feat: Add GitHub workflow template to easily enable the tool in any GitHub repository and update the existing GitLab CI template which is used to easily enable the tool in any GitLab repository to changes its path, Docker image used and variables location.

Abdullah Khawer · Abdullah Khawer · commit acf7d4ff09d2 · 2024-09-02T15:58:04.000+02:00
diff --git a/.github/workflows/.github-workflow.yml b/.github/workflows/.github-workflow.yml
@@ -0,0 +1,77 @@
+# This job finds secrets in a git repository using Gitleaks, generates a JSON report based on the findings from Gitleaks
+# by extracting only the relevant information, finds the commit id and commit author for each finding, updates an Atlassian
+# Confluence page with the secrets found based on that generated report and finally sends an alert on Slack.
+
+on:
+  workflow_call:
+    inputs:
+      CONFLUENCE_ENABLED:
+        description: "Whether to enable reporting on Atlassian Confluence or not"
+        required: true
+        type: string
+      CONFLUENCE_PAGE_TITLE:
+        description: "Atlassian Confluence page title (e.g., 'Secrets Detected in the Git Repositories')"
+        required: true
+        type: string
+      CONFLUENCE_PAGE_SPACE:
+        description: "Atlassian Confluence page space (e.g., docs)"
+        required: true
+        type: string
+      SLACK_ENABLED:
+        description: "Whether to enable notifications on Slack or not"
+        required: true
+        type: string
+    secrets:
+      CONFLUENCE_SITE:
+        description: "Atlassian Confluence host link (e.g., https://mydomain.atlassian.net)"
+        required: true
+      CONFLUENCE_USER_EMAIL_ID:
+        description: "Atlassian Confluence user email ID (e.g., myname@mydomain.com)"
+        required: true
+      CONFLUENCE_USER_TOKEN:
+        description: "Atlassian Confluence user token"
+        required: true
+      SLACK_WEBHOOK_URL:
+        description: "Slack Webhook URL (e.g., https://hooks.slack.com/services/__REDACTED__/__REDACTED__/__REDACTED__)"
+        required: true
+
+jobs:
+  find-and-report-secrets-in-code:
+    runs-on: ubuntu-latest
+    container:
+      image: abdullahkhawer/find-and-report-secrets-in-code:1.3.0
+      env:
+        CONFLUENCE_ENABLED: ${{ inputs.CONFLUENCE_ENABLED }}
+        CONFLUENCE_SITE: ${{ secrets.CONFLUENCE_SITE }}
+        CONFLUENCE_USER_EMAIL_ID: ${{ secrets.CONFLUENCE_USER_EMAIL_ID }}
+        CONFLUENCE_USER_TOKEN: ${{ secrets.CONFLUENCE_USER_TOKEN }}
+        CONFLUENCE_PAGE_TITLE: ${{ inputs.CONFLUENCE_PAGE_TITLE }}
+        CONFLUENCE_PAGE_SPACE: ${{ inputs.CONFLUENCE_PAGE_SPACE }}
+        SLACK_ENABLED: ${{ inputs.SLACK_ENABLED }}
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        REMOTE_PATH_TO_GIT_REPO: ${{ github.server_url }}/${{ github.repository }}
+        BRANCH_NAME: ${{ github.ref_name }}
+        REPO_NAME: ${{ github.repository }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          set-safe-directory: true
+      - name: Find secrets and generate custom report
+        run: |
+          export LOCAL_PATH_TO_GIT_REPO=$(pwd)
+          export PATH=$PATH:/usr/local/gitleaks
+          cd /find-and-report-secrets-in-code/
+          bash ./gitleaks.sh
+          cp ./gitleaks-report.json $LOCAL_PATH_TO_GIT_REPO/gitleaks-report.json
+      - name: Upload generated custom report as artifact
+        id: artifact-upload-step
+        uses: actions/upload-artifact@v4
+        with:
+          name: gitleaks-report.json
+          path: gitleaks-report.json
+      - name: Update Confluence page and/or send alert on Slack
+        if: ${{ inputs.SLACK_ENABLED == '1' || inputs.CONFLUENCE_ENABLED == '1' }}
+        run: |
+          cd /find-and-report-secrets-in-code/
+          python3 main.py "Europe/Amsterdam" $REPO_NAME $BRANCH_NAME ${{ steps.artifact-upload-step.outputs.artifact-url }}
diff --git a/.gitlab/.gitlab-ci.yml b/.gitlab/.gitlab-ci.yml
@@ -20,12 +20,15 @@
     SLACK_ENABLED: "0"
     # Slack Webhook URL (e.g., https://hooks.slack.com/services/__REDACTED__/__REDACTED__/__REDACTED__)
     SLACK_WEBHOOK_URL: ""
+    REMOTE_PATH_TO_GIT_REPO: "${CI_PROJECT_URL}"
+    BRANCH_NAME: "${CI_COMMIT_BRANCH}"
+    REPO_NAME: "${CI_PROJECT_PATH}"
 
