数据标注工具
blame | 历史 | 原始文档
Bin
2025-12-17 05a69820e0c402b0b33c063d3b922f0a0571cbbb 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

name: "Gitleaks"


 


on:


  workflow_call:


    inputs:


      head_sha:


        required: true


        type: string


      base_sha:


        required: true


        type: string


      version:


        required: false


        type: string


        default: "latest"


 


env:


  ACTIONS_STEP_DEBUG: '${{ secrets.ACTIONS_STEP_DEBUG }}'


 


 


jobs:


  gitleaks:


    name: "Gitleaks"


    runs-on: ubuntu-latest


    steps:


      - uses: hmarr/debug-action@v3.0.0


 


      - name: install


        shell: bash


        run: |


          set -euo pipefail


          arch="$(uname)_$(uname -m)"


          platform=$(echo $arch | tr '[:upper:]' '[:lower:]' )


          echo "PLATFORM=$platform" >> $GITHUB_ENV


          if [[ "${{ inputs.version }}" == "latest" ]]; then


            echo "GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | jq -r .tag_name | sed 's/^v//')" >> $GITHUB_ENV


          else


            echo "GITLEAKS_VERSION=${{ inputs.version }}" >> $GITHUB_ENV


          fi


 


      - name: Cache gitleaks archive


        id: cache_gitleaks


        uses: actions/cache@v5


        with:


          path: /usr/local/bin/gitleaks


          key: gitleaks-${{ env.PLATFORM }}-${{ env.GITLEAKS_VERSION }}


 


      - name: Download and configure gitleaks


        shell: bash


        run: |


          set -euo pipefail


          if [[ "${{ steps.cache_gitleaks.outputs.cache-hit }}" != "true" ]]; then


            DOWNLOAD_URL="https://github.com/gitleaks/gitleaks/releases/download/v${{ env.GITLEAKS_VERSION }}/gitleaks_${{ env.GITLEAKS_VERSION }}_linux_x64.tar.gz"


            echo "Download Gitleaks ${{ env.GITLEAKS_VERSION }} for ${{ env.PLATFORM }} from ${DOWNLOAD_URL}"


            curl -fsSL "$DOWNLOAD_URL" | tar xzf - -C /usr/local/bin


          fi


          chmod +x /usr/local/bin/gitleaks


 


      - name: Checkout


        uses: actions/checkout@v6


        with:


          fetch-depth: 2147483647


          ref: ${{ inputs.head_sha }}


 


      - name: Run gitleaks


        run: |


          set -euo pipefail ${ACTIONS_STEP_DEBUG:+-x}


 


          gitleaks \


            detect \


            --source="." \


            --redact \


            -v \


            --exit-code=2 \


            --report-format=sarif \


            --report-path=results.sarif \


            --log-level=debug \


            --log-opts='${{ inputs.base_sha }}..${{ inputs.head_sha }}'


 


      - name: Upload test results


        if: failure()


        uses: actions/upload-artifact@v6


        with:


          name: GitLeaks results


          path: results.sarif