-
Notifications
You must be signed in to change notification settings - Fork 5
/
action.yaml
63 lines (55 loc) · 2.02 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
name: PSSecretScanner
description: Scan for secrets in your source files.
branding:
icon: lock
color: red
runs:
using: "composite"
steps:
- name: Scan for secrets
id: Scan
shell: pwsh
run: |
$PSD1Found = Get-ChildItem -Recurse -Filter "*.psd1" | Where-Object Name -eq 'PSSecretScanner.psd1' | Select-Object -First 1
if ($PSD1Found) {
$PSSecretScannerModulePath = $PSD1Found
Import-Module $PSD1Found -Force -PassThru | Out-Host
}
elseif ($env:GITHUB_ACTION_PATH) {
$PSSecretScannerModulePath = Join-Path $env:GITHUB_ACTION_PATH 'Source/PSSecretScanner.psd1'
if (Test-path $PSSecretScannerModulePath) {
Import-Module $PSSecretScannerModulePath -Force -PassThru | Out-Host
}
else {
throw "PSSecretScanner not found"
}
}
else {
try {
Import-Module PSSecretScanner
}
catch {
throw 'Cant find PSSecretScanner module.'
}
}
$FindSplat = @{}
$ExcludePath = Join-Path -Path (git rev-parse --show-toplevel) -ChildPath '.ignoresecrets'
if (Test-Path $ExcludePath) {
$FindSplat.Add('Excludelist',$ExcludePath)
}
$Secrets = Find-Secret @FindSplat
Write-Output "::group::Scanned files"
Write-Output "Scanned $($Secrets.ScanFiles.Count) files"
Write-Output $Secrets.ScanFiles.FullName
Write-Output "::endgroup::"
if ($Secrets.Count -ne 0) {
foreach ($r in $Secrets.Results) {
Write-Output "::error title=$($r.PatternName), file=$($r.Path), line=$($r.LineNumber)::$($r.Line)"
}
Write-Error "Found secrets!"
}
else {
Write-Output "::group::Scan results"
Write-Output "::notice::No secrets found. #ShareCodeNotSecrets"
Write-Output "::endgroup::"
}