 .find-secrets:scan:
   stage: scan
   extends:
     - .find-secrets:variables
-  image: abdullahkhawer/find-and-report-secrets-in-code:1.2.0
+  image: abdullahkhawer/find-and-report-secrets-in-code:1.3.0
   before_script:
     - |
       if [ -n "$CONFLUENCE_ENABLED" ] && [ "$CONFLUENCE_ENABLED" -eq 1 ]; then
@@ -64,9 +67,6 @@
     - git fetch origin $CI_COMMIT_BRANCH
   script:
     - export LOCAL_PATH_TO_GIT_REPO=$(pwd)
-    - export REMOTE_PATH_TO_GIT_REPO=$CI_PROJECT_URL
-    - export BRANCH_NAME=$CI_COMMIT_BRANCH
-    - export REPO_NAME=$CI_PROJECT_PATH
     - export PATH=$PATH:/usr/local/gitleaks
     - cd /find-and-report-secrets-in-code/
     - bash ./gitleaks.sh
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@ A security solution that finds secrets in a git repository using Gitleaks, gener
 
 ❓ Where I can run this?
 
-👉🏻 This solution can be executed on any macOS or Linux system either locally or on a remote server. It can also be executed on a CI/CD pipeline.
+This solution can be executed on any macOS or Linux system either locally or on a remote server. It can also be executed on a CI/CD tool like on GitHub Actions, GitLab CI, etc, in a pipeline.
 
 Below you can find an example of the JSON report generated:
 
@@ -139,20 +139,51 @@ And then simply run the following 2 commands:
    - Example: `python3 main.py Europe/Amsterdam my-projects/my-repo master`
    - Note: Details about supported time zones and their constant names can be found here: [pypi.org > project > pytz > Helpers](https://pypi.org/project/pytz/#:~:text=through%20multiple%20timezones.-,Helpers,-There%20are%20two)
 
