ENG-171 Run GitGuardian in CI as part of Unified CI in Integrations

If you add the GitGuardian app globally to the org, it only scans code when a PR is opened. This doesn't protect us against the case where someone just creates a branch with plaintext credentials, *but doesn't create a PR*. Adding GitGuardian scans as a GitHub action with a "on push" trigger will make GitGuardian scan all code that appears in the repo, rather than just code which is part of a PR. To make this work, you will need to add GITGUARDIAN_API_KEY GitHub secret in each repository. Organization-wide GitHub secrets apply only on private repositories, so to cover all repos reliably you'll need to create a regular per-repo secret, not an org-wide one.
vuestorefront · Nov 15, 2023 · 33226da · 33226da
1 parent 8130a3b
commit 33226da
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -24,6 +24,28 @@ env:
   GCP_PROJECT_NAME: sf-artifacts-prod
 
 jobs:
+  name: GitGuardian scan
+
+on: [push, pull_request]
+
+jobs:
+  scanning:
+    name: GitGuardian scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # fetch all history so multiple commits can be scanned
+      - name: GitGuardian scan
+        uses: GitGuardian/[email protected]
+        env:
+          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
+          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
+          GITHUB_PULL_BASE_SHA:  ${{ github.event.pull_request.base.sha }}
+          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+
   run-ci:
     name: Run CI
     runs-on: ubuntu-latest