Scan GCS Bucket for Secrets #26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scan GCS Bucket for Secrets | |
| on: | |
| # Trigger after deployment workflow completes | |
| workflow_run: | |
| workflows: ["Deploy to Google Cloud Storage"] | |
| types: | |
| - completed | |
| # Weekly scheduled scan - Every Sunday at midnight UTC | |
| schedule: | |
| - cron: '0 0 * * 0' | |
| # Manual trigger | |
| workflow_dispatch: | |
| permissions: {} # No GitHub permissions needed (workflow only accesses public GCS bucket) | |
| jobs: | |
| scan-bucket: | |
| name: Scan for Secrets | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Setup gcloud CLI | |
| uses: google-github-actions/setup-gcloud@v2 | |
| - name: Download entire bucket contents (public access) | |
| env: | |
| GCS_BUCKET: viral-references | |
| BOTO_CONFIG: /dev/null # Disable boto config to force anonymous access | |
| run: | | |
| mkdir -p /tmp/bucket-scan | |
| echo "Downloading gs://$GCS_BUCKET/ to /tmp/bucket-scan/ (using public anonymous access)" | |
| gsutil -m cp -r "gs://$GCS_BUCKET/*" /tmp/bucket-scan/ | |
| echo "Download complete. Scanning directory contents:" | |
| ls -la /tmp/bucket-scan/ | |
| - name: Install gitleaks | |
| run: | | |
| wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz | |
| tar -xzf gitleaks_8.21.2_linux_x64.tar.gz | |
| sudo mv gitleaks /usr/local/bin/ | |
| gitleaks version | |
| - name: Scan for secrets with gitleaks | |
| run: | | |
| echo "Scanning /tmp/bucket-scan/ for secrets..." | |
| gitleaks detect --source /tmp/bucket-scan/ --verbose --no-git --exit-code 1 |