add GitHub action running detect-secrets

Frederic Mercier · Frederic Mercier · commit 133d980c12a9 · 2024-08-27T18:19:54.000+02:00
diff --git a/.github/workflows/detect-secrets.yml b/.github/workflows/detect-secrets.yml
@@ -0,0 +1,25 @@
+name: detect secrets
+
+on: push
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "detect-secrets"
+  detect-secrets:
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+
+      # Checks-out your repository under ${{github.workspace}}, so your job can access it
+      - uses: actions/checkout@v4
+
+      - name: scan all the files (not just the ones committed), generate a report, and check that there are no actual or potential secret
+        run: |
+          docker run --pull=always -a stdout \
+          -v ${{github.workspace}}:/code \
+          --entrypoint /bin/sh \
+          icr.io/git-defenders/detect-secrets:0.13.1.ibm.61.dss-redhat-ubi \
+          -c "detect-secrets --version; 
+              detect-secrets scan --all-files --exclude-files "^.git/.*" --update .secrets.baseline; 
+              detect-secrets audit --report --fail-on-unaudited --fail-on-live --fail-on-audited-real .secrets.baseline" 
