33 lines
1.1 KiB
YAML
33 lines
1.1 KiB
YAML
|
name: GitGuardian scan
|
||
|
|
|
||
|
|
on: [push]
|
||
|
|
|
||
|
|
permissions:
|
||
|
|
contents: read # GitGuardian only needs to read.
|
||
|
|
|
||
|
|
jobs:
|
||
|
|
scanning:
|
||
|
|
name: GitGuardian scan
|
||
|
|
runs-on: ubuntu-latest
|
||
|
|
concurrency:
|
||
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
||
|
|
cancel-in-progress: true
|
||
|
|
steps:
|
||
|
|
- name: Harden Runner
|
||
|
|
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
|
||
|
|
with:
|
||
|
|
egress-policy: audit
|
||
|
|
|
||
|
|
- name: Checkout
|
||
|
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||
|
|
with:
|
||
|
|
fetch-depth: 0 # fetch all history so multiple commits can be scanned
|
||
|
|
- name: GitGuardian scan
|
||
|
|
uses: GitGuardian/ggshield-action@9074c0893e8ee86ccd6418177a0eb3e5aa02262a # master
|
||
|
|
env:
|
||
|
|
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
|
||
|
|
GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
|
||
|
|
GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
|
||
|
|
GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
|
||
|
|
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
|