From dda93d7b53cf0516d521053b888fae98bf51f6c4 Mon Sep 17 00:00:00 2001 From: Frederic Mercier Date: Tue, 27 Aug 2024 14:56:41 +0200 Subject: [PATCH] Detect secrets GitHub action (#194) * detect-secrets github action * update .secrets.baseline with secrets from ldap-custom-ssl-secret.yaml and openldap-customldif.yaml * run the github action on push only (not pull_request) --------- Co-authored-by: Frederic Mercier
--- .github/workflows/detect-secrets.yml | 25 +++++++++++++++++ .secrets.baseline | 40 ++++++++++++++++++++++++++-- 2 files changed, 63 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/detect-secrets.yml
diff --git a/.github/workflows/detect-secrets.yml b/.github/workflows/detect-secrets.yml
new file mode 100644
index 00000000..d93a57d2
--- /dev/null
+++ b/.github/workflows/detect-secrets.yml
@@ -0,0 +1,25 @@
+name: detect secrets
+
+on: push
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "detect-secrets"
+ detect-secrets:
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+
+ # Checks-out your repository under ${{github.workspace}}, so your job can access it
+ - uses: actions/checkout@v4
+
+ - name: scan all the files (not just the ones committed), generate a report, and check that there are no actual or potential secret
+ run: |
+ docker run --pull=always -a stdout \
+ -v ${{github.workspace}}:/code \
+ --entrypoint /bin/sh \
+ icr.io/git-defenders/detect-secrets:0.13.1.ibm.61.dss-redhat-ubi \
+ -c "detect-secrets --version;
+ detect-secrets scan --all-files --exclude-files "^.git/.*" --update .secrets.baseline;
+ detect-secrets audit --report --fail-on-unaudited --fail-on-live --fail-on-audited-real .secrets.baseline"
diff --git a/.secrets.baseline b/.secrets.baseline
index 4905011d..89b88ecf 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
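Review bot: The inner `"^.git/.*"` on the `detect-secrets scan` line sits inside the outer double-quoted `-c "…"` string, so the runner's bash closes and reopens the string there and the pattern reaches the container's `/bin/sh` unquoted; it appears to work only because nothing in the workspace glob-matches `^.git/.*`. Use single quotes for the nested argument and escape the dot so the regex only matches the `.git` directory, `detect-secrets scan --all-files --exclude-files '^\.git/.*' --update .secrets.baseline;`. The workflow also declares no `permissions:` block, so the job inherits the repository's default GITHUB_TOKEN scope although it only needs to read the checkout; add `permissions:` / `  contents: read` at the top level next to `on: push`. Both `actions/checkout@v4` and the `icr.io/git-defenders/detect-secrets:0.13.1.ibm.61.dss-redhat-ubi` image are referenced by mutable tag, and `--pull=always` means the scanner binary can change between runs without any change to this file; pinning the action to a commit SHA and the image to a digest would make the scan reproducible.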
@@ -1,9 +1,9 @@
 {
 "exclude": {
- "files": "openldap-customldif.yaml|ldap-custom-ssl-secret.yaml|^.secrets.baseline$",
+ "files": "^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2024-08-09T09:14:16Z",
+ "generated_at": "2024-08-27T06:40:44Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -307,6 +307,42 @@
 "verified_result": null
 }
 ],
+ "authentication/Keycloak/openldap/ldap-custom-ssl-secret.yaml": [
+ {
+ "hashed_secret": "470bf8b666f65eb413930e55a2153b2e6d6334b0",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 8,
+ "type": "Base64 High Entropy String",
+ "verified_result": null
+ },
+ {
+ "hashed_secret": "641ad3b66231e0f477088e711306cd1fdf1e5626",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 11,
+ "type": "Base64 High Entropy String",
+ "verified_result": null
+ },
+ {
+ "hashed_secret": "03b4a6482aeaf6e6aa3c2639db6e1c9b728e7b49",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 13,
+ "type": "Base64 High Entropy String",
+ "verified_result": null
+ }
+ ],
+ "authentication/Keycloak/openldap/openldap-customldif.yaml": [
+ {
+ "hashed_secret": "3e6e3eece5e10a4c903489f501c049b2c54094c4",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 8,
+ "type": "Base64 High Entropy String",
+ "verified_result": null
+ }
+ ],
 "authentication/Keycloak/openldap/openldap-secret.yaml": [
 {
 "hashed_secret": "e6c016ec485da2332894dc2ec7a6dc51274329ca",