poc/pds
1
0
Fork 1
Code Issues Pull Requests 8 Actions Packages Projects Releases Wiki Activity

Merge pull request 'action/kingfisher' (#7) from action/kingfisher into master
All checks were successful
Scan for leaked secrets using Kingfisher / kingfisher-secrets-scan (push) Successful in 10s
Details

Browse Source 
Reviewed-on: #7
This commit was merged in pull request #7.
This commit is contained in:
jothi
2025-11-25 08:22:15 +00:00
parent 158590a399 5f23856b09
commit 8fa1f54b81
1 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
.github/workflows/kingfisher-secrets-scan.yaml vendored Normal file
View File

@@ -0,0 +1,62 @@
# Filename: .github/workflows/kingfisher-secrets-scan.yaml
# Gitea Actions workflow for ACT Runner to scan for leaked secrets using Kingfisher
name: Scan for leaked secrets using Kingfisher
on:
push:
pull_request:
workflow_dispatch:
jobs:
kingfisher-secrets-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v5
- name: Get Kingfisher version and arch
id: get_version_arch
run: |
VERSION=$(curl -s https://api.github.com/repos/mongodb/kingfisher/releases/latest | jq -r '.tag_name')
echo "version=$VERSION" >> $GITHUB_OUTPUT
ARCH_RAW=$(arch)
if [ "$ARCH_RAW" = "x86_64" ]; then
ARCH="x64"
elif [ "$ARCH_RAW" = "aarch64" ]; then
ARCH="arm64"
else
echo "Unsupported architecture: $ARCH_RAW"
exit 1
fi
echo "arch=$ARCH" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
- name: Cache kingfisher binary
id: cache
uses: actions/cache@v4
with:
path: /usr/local/bin
key: ${{ runner.os }}-kingfisher-${{ steps.get_version_arch.outputs.version }}-${{ steps.get_version_arch.outputs.arch }}
restore-keys: |
${{ runner.os }}-kingfisher-${{ steps.get_version_arch.outputs.arch }}
- name: Install kingfisher if cache missed
if: steps.cache.outputs.cache-hit != 'true'
run: |
URL=$(curl -s https://api.github.com/repos/mongodb/kingfisher/releases/latest | \
jq -r --arg arch "${{ steps.get_version_arch.outputs.arch }}" '.assets[] |
select(.name | test("kingfisher-linux-" + $arch + "\\.tgz")) |
.browser_download_url')
echo "Downloading Kingfisher from $URL"
curl -sL $URL | tar -xz -C /usr/local/bin kingfisher
chmod +x /usr/local/bin/kingfisher
- name: Run Kingfisher scan
continue-on-error: true
run: |
kingfisher scan -n -r ${{ github.workspace }} \
--exclude='composer.lock' \
--exclude='package-lock.json'