From 4355ad0af8f5869910a4452c453d5acfb9e0f3aa Mon Sep 17 00:00:00 2001
From: juvdiaz
Date: Mon, 25 May 2026 14:16:40 -0600
Subject: [PATCH] Add Gitleaks secret scanning
---
 .gitea/workflows/homelab-main.yml | 38 +++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/.gitea/workflows/homelab-main.yml b/.gitea/workflows/homelab-main.yml
index a8275a7..1b31d55 100644
--- a/.gitea/workflows/homelab-main.yml
+++ b/.gitea/workflows/homelab-main.yml
@@ -30,6 +30,44 @@ jobs:
 test "${ID}" = "debian"
 sudo -n true
+ - name: Scan for leaked secrets with Gitleaks
+ run: |
+ set -euo pipefail
+
+ gitleaks_version="8.30.1"
+ case "$(uname -m)" in
+ x86_64|amd64)
+ gitleaks_platform="linux_x64"
+ gitleaks_sha256="551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
+ ;;
+ aarch64|arm64)
+ gitleaks_platform="linux_arm64"
+ gitleaks_sha256="e4a487ee7ccd7d3a7f7ec08657610aa3606637dab924210b3aee62570fb4b080"
+ ;;
+ *)
+ echo "Unsupported runner architecture: $(uname -m)" >&2
+ exit 1
+ ;;
+ esac
+
+ tool_dir="${HOME}/.cache/homelab-tools/gitleaks/${gitleaks_version}/${gitleaks_platform}"
+ gitleaks_bin="${tool_dir}/gitleaks"
+ if [[ ! -x "${gitleaks_bin}" ]] || [[ "$("${gitleaks_bin}" version)" != "${gitleaks_version}" ]]; then
+ archive="gitleaks_${gitleaks_version}_${gitleaks_platform}.tar.gz"
+ tmpdir="$(mktemp -d)"
+ trap 'rm -rf "${tmpdir}"' EXIT
+
+ curl -fsSL -o "${tmpdir}/${archive}" \
+ "https://github.com/gitleaks/gitleaks/releases/download/v${gitleaks_version}/${archive}"
+ printf '%s %s\n' "${gitleaks_sha256}" "${tmpdir}/${archive}" | sha256sum -c -
+
+ mkdir -p "${tool_dir}"
+ tar -xzf "${tmpdir}/${archive}" -C "${tmpdir}" gitleaks
+ install -m 0755 "${tmpdir}/gitleaks" "${gitleaks_bin}"
+ fi
+
+ "${gitleaks_bin}" git --redact=100 --verbose --exit-code 1 .
+
+
 - name: Validate shell, Kubernetes manifests, and OpenTofu stacks
 run: |
 set -euo pipefail