Creating github action

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Garner Distributed Workflow
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,17 @@
+# Secret Scanner
+## The Problem
+People will sometimes commit secrets to a GitHub repository
+
+## How it works
+Uses `Yelp/detect-secrets` to look for newly committed secrets. If it finds any potential secrets, it will:
+* Fail
+* Create a Job Summary with a list of the potential secrets found, and some advice on how to deal with the issue
+* Provide an updated secrets baseline that contains the newly added secrets. This is useful if secrets that were discovered are not actually secrets.
+
+## Inputs
+|Input|Description|Required|default value|
+|-----|-----------|--------|-------------|
+|detect-secrets-version|The version of Yelp/detect-secrets to use|no|1.2.0|
+|detect-secret-additional-args|Extra arguments to pass to the `detect-secret` binary when it is looking for secrets|no|No additional arguments (empty string)|
+|baseline-file|A path to the baseline secrets file|no|.secrets.baseline|
+|python-version|The version of python to use|no|3.10.4|

action.yml

@@ -0,0 +1,43 @@
+name: 'Secret Scanner'
+author: 'GarnerCorp'
+description: 'Scan for secrets in a repository'
+branding:
+  icon: 'eye'
+  color: 'orange'
+
+inputs:
+  detect-secrets-version:
+    description: 'The version of Yelp/detect-secrets to use'
+    required: false
+    default: '1.2.0'
+  detect-secret-additional-args:
+    description: 'Extra arguments to pass to the detect-secret binary'
+    required: false
+    default: ''
+  baseline-file:
+    description: "A path to the baseline secrets file"
+    required: false
+    default: .secrets.baseline
+  python-version:
+    description: "The version of python to use"
+    required: false
+    default: '3.10.4'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Set-up python
+      uses: actions/setup-python@v4
+      with:
+        python-version: ${{ inputs.python-version }}
+    - name: Install detect-secrets
+      shell: bash
+      run: pip install detect-secrets[gibberish]=="$DETECT_SECRET_VERSION"
+      env: 
+        DETECT_SECRET_VERSION: ${{ inputs.detect-secrets-version }}
+    - name: Check for secrets
+      shell: bash
+      run: $GITHUB_ACTION_PATH/detect-new-secrets.sh
+      env:
+        BASELINE_FILE: ${{ inputs.baseline-file }}
+        DETECT_SECRET_ADDITIONAL_ARGS: ${{ inputs.detect-secret-additional-args }}

detect-new-secrets.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+all_secrets_file=$(mktemp)
+new_secrets_file=$(mktemp)
+
+scan_new_secrets() {
+    git ls-files -z | xargs -0 detect-secrets scan $DETECT_SECRET_ADDITIONAL_ARGS --baseline "$BASELINE_FILE"
+    detect-secrets audit "$BASELINE_FILE" --report --json > "$all_secrets_file"
+    jq 'map(select(.category == "UNVERIFIED"))' "$all_secrets_file" > "$new_secrets_file"
+}
+
+markdown_from_new_secrets() {
+    secrets_table_body_with_json_chars=$(jq -r '.[] | "|\(.filename)|\(.lines | keys)|\(.types)|"' "$new_secrets_file")
+    secret_table_body=$(echo "$secrets_table_body_with_json_chars" | tr -d '"' | tr -d ']'| tr -d '[')
+
+    baseline_with_all_secrets_marked_ok=$(jq 'setpath(["results"]; (.results | map_values(. | map_values(setpath(["is_secret"]; (.is_secret // false))))))' "$BASELINE_FILE")
+
+    cat << EOF
+# Secret Scanner Report
+## Potential new secrets discovered
+|FILE|LINES|TYPES|
+|----|-----|-----|
+$secret_table_body
+
+## What you should do
+### If any of these are secrets
+Secrets pushed to GitHub are not safe to use.
+
+For the secrets you have just compromised (it is NOT sufficient to rebase to remove the commit), you should:
+* Rotate the secret
+
+### If none of these are secrets
+Replace the file \`.secrets.baseline\` with:
+
+<details>
+    <summary>Updated Secrets Baseline</summary>
+
+\`\`\`json
+$baseline_with_all_secrets_marked_ok
+\`\`\`
+</details>
+
+EOF
+}
+
+echo "::add-matcher::$GITHUB_ACTION_PATH/secret-problem-matcher.json"
+scan_new_secrets
+
+if [ "$(cat $new_secrets_file)" = "[]" ]; then
+    echo "No secrets found"
+    exit 0
+fi
+markdown_from_new_secrets | tee "$GITHUB_STEP_SUMMARY"
+exit 1

secret-problem-matcher.json

@@ -0,0 +1,15 @@
+{
+    "problemMatcher": [
+        {
+            "owner": "secret-exists",
+            "pattern": [
+                {
+                    "regexp": "^\\|([^|]+)\\|(\\d+)\\|([^|]+)\\|$",
+                    "file": 1,
+                    "line": 2,
+                    "message": 3
+                }
+            ]
+        }
+    ]
+}