Add GitLeaks to CI/CD Pipeline (#1066)

* add if * update pipeline * remove push * set permissions
cisagov · Apr 30, 2024 · 65ee0a1 · 65ee0a1
1 parent fced5af
commit 65ee0a1
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 8 deletions.
diff --git a/.github/workflows/run_pipeline.yaml b/.github/workflows/run_pipeline.yaml
@@ -11,21 +11,19 @@ on:
 jobs:
   lint-yaml:
     name: Lint
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     uses: ./.github/workflows/lint_yaml.yaml
   lint-powershell:
     name: Lint
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     uses: ./.github/workflows/lint_powershell.yaml
+  scan-secret:
+    name: Security
+    uses: ./.github/workflows/run_secret_scan.yaml
   syntax:
     name: Syntax
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     uses: ./.github/workflows/syntax_check_markdown.yaml
   unit-powershell:
     name: Unit
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     uses: ./.github/workflows/unit_test_powershell.yaml
   unit-opa:
     name: Unit
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     uses: ./.github/workflows/unit_test_opa.yaml
diff --git a/.github/workflows/run_secret_scan.yaml b/.github/workflows/run_secret_scan.yaml
@@ -1,17 +1,17 @@
 # Purpose: Run a secret scanner against the repo.
 
-name: Run Secret Scan
+name: Scan for Secrets
 
 on:
-  push:
-  pull_request:
   workflow_call:
   workflow_dispatch:
 
 jobs:
   secret-scan:
     name: MegaLint Gitleaks
     runs-on: ubuntu-latest
+    # This condition prevents duplicate runs.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     defaults:
       run:
         shell: bash

diff --git a/.github/workflows/unit_test_powershell.yaml b/.github/workflows/unit_test_powershell.yaml
@@ -7,6 +7,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   powershell-tests:
     name: PowerShell Unit Tests