From 133d980c12a91bcb9bb55fdfc5220472486e02c6 Mon Sep 17 00:00:00 2001
From: Frederic Mercier <f.mercier@fr.ibm.com>
Date: Tue, 27 Aug 2024 18:19:54 +0200
Subject: [PATCH] add GitHub action running detect-secrets

---
 .github/workflows/detect-secrets.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 .github/workflows/detect-secrets.yml

diff --git a/.github/workflows/detect-secrets.yml b/.github/workflows/detect-secrets.yml
new file mode 100644
index 00000000..d93a57d2
--- /dev/null
+++ b/.github/workflows/detect-secrets.yml
@@ -0,0 +1,25 @@
+name: detect secrets
+
+on: push
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "detect-secrets"
+  detect-secrets:
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+
+      # Checks-out your repository under ${{github.workspace}}, so your job can access it
+      - uses: actions/checkout@v4
+
+      - name: scan all the files (not just the ones committed), generate a report, and check that there are no actual or potential secret
+        run: |
+          docker run --pull=always -a stdout \
+          -v ${{github.workspace}}:/code \
+          --entrypoint /bin/sh \
+          icr.io/git-defenders/detect-secrets:0.13.1.ibm.61.dss-redhat-ubi \
+          -c "detect-secrets --version; 
+              detect-secrets scan --all-files --exclude-files "^.git/.*" --update .secrets.baseline; 
+              detect-secrets audit --report --fail-on-unaudited --fail-on-live --fail-on-audited-real .secrets.baseline"