-## Automatically via CI/CD Pipeline
+## Automatically via a CI/CD Pipeline
 
-### Setup Instructions
+### GitHub Actions - Setup Instructions
 
-In order to run it on any GitLab repository, add the following in the `.gitlab-ci.yml` file that is in the repository:
+In order to run it on any GitHub repository, add the following in the `.github-workflow.yml` file under the `.github/workflows/` directory in the repository:
+
+```
+name: find-and-report-secrets-in-code
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  find-and-report-secrets-in-code:
+    uses: abdullahkhawer/find-and-report-secrets-in-code/.github/workflows/.github-workflow.yml@master
+    with:
+      CONFLUENCE_ENABLED: "1"
+      CONFLUENCE_PAGE_TITLE: ${{ vars.CONFLUENCE_PAGE_TITLE }}
+      CONFLUENCE_PAGE_SPACE: ${{ vars.CONFLUENCE_PAGE_SPACE }}
+      SLACK_ENABLED: "1"
+    secrets:
+      CONFLUENCE_SITE: ${{ secrets.CONFLUENCE_SITE }}
+      CONFLUENCE_USER_EMAIL_ID: ${{ secrets.CONFLUENCE_USER_EMAIL_ID }}
+      CONFLUENCE_USER_TOKEN: ${{ secrets.CONFLUENCE_USER_TOKEN }}
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+```
+
+In the `on` section, you specify events can cause the workflow to run. In the above example, the job is only allowed to execute if something is pushed to the `master` branch.
+
+The variables referred using `$` are supposed to be created on the repository under `Repository secrets` and `Repository variables` depending on the type of variable from here: `Settings > Security > Secrets and variables > Actions`.
+
+### GitLab CI - Setup Instructions
+
+In order to run it on any GitLab repository, add the following in the `.gitlab-ci.yml` file on root level in the repository:
 
 ```
 include:
-  - remote: 'https://raw.githubusercontent.com/abdullahkhawer/find-and-report-secrets-in-code/master/ci/.gitlab-ci.yml'
+  - remote: 'https://raw.githubusercontent.com/abdullahkhawer/find-and-report-secrets-in-code/master/.gitlab/.gitlab-ci.yml'
 
 stages:
   - scan
 
-secrets_detection:
+find-and-report-secrets-in-code:
   stage: scan
   extends:
     - .find-secrets:scan
@@ -175,11 +206,17 @@ secrets_detection:
 
 In the `rules` section, you specify rules for execution as `if` conditions. In the above example, the job is only allowed to execute if it is a scheduled job for the `master` branch.
 
-The variables referred using `$` are supposed to be created on the repository under `CI/CD Settings` page.
+The variables referred using `$` are supposed to be created on the repository under `CI/CD Variables` from here: `Settings > CI/CD > Variables`.
+
+## Docker Image Details
+
+The Docker image used is built using the Dockerfile that is present in this repository here: [Dockerfile](https://github.com/abdullahkhawer/find-and-report-secrets-in-code/tree/master/docker)
+
+Following build command is used on the root level in the GitHub repository: `docker buildx build --platform linux/amd64 -t "abdullahkhawer/find-and-report-secrets-in-code:latest" --no-cache -f ./docker/Dockerfile .`
 
-The image used in this GitLab CI job is built using the Dockerfile that is present in this repository here: https://github.com/abdullahkhawer/find-and-report-secrets-in-code/tree/master/docker
+The image used is publicly available here: [Docker - find-and-report-secrets-in-code](https://hub.docker.com/r/abdullahkhawer/find-and-report-secrets-in-code/)
 
-The image used is publicly available here: https://hub.docker.com/r/abdullahkhawer/find-and-report-secrets-in-code/
+For more details, check out its [README](https://github.com/abdullahkhawer/find-and-report-secrets-in-code/blob/master/docker/README.md).
 
 ## Notes
 
diff --git a/docker/README.md b/docker/README.md
@@ -11,7 +11,7 @@
 
 # Supported tags and respective `Dockerfile` links
 
--	[`1.2.0`, `latest`](https://github.com/abdullahkhawer/find-and-report-secrets-in-code/blob/v1.2.0/docker/Dockerfile)
+-	[`1.3.0`, `latest`](https://github.com/abdullahkhawer/find-and-report-secrets-in-code/blob/v1.3.0/docker/Dockerfile)
 
 # Find and Report Secrets in Code
 
@@ -21,7 +21,7 @@ This repository has a Docker image that finds secrets in a git repository using
 
 ❓ Where I can run this?
 
-👉🏻 This Docker image can be executed on any Windows, macOS or Linux system either locally or on a remote server. It can also be executed on a CI/CD pipeline.
+This solution can be executed on any macOS or Linux system either locally or on a remote server. It can also be executed on a CI/CD tool like on GitHub Actions, GitLab CI, etc, in a pipeline.
 
 Below you can find an example of the JSON report generated:
 
@@ -118,20 +118,51 @@ And then simply run the following 4 commands:
    - Example: `python3 /find-and-report-secrets-in-code/main.py Europe/Amsterdam my-projects/my-repo master`
    - Note: Details about supported time zones and their constant names can be found here: [pypi.org > project > pytz > Helpers](https://pypi.org/project/pytz/#:~:text=through%20multiple%20timezones.-,Helpers,-There%20are%20two)
 
-## Automatically via CI/CD Pipeline
+## Automatically via a CI/CD Pipeline
 
-### Setup Instructions
+### GitHub Actions - Setup Instructions
 
-In order to run it on any GitLab repository, add the following in the `.gitlab-ci.yml` file that is in the repository:
+In order to run it on any GitHub repository, add the following in the `.github-workflow.yml` file under the `.github/workflows/` directory in the repository:
+
+```
+name: find-and-report-secrets-in-code
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  find-and-report-secrets-in-code:
+    uses: abdullahkhawer/find-and-report-secrets-in-code/.github/workflows/.github-workflow.yml@master
+    with:
+      CONFLUENCE_ENABLED: "1"
+      CONFLUENCE_PAGE_TITLE: ${{ vars.CONFLUENCE_PAGE_TITLE }}
+      CONFLUENCE_PAGE_SPACE: ${{ vars.CONFLUENCE_PAGE_SPACE }}
+      SLACK_ENABLED: "1"
+    secrets:
+      CONFLUENCE_SITE: ${{ secrets.CONFLUENCE_SITE }}
+      CONFLUENCE_USER_EMAIL_ID: ${{ secrets.CONFLUENCE_USER_EMAIL_ID }}
+      CONFLUENCE_USER_TOKEN: ${{ secrets.CONFLUENCE_USER_TOKEN }}
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+```
+
+In the `on` section, you specify events can cause the workflow to run. In the above example, the job is only allowed to execute if something is pushed to the `master` branch.
+
+The variables referred using `$` are supposed to be created on the repository under `Repository secrets` and `Repository variables` depending on the type of variable from here: `Settings > Security > Secrets and variables > Actions`.
+
+### GitLab CI - Setup Instructions
+
+In order to run it on any GitLab repository, add the following in the `.gitlab-ci.yml` file on root level in the repository:
 
