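---
# Secret scanning with gitleaks, plus an optional PII scan with Presidio.
# Runs on pushes to main, non-draft pull requests against main, manual
# dispatch, and as a reusable workflow (`workflow_call`).
#
# Security notes for maintainers:
# - A `[skip gitleaks]` / `[skip pii-check]` marker in the first commit
#   message disables the corresponding job. Any contributor who can push a
#   commit can therefore bypass the scan; if the check must be mandatory,
#   enforce it through branch protection rather than relying on these jobs.
# - Third-party actions are pinned to mutable major tags (`@v4`, `@v1`).
#   Pinning to a full commit SHA is the stronger supply-chain posture.
# - The gitleaks binary is downloaded from a GitHub release without
#   integrity verification; see the TODO in the install step.
name: gitleaks 💧
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    branches:
      - main
  workflow_dispatch:
  workflow_call:
    inputs:
      additional-args:
        description: >-
          Additional arguments to pass to 'gitleaks detect'. The value is
          handed to the shell through an environment variable (never
          interpolated into the script text) and is split on whitespace.
        required: false
        type: string
        default: ""
      check-for-pii:
        description: Check for any instances of PII data in the repository
        required: false
        type: boolean
        default: false
concurrency:
  group: gitleaks-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
jobs:
  gitleaks:
    name: gitleaks 💧
    runs-on: ubuntu-latest
    # The job only reads the checkout; the default token grants more than that.
    # (When invoked via workflow_call these are further capped by the caller.)
    permissions:
      contents: read
    # Skipped for draft PRs and when the head commit message opts out.
    # On pull_request events `github.event.commits` is absent, so the
    # contains() check is false and only the draft condition applies.
    if: >
      !contains(github.event.commits[0].message, '[skip gitleaks]')
      && github.event.pull_request.draft == false
    steps:
      - name: Checkout repo 🛎
        uses: actions/checkout@v4
      - name: Download and install gitleaks 💧
        shell: bash
        env:
          GITLEAKS_VERSION: "8.18.1"
        run: |
          set -euo pipefail
          cd /tmp
          # Download and unpack as the unprivileged runner user; root is only
          # needed for the final move into /usr/bin.
          wget -q \
            "https://github.com/zricethezav/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            -O gitleaks.tar.gz || \
            (echo "Error downloading gitleaks ${GITLEAKS_VERSION} tarball" && exit 1)
          # TODO(security): verify the tarball against a SHA-256 pinned in this
          # file before extracting, e.g.
          #   echo "<expected-sha256>  gitleaks.tar.gz" | sha256sum -c -
          # Until then a substituted or tampered release asset would be
          # executed unverified on every run.
          tar -xzf gitleaks.tar.gz || \
            (echo "Error unarchiving gitleaks ${GITLEAKS_VERSION} tarball" && exit 1)
          sudo mv gitleaks /usr/bin/gitleaks || \
            (echo "Error moving gitleaks to /usr/bin" && exit 1)
      - name: Run gitleaks ☔
        shell: bash
        env:
          # Passed via the environment instead of `${{ }}` inside `run:` so a
          # caller-controlled value cannot inject shell syntax into the script.
          GITLEAKS_ADDITIONAL_ARGS: ${{ inputs.additional-args }}
        run: |
          set -euo pipefail
          # Deliberately unquoted: the input is a whitespace-separated argument
          # list. Word splitting is the only shell processing it receives.
          # NOTE: `--no-git` with the default shallow checkout scans the working
          # tree only; secrets committed and later removed are not detected.
          # shellcheck disable=SC2086
          gitleaks -v detect --no-git $GITLEAKS_ADDITIONAL_ARGS --source .
  pii-check:
    name: PII Check 💳
    runs-on: ubuntu-latest
    # Only runs when called as a reusable workflow with check-for-pii enabled
    # (inputs is empty on direct push/pull_request/dispatch events).
    if: >
      !contains(github.event.commits[0].message, '[skip pii-check]')
      && github.event.pull_request.draft == false
      && inputs.check-for-pii == true
    steps:
      - name: Checkout repo 🛎
        uses: actions/checkout@v4
        with:
          # Full history is needed so the action can determine changed files.
          fetch-depth: 0
      - name: Run Presidio to check for PII ☔
        uses: insightsengineering/presidio-action@v1
        with:
          configuration-data: |
            threshold: 0.95
            ignore: |
              .git
              **/*.svg
              **/*.png
              **/*.rds
              **/*.rda
              **/*.jpg
              **/*.gif
              .gitlab-ci.yml
              .Rbuildignore
              _pkgdown.yml
              inst/WORDLIST
              **/*.RData
              **/*.xlsx
          output: "github"
          only-changed-files: true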