Merge pull request #1 from brightwheel/add-secrets-scanning-workflow

ezrapagel · web-flow · commit 85366a209240 · 2026-01-27T19:50:58.000Z
[chore] add secrets scanning workflow latest
diff --git a/.appsec/.gitleaksignore b/.appsec/.gitleaksignore
@@ -0,0 +1,3 @@
+# .gitleaksignore - fingerprint-based ignore file for secrets scanning
+# Format: commit:file:rule:line
+# Add fingerprints from scan results to ignore specific findings
diff --git a/.appsec/gitleaks.toml b/.appsec/gitleaks.toml
@@ -0,0 +1,32 @@
+# gitleaks configuration for aws-lambda-redshift-loader secrets scanning
+# extends base config from scanner container at /etc/appsec/scanner/gitleaks-base.toml
+#
+# add repo-specific allowlists below to handle false positives unique to this repo.
+# for common patterns across all repos, update the base config in appsec-tooling instead.
+
+title = "aws-lambda-redshift-loader secrets scan"
+
+[extend]
+path = "/etc/appsec/scanner/gitleaks-base.toml"
+
+# uncomment and add repo-specific patterns as needed:
+#
+# [[allowlists]]
+# description = "test fixtures and example code"
+# paths = [
+#   '''test/fixtures/.*''',
+#   '''examples/.*''',
+# ]
+#
+# [[allowlists]]
+# description = "exact string matches to ignore"
+# stopwords = [
+#   "EXAMPLE_API_KEY_NOT_REAL",
+# ]
+#
+# [[allowlists]]
+# description = "regex patterns to ignore"
+# regexTarget = "match"
+# regexes = [
+#   '''pk_test_[a-zA-Z0-9]+''',  # stripe test keys
+# ]
diff --git a/.github/workflows/secrets-scan.yaml b/.github/workflows/secrets-scan.yaml
@@ -0,0 +1,31 @@
+# GitHub Actions workflow that calls the brightwheel appsec-tooling reusable workflow for secrets
+# scanning on protected branches.
+#
+# DEPENDENCIES:
+#
+#  * Organization-level Variable (Settings → Secrets and variables → Actions → Variables):
+#    - APPSEC_SCANNER_PULL_ROLE_ARN: AWS IAM role ARN for ECR scanner image access via OIDC
+
+name: Secrets Scan
+
+on:
+  # Automatic scanning on every push to PR branches
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches:
+      - master
+  # Manual trigger
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: "PR number to scan (optional)"
+        required: false
+      ref:
+        description: "Branch/ref to scan (optional, defaults to current)"
+        required: false
+
+jobs:
+  scan:
+    if: ${{ !github.event.pull_request.draft || github.event_name == 'workflow_dispatch' }}
+    uses: brightwheel/appsec-tooling/.github/workflows/reusable-secrets-scan.yaml@main
+    secrets: inherit

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# .gitleaksignore - fingerprint-based ignore file for secrets scanning`
	`2`	`+# Format: commit:file:rule:line`
	`3`	`+# Add fingerprints from scan results to ignore specific findings`