From 5087b89858240f8c2f74d7f47396d148fff8350d Mon Sep 17 00:00:00 2001
From: root <root@bulwark.spectrocloud.dev>
Date: Tue, 14 Mar 2023 07:01:26 +0000
Subject: [PATCH] bulwark gitleaks - pr validation action

---
 .../bulwark-gitleaks-pr-validation.yaml       | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/bulwark-gitleaks-pr-validation.yaml

diff --git a/.github/workflows/bulwark-gitleaks-pr-validation.yaml b/.github/workflows/bulwark-gitleaks-pr-validation.yaml
new file mode 100644
index 0000000..bc8b8a0
--- /dev/null
+++ b/.github/workflows/bulwark-gitleaks-pr-validation.yaml
@@ -0,0 +1,36 @@
+name: BulwarkGitLeaks
+on: [pull_request]
+
+concurrency:
+  group: gitleaks-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  gitleaks-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest
+      env:
+        REPO: ${{ github.event.repository.name }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITLEAKS_CONFIG: config.toml
+    steps:
+
+      - name: run-bulwark-gitleaks-scan
+        shell: sh
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+        run: /workspace/bulwark -name CodeSASTGitLeaks -target $REPO -tags "branch:$BRANCH,options:--log-opts origin..HEAD"
+
+      - name: check-result
+        shell: sh
+        run: |
+          resultPath=./$REPO/gitleaks.json
+          cat $resultPath | grep -v \"Match\"\: | grep -v \"Secret\"\:
+          total_failed_tests=`cat $resultPath | grep \"Fingerprint\"\: | wc -l`
+          if [ "$total_failed_tests" -gt 0 ]; then
+            echo "GitLeaks validation check failed with above findings..."
+            exit 1
+          else 
+            echo "GitLeaks validation check passed"
+          fi
\ No newline at end of file