secrets-scan.yml

Author: aravindbuilt

.github/workflows/secrets-scan.yml

@@ -0,0 +1,54 @@
+name: Secrets Scan
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  security-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Install Expect, jq and Python
+        run: sudo apt-get install -y expect jq python3 python3-pip  wkhtmltopdf
+
+      - name: Install Python packages
+        run: pip install pandas json2html tabulate
+
+      - name: Install Talisman
+        run: |
+          curl --silent https://raw.githubusercontent.com/thoughtworks/talisman/v1.32.0/install.sh > install.bash
+          chmod +x install.bash
+          ./install.bash
+
+      - name: Run Talisman
+        id: run_talisman
+        run: /usr/local/bin/talisman --scan
+        continue-on-error: true
+
+      - name: Convert JSON to HTML
+        run: |
+          python3 -c "
+          import json
+          import os
+          from json2html import *
+          with open('talisman_report/talisman_reports/data/report.json') as f:
+              data = json.load(f)
+          html = json2html.convert(json = data)
+          os.makedirs('talisman_html_report', exist_ok=True)
+          with open('talisman_html_report/report.html', 'w') as f:
+              f.write(html)
+          " && wkhtmltopdf talisman_html_report/report.html talisman_report.pdf
+
+      - name: Upload Report
+        id: upload_report
+        uses: actions/upload-artifact@v4
+        with:
+          name: talisman-report-pdf
+          path: talisman_report.pdf
+
+      - name: Check the status of talisman scan
+        run: |
+          # if [[ ${{ steps.run_talisman.outcome }} == "success" ]]; then exit 0; else echo "Download the Talisman scan report from Artifact: ${{ steps.upload_report.outputs.artifact-url }}" && exit 1; fi
+          echo "Download the Talisman scan report from Artifact: ${{ steps.upload_report.outputs.artifact-url }}";