Skip to content

Scan GCS Bucket for Secrets #27

Scan GCS Bucket for Secrets

Scan GCS Bucket for Secrets #27

name: Scan GCS Bucket for Secrets
on:
# Trigger after deployment workflow completes
workflow_run:
workflows: ["Deploy to Google Cloud Storage"]
types:
- completed
# Weekly scheduled scan - Every Sunday at midnight UTC
schedule:
- cron: '0 0 * * 0'
# Manual trigger
workflow_dispatch:
permissions: {} # No GitHub permissions needed (workflow only accesses public GCS bucket)
jobs:
scan-bucket:
name: Scan for Secrets
runs-on: ubuntu-latest
steps:
- name: Setup gcloud CLI
uses: google-github-actions/setup-gcloud@v2
- name: Download entire bucket contents (public access)
env:
GCS_BUCKET: viral-references
BOTO_CONFIG: /dev/null # Disable boto config to force anonymous access
run: |
mkdir -p /tmp/bucket-scan
echo "Downloading gs://$GCS_BUCKET/ to /tmp/bucket-scan/ (using public anonymous access)"
gsutil -m cp -r "gs://$GCS_BUCKET/*" /tmp/bucket-scan/
echo "Download complete. Scanning directory contents:"
ls -la /tmp/bucket-scan/
- name: Install gitleaks
run: |
wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
tar -xzf gitleaks_8.21.2_linux_x64.tar.gz
sudo mv gitleaks /usr/local/bin/
gitleaks version
- name: Scan for secrets with gitleaks
run: |
echo "Scanning /tmp/bucket-scan/ for secrets..."
gitleaks detect --source /tmp/bucket-scan/ --verbose --no-git --exit-code 1