 ```
 include:
-  - remote: 'https://raw.githubusercontent.com/abdullahkhawer/find-and-report-secrets-in-code/master/ci/.gitlab-ci.yml'
+  - remote: 'https://raw.githubusercontent.com/abdullahkhawer/find-and-report-secrets-in-code/master/.gitlab/.gitlab-ci.yml'
 
 stages:
   - scan
 
-secrets_detection:
+find-and-report-secrets-in-code:
   stage: scan
   extends:
     - .find-secrets:scan
@@ -154,10 +185,13 @@ secrets_detection:
 
 In the `rules` section, you specify rules for execution as `if` conditions. In the above example, the job is only allowed to execute if it is a scheduled job for the `master` branch.
 
-The variables referred using `$` are supposed to be created on the repository under `CI/CD Settings` page.
+The variables referred using `$` are supposed to be created on the repository under `CI/CD Variables` from here: `Settings > CI/CD > Variables`.
+
+## Docker Image Details
+
+The Docker image used is built using the Dockerfile that is present in this repository here: [Dockerfile](https://github.com/abdullahkhawer/find-and-report-secrets-in-code/tree/master/docker)
 
-An example of build command is below:
-`docker buildx build --platform linux/amd64 -t "abdullahkhawer/find-and-report-secrets-in-code:latest" --no-cache -f ./docker/Dockerfile .`
+Following build command is used on the root level in the GitHub repository: `docker buildx build --platform linux/amd64 -t "abdullahkhawer/find-and-report-secrets-in-code:latest" --no-cache -f ./docker/Dockerfile .`
 
 ## Notes
 
