ci: add gitleaks scanning workflow and custom rules (#142)

This commit is contained in:
iyaozhen
2026-04-02 16:51:20 +08:00
committed by GitHub
parent 0f96bdf5e8
commit 112dd5f6b2
2 changed files with 44 additions and 0 deletions

28
.github/workflows/gitleaks.yml vendored Normal file
View File

@@ -0,0 +1,28 @@
name: Gitleaks
on:
pull_request:
branches: [main]
push:
branches: [main]
workflow_dispatch:
permissions:
contents: read
jobs:
gitleaks:
# Forked pull_request runs do not receive repository/org secrets except GITHUB_TOKEN.
if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
env:
# GITHUB_TOKEN is provided automatically by GitHub Actions.
# GITLEAKS_KEY must be configured as a repository secret.
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_KEY }}

16
.gitleaks.toml Normal file
View File

@@ -0,0 +1,16 @@
title = "lark-cli gitleaks config"
[extend]
useDefault = true
[[rules]]
id = "lark-bot-app-id"
description = "Detect Lark bot app ids"
regex = '''\bcli_[a-z0-9]{16}\b'''
keywords = ["cli_"]
[[rules]]
id = "lark-session-token"
description = "Detect Lark session tokens"
regex = '''\bXN0YXJ0-[A-Za-z0-9_-]+-WVuZA\b'''
keywords = ["XN0YXJ0-", "-WVuZA"]