name: "Gitleaks" on: workflow_call: inputs: head_sha: required: true type: string base_sha: required: true type: string version: required: false type: string default: "latest" env: ACTIONS_STEP_DEBUG: '${{ secrets.ACTIONS_STEP_DEBUG }}' jobs: gitleaks: name: "Gitleaks" runs-on: ubuntu-latest steps: - uses: hmarr/debug-action@v3.0.0 - name: install shell: bash run: | set -euo pipefail arch="$(uname)_$(uname -m)" platform=$(echo $arch | tr '[:upper:]' '[:lower:]' ) echo "PLATFORM=$platform" >> $GITHUB_ENV if [[ "${{ inputs.version }}" == "latest" ]]; then echo "GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | jq -r .tag_name | sed 's/^v//')" >> $GITHUB_ENV else echo "GITLEAKS_VERSION=${{ inputs.version }}" >> $GITHUB_ENV fi - name: Cache gitleaks archive id: cache_gitleaks uses: actions/cache@v5 with: path: /usr/local/bin/gitleaks key: gitleaks-${{ env.PLATFORM }}-${{ env.GITLEAKS_VERSION }} - name: Download and configure gitleaks shell: bash run: | set -euo pipefail if [[ "${{ steps.cache_gitleaks.outputs.cache-hit }}" != "true" ]]; then DOWNLOAD_URL="https://github.com/gitleaks/gitleaks/releases/download/v${{ env.GITLEAKS_VERSION }}/gitleaks_${{ env.GITLEAKS_VERSION }}_linux_x64.tar.gz" echo "Download Gitleaks ${{ env.GITLEAKS_VERSION }} for ${{ env.PLATFORM }} from ${DOWNLOAD_URL}" curl -fsSL "$DOWNLOAD_URL" | tar xzf - -C /usr/local/bin fi chmod +x /usr/local/bin/gitleaks - name: Checkout uses: actions/checkout@v6 with: fetch-depth: 2147483647 ref: ${{ inputs.head_sha }} - name: Run gitleaks run: | set -euo pipefail ${ACTIONS_STEP_DEBUG:+-x} gitleaks \ detect \ --source="." \ --redact \ -v \ --exit-code=2 \ --report-format=sarif \ --report-path=results.sarif \ --log-level=debug \ --log-opts='${{ inputs.base_sha }}..${{ inputs.head_sha }}' - name: Upload test results if: failure() uses: actions/upload-artifact@v6 with: name: GitLeaks results path: results.sarif