHBEXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan-history shell: bash From cbc2a64865bbb0d191f980f0c93f02c223dcf724 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 16:13:30 -0700 Subject: [PATCH 26/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 44e3ec4..d3d387f 100644 --- a/action.yml +++ b/action.yml 
@@ -57,7 +57,7 @@ runs: ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list - echo "AKIAI44QH8DHBEXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - + echo "ANPAJ2UCCR6DPCEXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan-history shell: bash From a8e00766728e33efd7a16bd8cf8cb5cc5d5ede04 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 17:52:18 -0700 Subject: [PATCH 27/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index d3d387f..5cd3b49 100644 --- a/action.yml +++ b/action.yml @@ -57,7 +57,7 @@ runs: ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list - echo "ANPAJ2UCCR6DPCEXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - + echo "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "simulated error" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan-history shell: bash From 07fe33f47869c65154973678964951e4668237db Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 17:54:07 -0700 Subject: [PATCH 28/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 5cd3b49..17ea24c 100644 --- a/action.yml +++ b/action.yml 
@@ -57,7 +57,7 @@ runs: ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list - echo "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "simulated error" + echo "AKIAI44QH8DHBEXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "simulated error" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan-history shell: bash From f3a81e332ee97fa6f7a8ce389c029cdf4a82b275 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 30 Jun 2025 17:58:17 -0700 Subject: [PATCH 29/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 17ea24c..5cd3b49 100644 --- a/action.yml +++ b/action.yml @@ -57,7 +57,7 @@ runs: ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list - echo "AKIAI44QH8DHBEXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "simulated error" + echo "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "simulated error" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan-history shell: bash From 24749fab97f0402c52b7a5a2c1317bfed08be1dc Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Tue, 2 Dec 2025 18:54:44 -0800 Subject: [PATCH 30/44] Add fetch-depth input to action.yml --- action.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 5cd3b49..8040014 100644 --- a/action.yml +++ b/action.yml 
@@ -16,7 +16,12 @@ inputs: description: 'If "true" will checkout with fetch-depth equal to zero and all the rest defaults, if "false" assumed already checked out' required: false type: boolean - version: + fetch-depth: + default: '0' + description: 'If "true" will checkout with fetch-depth equal to zero and all the rest defaults, if "false" assumed already checked out' + required: false + type: string + ref: default: '5357e18bc27b42a827b6780564ea873a72ca1f01' description: 'The version or hash of git-secrets' required: false @@ -48,7 +53,7 @@ runs: name: Checkout the repository to scan history uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: - fetch-depth: 0 # to scan history + fetch-depth: ${{ inputs.fetch-depth }} # to scan history - name: Install git-secrets into the repository run: | From 315c844d16115bd748dbde9a04390790fd88e960 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Tue, 2 Dec 2025 19:26:56 -0800 Subject: [PATCH 31/44] List contents of git-secrets-repository Add a command to list contents of git-secrets-repository --- action.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/action.yml b/action.yml index 8040014..6f20733 100644 --- a/action.yml +++ b/action.yml @@ -36,6 +36,8 @@ runs: repository: 'awslabs/git-secrets' ref: ${{ inputs.ref }} path: git-secrets-repository + - run: | + ls $GITHUB_WORKSPACE/git-secrets-repository; - env: PREFIX : ${{ runner.temp }}/git-secrets-prefix From 3c11ee474278a8211edcdbd738a6f8cfa277fd87 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Tue, 2 Dec 2025 19:27:53 -0800 Subject: [PATCH 32/44] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 6f20733..a1530ca 100644 --- a/action.yml +++ b/action.yml 
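Review bot: The new `fetch-depth` input reuses the `checkout` input's description verbatim ('If "true" will checkout with fetch-depth equal to zero…'), which describes a different input; something like `description: 'fetch-depth passed to actions/checkout; 0 (the default) fetches full history, which --scan-history needs'` documents what the value actually controls. Renaming `version` to `ref` makes the existing `ref: ${{ inputs.ref }}` resolve, but the `# EXAMPLE USAGE` comment at the top of the file (outside this hunk) still shows `version:`, so users copying it pass an input the action no longer declares. A non-zero depth combined with `--scan-history` silently scans only the fetched part of history; that caveat belongs in the description as well.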
@@ -38,7 +38,7 @@ runs: path: git-secrets-repository - run: | ls $GITHUB_WORKSPACE/git-secrets-repository; - + shell: bash - env: PREFIX : ${{ runner.temp }}/git-secrets-prefix MANPREFIX: ${{ runner.temp }}/git-secrets-manprefix From c94090734ae3ce0b6140fe6929362465fe1103ab Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Tue, 2 Dec 2025 19:40:57 -0800 Subject: [PATCH 33/44] Update action.yml --- action.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index a1530ca..5b61b08 100644 --- a/action.yml +++ b/action.yml @@ -61,10 +61,17 @@ runs: run: | # install git-secrets export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ + + echo "Install git-secrets" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install + echo "Register AWS" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws + echo "List git-secrets" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list - echo "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "simulated error" + echo "Simulate a skipped secret" + echo "AKIAIOSFODNN7EXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "simulated error" + echo "Simulate a skipped real secret" + echo "AKIAEXAMPLE77EXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "simulated error" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan-history shell: bash From 3dc1140109fab21150c40c938224b214f3a92692 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Wed, 3 Dec 2025 16:34:28 -0800 Subject: [PATCH 34/44] Done --- action.yml | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/action.yml b/action.yml index 5b61b08..f173fde 100644 --- a/action.yml +++ b/action.yml 
@@ -26,6 +26,14 @@ inputs: description: 'The version or hash of git-secrets' required: false type: string + scan-type: + default: '--scan-history' + description: 'The type of scan' + required: false + type: choice + options: + - '--scan-history' + - '--scan' name: scan runs: steps: @@ -66,13 +74,17 @@ runs: ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install echo "Register AWS" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws + + echo "Test AWS Secrets Detection" + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --aws-provider | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "Detected secrets correctly" + echo "List git-secrets" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list - echo "Simulate a skipped secret" - echo "AKIAIOSFODNN7EXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "simulated error" - echo "Simulate a skipped real secret" - echo "AKIAEXAMPLE77EXAMPLE" | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "simulated error" - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan-history + shell: bash + + - name: Scan with git-secrets + run: | + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets ${{ inputs.scan-type }} shell: bash using: "composite" From 6ffe091a5f7ff161d45e15580f5abc58617d4c77 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Wed, 3 Dec 2025 16:37:31 -0800 Subject: [PATCH 35/44] Update action.yml --- action.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index f173fde..0de3809 100644 --- a/action.yml +++ b/action.yml @@ -83,7 +83,9 @@ runs: shell: bash - name: Scan with git-secrets - run: | + run: | + export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ + ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets ${{ inputs.scan-type }} shell: bash From b8e2fc147d62ad3812a1c6ed5d0f8e7f8039faf1 Mon Sep 17 00:00:00 2001 
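Review bot: The new scan step in the `@@ -66,13 +74,17 @@` hunk interpolates `${{ inputs.scan-type }}` straight into the `run:` script, so the value is substituted into the shell text before bash parses it; `options:` (added in the first hunk) is workflow_dispatch syntax and, as far as I know, is not enforced for action metadata inputs, so any string a caller passes reaches the shell unvalidated. Route the input through `env:` and accept only the two supported flags, as in the fence. Separately, the new self-test `… --aws-provider | … --scan - || echo "Detected secrets correctly"` still cannot fail the step, and it only exercises detection if `--aws-provider` emits patterns on the runner, which presumably needs a credentials file there; with empty input `--scan -` passes silently. The scan step's `shell:` and the closing `using: "composite"` line end the hunk.
```yaml
      - name: Scan with git-secrets
        env:
          SCAN_TYPE: ${{ inputs.scan-type }}
        run: |
          # accept only the documented flags before the value reaches the shell
          case "$SCAN_TYPE" in
            --scan|--scan-history) ;;
            *) echo "::error::unsupported scan-type: $SCAN_TYPE"; exit 1 ;;
          esac
          ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets "$SCAN_TYPE"
        shell: bash
```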
From: Scott Schreckengaust Date: Thu, 4 Dec 2025 07:58:05 -0800 Subject: [PATCH 36/44] constants --- action.yml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/action.yml b/action.yml index 0de3809..627028f 100644 --- a/action.yml +++ b/action.yml @@ -35,6 +35,8 @@ inputs: - '--scan-history' - '--scan' name: scan +env: + GIT_SECRETS_REPOSITORY_PATH : git-secrets-repository runs: steps: @@ -43,20 +45,21 @@ runs: with: repository: 'awslabs/git-secrets' ref: ${{ inputs.ref }} - path: git-secrets-repository + path: $GIT_SECRETS_REPOSITORY_PATH - run: | - ls $GITHUB_WORKSPACE/git-secrets-repository; + ls $GITHUB_WORKSPACE/$GIT_SECRETS_REPOSITORY_PATH; shell: bash - env: PREFIX : ${{ runner.temp }}/git-secrets-prefix MANPREFIX: ${{ runner.temp }}/git-secrets-manprefix - name: Install git-secrets + name: Make git-secrets run: | - # make git-secrets - cd $GITHUB_WORKSPACE/git-secrets-repository; # MUST MATCH ABOVE + # Make git-secrets + cd $GITHUB_WORKSPACE/$GIT_SECRETS_REPOSITORY_PATH; # MUST MATCH ABOVE make install; cd $GITHUB_WORKSPACE - rm -r -f $GITHUB_WORKSPACE/git-secrets-repository # MUST MATCH ABOVE + rm -r -f $GITHUB_WORKSPACE/$GIT_SECRETS_REPOSITORY_PATH # MUST MATCH ABOVE + echo "${{ runner.temp }}/git-secrets-prefix/bin/" >> "$GITHUB_PATH" shell: bash - if: inputs.checkout @@ -68,7 +71,8 @@ runs: - name: Install git-secrets into the repository run: | # install git-secrets - export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ + echo $PATH + # export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ echo "Install git-secrets" ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install @@ -84,7 +88,7 @@ runs: - name: Scan with git-secrets run: | - export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ + # export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets ${{ inputs.scan-type }} shell: bash 
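Review bot: `path: $GIT_SECRETS_REPOSITORY_PATH` under `with:` in the `@@ -43,20 +45,21 @@` hunk is not shell-expanded by the runner, so actions/checkout receives the literal string and creates a directory named `$GIT_SECRETS_REPOSITORY_PATH`, while the `run:` steps that do expand it operate on a different path; use the expression form, `path: ${{ env.GIT_SECRETS_REPOSITORY_PATH }}`, as the file already does for `ref`. The top-level `env:` block added in the `@@ -35,6 +35,8 @@` hunk is workflow syntax and, as far as I know, is not read from action metadata, so the variable may be undefined in every step; writing it to `$GITHUB_ENV` in a first step is the composite-action way. The `GIT_SECRETS_REPOSITORY_PATH :` and `PREFIX :` keys carry a space before the colon, which yamllint flags; `GIT_SECRETS_REPOSITORY_PATH:` is the conventional form.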
From 1ef9b19e2cd210728abf53783fc7388b70c5f5fc Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 4 Dec 2025 08:00:13 -0800 Subject: [PATCH 37/44] env --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 627028f..c283658 100644 --- a/action.yml +++ b/action.yml @@ -45,7 +45,7 @@ runs: with: repository: 'awslabs/git-secrets' ref: ${{ inputs.ref }} - path: $GIT_SECRETS_REPOSITORY_PATH + path: ${{ env.GIT_SECRETS_REPOSITORY_PATH }} - run: | ls $GITHUB_WORKSPACE/$GIT_SECRETS_REPOSITORY_PATH; shell: bash From 14a9e73ac612b2966dbd4ec50af103dbf665affe Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 4 Dec 2025 08:03:55 -0800 Subject: [PATCH 38/44] pwd --- action.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index c283658..0815c5d 100644 --- a/action.yml +++ b/action.yml @@ -46,8 +46,10 @@ runs: repository: 'awslabs/git-secrets' ref: ${{ inputs.ref }} path: ${{ env.GIT_SECRETS_REPOSITORY_PATH }} - - run: | + - run: | ls $GITHUB_WORKSPACE/$GIT_SECRETS_REPOSITORY_PATH; + cd $GITHUB_WORKSPACE/$GIT_SECRETS_REPOSITORY_PATH; + pwd shell: bash - env: PREFIX : ${{ runner.temp }}/git-secrets-prefix From 1f3c06f9f958c3986f29b046fe2fe0b30579a095 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 4 Dec 2025 08:41:11 -0800 Subject: [PATCH 39/44] consolidated --- action.yml | 66 +++++++++++++++++++++++++----------------------------- 1 file changed, 31 insertions(+), 35 deletions(-) diff --git a/action.yml b/action.yml index 0815c5d..d7beb6a 100644 --- a/action.yml +++ b/action.yml @@ -1,11 +1,14 @@ --- +# Scan with git-secrets +# # EXAMPLE USAGE # -# - uses: git-secrets/scan +# - uses: awslabs/git-secrets # with: # checkout: true -# version: '5357e18bc27b42a827b6780564ea873a72ca1f01' - +# fetch-depth: 0 +# ref: 'main' +# scan-type: '--scan-history' branding: color: 'orange' icon: 'activity' 
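Review bot: The usage example `# - uses: awslabs/git-secrets` in the `@@ -1,11 +1,14 @@` hunk has no `@ref`, which a workflow `uses:` line requires for a remote action, so the example cannot be pasted as-is; it should show a pinned ref, ideally a commit SHA with the tag in a trailing comment, matching how this file pins `actions/checkout`, e.g. `# - uses: awslabs/git-secrets@<commit-sha>  # v<tag>` with the placeholders filled in at release time. The example also shows `fetch-depth: 0` while the input is declared as a string defaulting to `'0'`; `fetch-depth: '0'` keeps the two consistent.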
@@ -13,17 +16,17 @@ description: Scan the repository history with git-secrets with register-aws inputs: checkout: default: true - description: 'If "true" will checkout with fetch-depth equal to zero and all the rest defaults, if "false" assumed already checked out' + description: 'If "true" will checkout, otherwise the GITHUB_WORKSPACE already checked out' required: false type: boolean fetch-depth: default: '0' - description: 'If "true" will checkout with fetch-depth equal to zero and all the rest defaults, if "false" assumed already checked out' + description: 'The fetch-depth if `checkout` is "true", ignored otherwise' required: false type: string ref: - default: '5357e18bc27b42a827b6780564ea873a72ca1f01' - description: 'The version or hash of git-secrets' + default: 'main' # '5357e18bc27b42a827b6780564ea873a72ca1f01' + description: 'The version, ref, or hash of awslabs/git-secrets to use' required: false type: string scan-type: @@ -35,20 +38,23 @@ inputs: - '--scan-history' - '--scan' name: scan -env: - GIT_SECRETS_REPOSITORY_PATH : git-secrets-repository runs: steps: - + - name: Setup environmental variables + run: | + # Setup environmental variables + echo "GIT_SECRETS_REPOSITORY_PATH=${{ runner.temp }}/git-secrets-repository" >> "$GITHUB_ENV" + shell: bash - name: Checkout awslabs/git-secrets uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: repository: 'awslabs/git-secrets' ref: ${{ inputs.ref }} - path: ${{ env.GIT_SECRETS_REPOSITORY_PATH }} - - run: | - ls $GITHUB_WORKSPACE/$GIT_SECRETS_REPOSITORY_PATH; - cd $GITHUB_WORKSPACE/$GIT_SECRETS_REPOSITORY_PATH; + path: $GIT_SECRETS_REPOSITORY_PATH + - name: Remove this later + run: | + ls $GIT_SECRETS_REPOSITORY_PATH; + cd $GIT_SECRETS_REPOSITORY_PATH; pwd shell: bash - env: 
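Review bot: Changing the `ref` default from the pinned commit `5357e18bc27b42a827b6780564ea873a72ca1f01` to `'main'` means the scanner is built from whatever the branch head holds at run time, while the same file pins `actions/checkout` to a full SHA; for a security tool that is the weaker choice, and patch 42 later moves the default to `''` (the default branch), which has the same property. Keep a commit SHA as the default and let callers override it via `ref`, e.g. `default: '5357e18bc27b42a827b6780564ea873a72ca1f01'  # awslabs/git-secrets commit this action was tested against`. The new `checkout` description could also say what happens when it is false: `'If "true" the action checks out the repository; otherwise GITHUB_WORKSPACE is assumed to hold it already'`.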
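Review bot: `path: $GIT_SECRETS_REPOSITORY_PATH` under `with:` in the `@@ -35,20 +38,23 @@` hunk reverts patch 37's fix: `with:` values are not shell-expanded, so actions/checkout gets the literal string while the later `run:` steps expand the variable to a different path; it should stay `path: ${{ env.GIT_SECRETS_REPOSITORY_PATH }}`, which works now that the new first step writes the variable to `$GITHUB_ENV`. The step named `Remove this later` (ls/cd/pwd) is debugging output and, as its name says, should not ship. The hunk's last line, `- env:`, opens the next step, which continues outside the hunk.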
@@ -57,42 +63,32 @@ runs: name: Make git-secrets run: | # Make git-secrets - cd $GITHUB_WORKSPACE/$GIT_SECRETS_REPOSITORY_PATH; # MUST MATCH ABOVE + cd $GIT_SECRETS_REPOSITORY_PATH make install; cd $GITHUB_WORKSPACE - rm -r -f $GITHUB_WORKSPACE/$GIT_SECRETS_REPOSITORY_PATH # MUST MATCH ABOVE - echo "${{ runner.temp }}/git-secrets-prefix/bin/" >> "$GITHUB_PATH" + rm -r -f $GIT_SECRETS_REPOSITORY_PATH + echo "$PREFIX/bin/" >> "$GITHUB_PATH" shell: bash - - if: inputs.checkout name: Checkout the repository to scan history uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: fetch-depth: ${{ inputs.fetch-depth }} # to scan history - - - name: Install git-secrets into the repository + - name: Install git-secrets run: | - # install git-secrets + # Install git-secrets echo $PATH - # export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ - echo "Install git-secrets" - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --install + git-secrets --install echo "Register AWS" - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --register-aws - - echo "Test AWS Secrets Detection" - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --aws-provider | ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --scan - || echo "Detected secrets correctly" - + git-secrets --register-aws echo "List git-secrets" - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets --list + git-secrets --list shell: bash - - name: Scan with git-secrets run: | - # export PATH=$PATH:${{ runner.temp }}/git-secrets-prefix/bin/ - - ${{ runner.temp }}/git-secrets-prefix/bin/git-secrets ${{ inputs.scan-type }} + # Scan with git-secrets + echo "Scan with git-secrets" + git-secrets ${{ inputs.scan-type }} shell: bash - using: "composite" From eaf29fdd6e21a57753ca4d2e2bec136885b55799 Mon Sep 17 00:00:00 2001 
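Review bot: The new `cd $GIT_SECRETS_REPOSITORY_PATH` and `rm -r -f $GIT_SECRETS_REPOSITORY_PATH` expand the path unquoted and the remove has no guard against the variable being empty if the setup step did not run; `cd "${GIT_SECRETS_REPOSITORY_PATH:?}"` and `rm -r -f -- "${GIT_SECRETS_REPOSITORY_PATH:?}"` fail loudly instead (the same unquoted `rm` reappears in patch 43's `@@ -59,9 +59,11 @@` hunk). The bare `git-secrets` calls now depend on the `$GITHUB_PATH` append in the Make step, so the steps can no longer be reordered independently; a comment on the Install step, `# git-secrets is on PATH via the $GITHUB_PATH entry written by the Make step`, would record that. The `echo $PATH` debug line survives the consolidation.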
From: Scott Schreckengaust Date: Thu, 4 Dec 2025 08:52:16 -0800 Subject: [PATCH 40/44] path ref --- action.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/action.yml b/action.yml index d7beb6a..f5c37d1 100644 --- a/action.yml +++ b/action.yml @@ -45,14 +45,18 @@ runs: # Setup environmental variables echo "GIT_SECRETS_REPOSITORY_PATH=${{ runner.temp }}/git-secrets-repository" >> "$GITHUB_ENV" shell: bash + - run: | + # DEBUG 1 + echo $GIT_SECRETS_REPOSITORY_PATH; + shell: bash - name: Checkout awslabs/git-secrets uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: repository: 'awslabs/git-secrets' ref: ${{ inputs.ref }} - path: $GIT_SECRETS_REPOSITORY_PATH - - name: Remove this later - run: | + path: ${{ env.GIT_SECRETS_REPOSITORY_PATH }} + - run: | + # DEBUG 2 ls $GIT_SECRETS_REPOSITORY_PATH; cd $GIT_SECRETS_REPOSITORY_PATH; pwd From 7ad8ca528c123b0594dcb4d7c4436d5911c9c4da Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 4 Dec 2025 08:56:31 -0800 Subject: [PATCH 41/44] GITHUB_WORKSPACE --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index f5c37d1..657fa4a 100644 --- a/action.yml +++ b/action.yml @@ -43,7 +43,7 @@ runs: - name: Setup environmental variables run: | # Setup environmental variables - echo "GIT_SECRETS_REPOSITORY_PATH=${{ runner.temp }}/git-secrets-repository" >> "$GITHUB_ENV" + echo "GIT_SECRETS_REPOSITORY_PATH=$GITHUB_WORKSPACE/git-secrets-repository" >> "$GITHUB_ENV" shell: bash - run: | # DEBUG 1 From c285b1093ce70458725dd7f96c128a4b7fb247e3 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 4 Dec 2025 09:52:50 -0800 Subject: [PATCH 42/44] default branch --- action.yml | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/action.yml b/action.yml index 657fa4a..ec66ac5 100644 --- a/action.yml +++ b/action.yml 
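Review bot: The move from `${{ runner.temp }}` to `$GITHUB_WORKSPACE` in patch 41's `@@ -43,7 +43,7 @@` hunk is unexplained; presumably actions/checkout rejects a `path` outside the workspace, and without that context a later reader will be tempted to move the source back out of the tree that gets scanned. A comment on the line, `# must stay under GITHUB_WORKSPACE: actions/checkout only accepts paths inside it; removed again after make install`, captures the constraint. Since the tool's source now lands inside the scanned tree, the `rm` in the Make step is what keeps it out of the later scan; that is worth stating there as well.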
@@ -8,7 +8,7 @@ # checkout: true # fetch-depth: 0 # ref: 'main' -# scan-type: '--scan-history' +# scan-type: '--scan' branding: color: 'orange' icon: 'activity' @@ -25,18 +25,18 @@ inputs: required: false type: string ref: - default: 'main' # '5357e18bc27b42a827b6780564ea873a72ca1f01' + default: '' # the default branch description: 'The version, ref, or hash of awslabs/git-secrets to use' required: false type: string scan-type: - default: '--scan-history' + default: '--scan' description: 'The type of scan' required: false type: choice options: - - '--scan-history' - '--scan' + - '--scan-history' name: scan runs: steps: @@ -45,22 +45,12 @@ runs: # Setup environmental variables echo "GIT_SECRETS_REPOSITORY_PATH=$GITHUB_WORKSPACE/git-secrets-repository" >> "$GITHUB_ENV" shell: bash - - run: | - # DEBUG 1 - echo $GIT_SECRETS_REPOSITORY_PATH; - shell: bash - name: Checkout awslabs/git-secrets uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: repository: 'awslabs/git-secrets' ref: ${{ inputs.ref }} path: ${{ env.GIT_SECRETS_REPOSITORY_PATH }} - - run: | - # DEBUG 2 - ls $GIT_SECRETS_REPOSITORY_PATH; - cd $GIT_SECRETS_REPOSITORY_PATH; - pwd - shell: bash - env: PREFIX : ${{ runner.temp }}/git-secrets-prefix MANPREFIX: ${{ runner.temp }}/git-secrets-manprefix From 611c531acf09cfffabaf42f45b9dce83d2d3551b Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 4 Dec 2025 10:20:44 -0800 Subject: [PATCH 43/44] cleanup --- action.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/action.yml b/action.yml index ec66ac5..64f812d 100644 --- a/action.yml +++ b/action.yml @@ -7,7 +7,7 @@ # with: # checkout: true # fetch-depth: 0 -# ref: 'main' +# ref: '' # scan-type: '--scan' branding: color: 'orange' 
@@ -25,8 +25,8 @@ inputs: required: false type: string ref: - default: '' # the default branch - description: 'The version, ref, or hash of awslabs/git-secrets to use' + default: '' + description: 'A version, ref, or hash of awslabs/git-secrets to use with the default branch as the default' required: false type: string scan-type: @@ -59,9 +59,11 @@ runs: # Make git-secrets cd $GIT_SECRETS_REPOSITORY_PATH make install; + # Add to the PATH + echo "$PREFIX/bin/" >> "$GITHUB_PATH" + # No longer need the source cd $GITHUB_WORKSPACE rm -r -f $GIT_SECRETS_REPOSITORY_PATH - echo "$PREFIX/bin/" >> "$GITHUB_PATH" shell: bash - if: inputs.checkout name: Checkout the repository to scan history @@ -70,14 +72,15 @@ runs: fetch-depth: ${{ inputs.fetch-depth }} # to scan history - name: Install git-secrets run: | - # Install git-secrets - echo $PATH - echo "Install git-secrets" + echo "::group::Install git-secrets" git-secrets --install - echo "Register AWS" + echo "::endgroup::" + echo "::group::Register AWS" git-secrets --register-aws - echo "List git-secrets" + echo "::endgroup::" + echo "::group::List git-secrets" git-secrets --list + echo "::endgroup::" shell: bash - name: Scan with git-secrets run: | From c8367e34feb1153fce6ed395186974fae7ffc92e Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 4 Dec 2025 10:42:49 -0800 Subject: [PATCH 44/44] list .gitallowed --- action.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/action.yml b/action.yml index 64f812d..b147e7a 100644 --- a/action.yml +++ b/action.yml @@ -81,6 +81,9 @@ runs: echo "::group::List git-secrets" git-secrets --list echo "::endgroup::" + echo "::group::Allowed git-secrets" + cat .gitallowed || echo "" + echo "::endgroup::" shell: bash - name: Scan with git-secrets run: |
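Review bot: `cat .gitallowed || echo ""` in patch 44's `@@ -81,6 +81,9 @@` hunk prints the repository's allow-list, which is useful visibility, but when the file is absent `cat`'s "No such file" error lands in the log and the `||` branch prints a blank line; `if [ -f .gitallowed ]; then cat .gitallowed; else echo "no .gitallowed in the repository"; fi` gives a clear message either way. Because `.gitallowed` lives in the scanned repository and suppresses matches, this group is the one place a reviewer can see that a pull request widened the allow-list; the group title could say so, e.g. `echo "::group::Allowed patterns from .gitallowed (review changes to this file)"`. The `Scan with git-secrets` step that opens at the end of the hunk continues outside it.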