chore: adding custom gitguardian check

related to hyperledger-cacti#720 This includes gitguardian workflow + configuration file This change was necessary even if we have stock git guardian workflow action because it was not possible to be configured for exclusions. The scanner was not getting triggered by pull_request_target as expected to access the secrets environment variable so it was returned to the original pull_request. By default, secrets is not possible to be accessed by a pull request from a fork repository unless it is merged to the main repository. Hence, the original pull_request will work after merging. The test tokens used in testing were all deleted to prevent further usage of it. Signed-off-by: ruzell22 <[email protected]> Signed-off-by: Peter Somogyvari <[email protected]>
charellesandig · Apr 3, 2023 · bdd8372 · bdd8372
1 parent d28d5e8
commit bdd8372
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 0 deletions.
diff --git a/.gitguardian.yaml b/.gitguardian.yaml
@@ -0,0 +1,30 @@
+version: 2
+
+# Set to true if the desired exit code for the CLI is always 0,
+# otherwise the exit code will be 1 if incidents are found
+# the environment variable GITGUARDIAN_EXIT_ZERO=true can also be used toggle this behavior.
+exit-zero: false # default: false
+
+verbose: false # default: false
+
+instance: https://api.gitguardian.com/
+
+# Maximum commits to scan in a hook.
+max-commits-for-hook: 50 # default: 50
+
+# Accept self-signed certificates for the API.
+allow-self-signed: false # default: False
+
+secret:
+  show-secrets: false # default: false
+
+  # Exclude files and paths by globbing
+  ignored-paths:
+    - '**/README.md'
+    - 'doc/*'
+    - 'LICENSE'
+    - '**/examples/cactus-example-carbon-accounting-backend/example-config.json'
+
+  # Detectors to ignore.
+  ignored-detectors: # default: []
+    - Generic Password
diff --git a/.github/workflows/gg-shield-action.yaml b/.github/workflows/gg-shield-action.yaml
@@ -0,0 +1,34 @@
+name: GitGuardian scan
+
+on: 
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+jobs:
+  scanning:
+    name: GitGuardian scan
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+        with:
+          fetch-depth: 0 # fetch all history so multiple commits can be scanned
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: GitGuardian scan
+        uses: GitGuardian/[email protected]
+        with:
+          args: --show-secrets --exit-zero --all-policies --verbose
+        env:
+          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
+          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
+          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          GITHUB_DEFAULT_BRANCH: main
+          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}