.github/workflows/infisical-secrets-check.yml
name: Infisical secrets check
on:
workflow_dispatch:
pull_request:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
secrets-scan:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set Infisical package source
shell: bash
run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
- name: Install tools
shell: bash
run: |
sudo apt-get update && sudo apt-get install -y infisical
pip install csvkit
npm install -g csv-to-markdown-table
- name: Run scan
shell: bash
run: infisical scan --redact -f csv -r secrets-result-raw.csv 2>&1 | tee >(sed -r 's/\x1b\[[0-9;]*m//g' >secrets-result.log)
- name: Generate report
shell: bash
if: failure()
run: |
if [[ -s secrets-result-raw.csv ]]; then
csvformat -M $'\r' secrets-result-raw.csv | sed -e ':a' -e 'N;$!ba' -e 's/\n/\\n/g' | tr '\r' '\n' | head -n 11 >secrets-result.csv
csv-to-markdown-table --delim , --headers <secrets-result.csv >secrets-result.md
fi
- name: Upload artifacts secrets-result.log
uses: actions/upload-artifact@v4
if: always()
with:
name: report-log
path: secrets-result.log
- name: Upload artifacts secrets-result.csv
uses: actions/upload-artifact@v4
if: failure()
with:
name: report-csv
path: secrets-result.csv
- name: Upload artifacts secrets-result.md
uses: actions/upload-artifact@v4
if: failure()
with:
name: report-md
path: secrets-result.md
- name: Read secrets-result.log
uses: guibranco/github-file-reader-action-v2@v2.2.709
if: always()
id: log
with:
path: secrets-result.log
- name: Read secrets-result.md
uses: guibranco/github-file-reader-action-v2@v2.2.709
if: failure()
id: report
with:
path: secrets-result.md
- name: Update PR with comment
uses: mshick/add-pr-comment@v2
if: always()
with:
refresh-message-position: true
message-id: 'secrets-result'
message: |
**Infisical secrets check:** :white_check_mark: No secrets leaked!
**Scan results:**
```
${{ steps.log.outputs.contents }}
```
message-failure: |
**Infisical secrets check:** :rotating_light: Secrets leaked!
**Scan results:**
```
${{ steps.log.outputs.contents }}
```
<details>
<summary>🔎 Detected secrets in your GIT history</summary>
${{ steps.report.outputs.contents }}
</details>
message-cancelled: |
**Infisical secrets check:** :o: Secrets check cancelled!