ci: add git secrets scanning to CI (runfinch#879)

austinvazquez · web-flow · commit 05f35c100cd1 · 2024-04-01T09:49:46.000-07:00
Issue #, if available:
Contributors can accidentally secrets to version control.

*Description of changes:*
This change adds git secrets scanning to CI to validate secrets are not
submitted to version control.

*Testing done:*
CI is successful

- [x] I've reviewed the guidance in CONTRIBUTING.md

#### License Acceptance

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Signed-off-by: Austin Vazquez &lt;macedonv@amazon.com&gt;
diff --git a/.github/workflows/ci-docs.yaml b/.github/workflows/ci-docs.yaml
@@ -25,6 +25,25 @@ on:
       - '.github/CODEOWNERS'
 
 jobs:
+  git-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Pull latest awslabs/git-secrets repo
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+           repository: awslabs/git-secrets
+           ref: 1.3.0
+           fetch-tags: true
+           path: git-secrets
+      - name: Install git secrets from source
+        run: sudo make install
+        working-directory: git-secrets
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Scan repository for git secrets
+        run: |
+          git secrets --register-aws
+          git secrets --scan-history
+
   gen-code-no-diff:
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -28,6 +28,25 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  git-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Pull latest awslabs/git-secrets repo
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+           repository: awslabs/git-secrets
+           ref: 1.3.0
+           fetch-tags: true
+           path: git-secrets
+      - name: Install git secrets from source
+        run: sudo make install
+        working-directory: git-secrets
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Scan repository for git secrets
+        run: |
+          git secrets --register-aws
+          git secrets --scan-history
+
   gen-code-no-diff:
     strategy:
       matrix:
