Scan artifact for leaked secrets before uploading to GitHub via Actions


I am using GitHub Actions to run some test scripts and then push a report as an artifact which is published via GitHub Pages.

GitHub obfuscates secrets in logs; however, the test report would show the secrets.

I would like to either warn if this report HTML contains a GH secret, or obfuscate it before publishing.

I have researched SO questions and GH Actions but cannot find a solution.

GitHub has features such as secret scanning with push protection, but they are designed to find secrets in source code. Your case is a bit different in that the secret might be leaked from GitHub Actions.

How about scanning your files with Gitleaks before uploading the artifact? It even comes with a GitHub Action.

Usage would look something like this:

- name: Generate report
  run: |
    # Code that generates files

- name: Run Gitleaks
  uses: gitleaks/[email protected]
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    GITLEAKS_NOTIFY_USER_LIST: '@yourusername'

- name: Upload artifact
  # ...

If Gitleaks finds a secret, the workflow would stop. There are more options, and using it in an organization requires a license (free for one repo, paid for more than one repo).
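As an added example (not part of the answer above or of Gitleaks): because the workflow already knows the exact secret values, a value-based pass can complement Gitleaks' pattern matching by redacting those values from the generated report and failing the step when any were found, before the upload step runs. It assumes the secrets are exported as environment variables and that their names are listed in a constructed variable REPORT_SECRET_NAMES.

```python
#!/usr/bin/env python3
"""Redact known GitHub Actions secret values from generated report files.

Assumed workflow wiring (constructed for this example):
  env:
    API_KEY: ${{ secrets.API_KEY }}
    REPORT_SECRET_NAMES: API_KEY,DB_PASSWORD   # names of the secrets to look for
  run: python redact_report.py report/index.html
"""
import os
import re
import sys
from pathlib import Path

PLACEHOLDER = "***"
MIN_LENGTH = 8  # shorter values would also match ordinary text


def collect_secret_values(names, environ=os.environ):
    """Return the non-empty values of the named env vars, longest first so a
    secret that contains another secret is replaced in one piece."""
    values = {environ.get(n, "") for n in names if environ.get(n)}
    return sorted((v for v in values if len(v) >= MIN_LENGTH), key=len, reverse=True)


def redact(text, secret_values):
    """Replace every literal occurrence of each secret; return (text, count)."""
    count = 0
    for value in secret_values:
        text, n = re.subn(re.escape(value), PLACEHOLDER, text)
        count += n
    return text, count


def redact_file(path, names, environ=os.environ):
    """Rewrite one file in place; return how many occurrences were redacted."""
    p = Path(path)
    redacted, count = redact(p.read_text(encoding="utf-8"), collect_secret_values(names, environ))
    if count:
        p.write_text(redacted, encoding="utf-8")
    return count


if __name__ == "__main__":
    names = [n.strip() for n in os.environ.get("REPORT_SECRET_NAMES", "").split(",") if n.strip()]
    total = 0
    for report in sys.argv[1:]:
        hits = redact_file(report, names)
        print(f"{report}: {hits} secret occurrence(s) redacted")
        total += hits
    # Non-zero exit fails the step (or only warns if the step uses continue-on-error).
    sys.exit(1 if total else 0)
```

Redaction removes the literal value only; an encoded copy of a secret (base64, URL-encoded) in the report would still need Gitleaks or a dedicated check.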