Harden CI scan output

This commit is contained in:
vaultsovereign
2025-12-17 15:27:57 +00:00
parent f3bef9dfb1
commit 58c7ffaad0


@@ -10,12 +10,15 @@ verify:no_secrets:
- | - |
set +e set +e
secret_re='(BEGIN (RSA|OPENSSH|EC) PRIVATE KEY|-----BEGIN PGP PRIVATE KEY BLOCK-----|aws_secret_access_key|AKIA[0-9A-Z]{16}|xox[baprs]-[0-9A-Za-z-]{10,}|ghp_[A-Za-z0-9]{36}|glpat-[A-Za-z0-9_-]{20,})' secret_re='(BEGIN (RSA|OPENSSH|EC) PRIVATE KEY|-----BEGIN PGP PRIVATE KEY BLOCK-----|aws_secret_access_key|AKIA[0-9A-Z]{16}|xox[baprs]-[0-9A-Za-z-]{10,}|ghp_[A-Za-z0-9]{36}|glpat-[A-Za-z0-9_-]{20,})'
git grep -nE "$secret_re" -- . matches="$(git grep -lE "$secret_re" -- .)"
status=$? status=$?
set -e set -e
if [ "$status" -eq 0 ]; then if [ "$status" -eq 0 ]; then
echo "❌ Potential secret detected. Remove it or encrypt it into vault/." echo "❌ Potential secret detected in:"
echo "$matches"
echo
echo "Remove it or encrypt it into vault/."
exit 1 exit 1
elif [ "$status" -ne 1 ]; then elif [ "$status" -ne 1 ]; then
echo "❌ Secret scan failed (git grep exit $status)." echo "❌ Secret scan failed (git grep exit $status)."