Skip to content
Secret Scanner

chore: update submodule pointers after dogfooding CI deployment #229

Sign in to view logs

chore: update submodule pointers after dogfooding CI deployment

chore: update submodule pointers after dogfooding CI deployment #229

Workflow file for this run

.github/workflows/secret-scanner.yml at d2cc061
# SPDX-License-Identifier: PMPL-1.0-or-later
# Prevention workflow - scans for hardcoded secrets before they reach main
name: Secret Scanner
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
jobs:
trufflehog:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
with:
fetch-depth: 0 # Full history for scanning
- name: TruffleHog Secret Scan
uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3
with:
extra_args: --only-verified
gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
with:
fetch-depth: 0
- name: Gitleaks Secret Scan
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Rust-specific: Check for hardcoded crypto values
rust-secrets:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
- name: Check for hardcoded secrets in Rust
run: |
# Skip if no Rust files
if ! find . -name "Cargo.toml" -print -quit | grep -q .; then
echo "No Cargo.toml found, skipping Rust secret scan"
exit 0
fi
# Patterns that suggest hardcoded secrets
PATTERNS=(
'const.*SECRET.*=.*"'
'const.*KEY.*=.*"[a-zA-Z0-9]{16,}"'
'const.*TOKEN.*=.*"'
'let.*api_key.*=.*"'
'HMAC.*"[a-fA-F0-9]{32,}"'
'password.*=.*"[^"]+"'
)
found=0
for pattern in "${PATTERNS[@]}"; do
if grep -rn --include="*.rs" -E "$pattern" src/; then
echo "WARNING: Potential hardcoded secret found matching: $pattern"
found=1
fi
done
if [ $found -eq 1 ]; then
echo "::error::Potential hardcoded secrets detected. Use environment variables instead."
exit 1
fi