70987f7fcc
- gitleaks.yml: runs-on docker→linux-arm64,去掉 container 配置 - security-scan.yml: trivy 扫描用 podman 替代 docker - 加 fetch-depth: 0 确保 gitleaks 增量扫描有完整历史 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
31 lines
926 B
YAML
31 lines
926 B
YAML
name: gitleaks 密钥泄露扫描
|
|
|
|
on:
|
|
push:
|
|
branches: ['*']
|
|
pull_request:
|
|
branches: ['*']
|
|
|
|
jobs:
|
|
gitleaks:
|
|
runs-on: linux-arm64
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Run gitleaks
|
|
run: |
|
|
if [ "$GITHUB_EVENT_NAME" = "push" ]; then
|
|
gitleaks detect --source=. --log-opts="$GITHUB_SHA~1..$GITHUB_SHA" --verbose --exit-code 1 || {
|
|
echo "::error::gitleaks 发现了潜在的密钥泄露!请检查上方输出并移除敏感信息。"
|
|
exit 1
|
|
}
|
|
else
|
|
gitleaks detect --source=. --verbose --exit-code 1 || {
|
|
echo "::error::gitleaks 发现了潜在的密钥泄露!请检查上方输出并移除敏感信息。"
|
|
exit 1
|
|
}
|
|
fi
|
|
echo "gitleaks 扫描通过,未发现密钥泄露。"
|
