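---
# .woodpecker/secret-scan.yml — Block PRs that leak plaintext secrets
#
# Triggers on pull requests touching secret-adjacent paths (see `when.path`).
# Sources lib/secret-scan.sh and scans each changed file's content.
# Exits non-zero if any potential secret is detected.
#
# Coverage caveat: only PRs that touch one of the listed paths run this
# pipeline; a secret committed elsewhere in the tree is not scanned here.

when:
  - event: pull_request
    path:
      # Pattern semantics follow the Woodpecker path matcher; ".env*" as
      # written presumably matches only root-level .env files (nested ones
      # would need "**/.env*") — confirm against the matcher in use.
      - ".env*"
      - "tools/vault-*.sh"
      - "nomad/**/*"
      - "vault/**/*"
      - "action-vault/**/*"
      - "lib/hvault.sh"
      - "lib/action-vault.sh"

# Custom clone: the default clone step is replaced so both the PR head and
# the target branch are available locally.
clone:
  git:
    # NOTE(review): untagged image resolves to :latest — pin a tag or digest
    # so the clone environment is reproducible.
    image: alpine/git
    commands:
      # FORGE_TOKEN is expected to arrive as a declared secret so the log
      # masker covers it; no secret declaration is visible in this file —
      # confirm where it is provided. The token is spliced into the URL via
      # sed, so a token containing '|', '&' or '\' would corrupt the
      # replacement.
      - AUTH_URL=$(printf '%s' "$CI_REPO_CLONE_URL" | sed "s|://|://token:$FORGE_TOKEN@|")
      - git clone --depth 50 "$AUTH_URL" .
      # --depth 50 on both clone and fetch: if PR and target branch have
      # diverged by more than 50 commits the merge base may be missing from
      # the shallow history, which can affect a changed-files diff.
      - git fetch --depth 50 origin "$CI_COMMIT_REF" "$CI_COMMIT_TARGET_BRANCH"
      # Scrub the token from .git/config: `git clone "$AUTH_URL"` records the
      # credentialed URL as remote.origin.url, where the next step (and the
      # scanner itself) would otherwise read it. FETCH_HEAD is unaffected.
      # Assumes run-secret-scan.sh needs no further remote access — confirm.
      - git remote set-url origin "$CI_REPO_CLONE_URL"
      # FETCH_HEAD's first entry is presumably the first ref fetched
      # ($CI_COMMIT_REF), so this checks out the PR head.
      - git checkout FETCH_HEAD

steps:
  - name: secret-scan
    image: alpine:3
    commands:
      # Tools the scan script relies on (the script itself is not visible
      # here).
      - apk add --no-cache bash git grep file
      - bash .woodpecker/run-secret-scan.sh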