Phase 6: Add security analysis with GitGuardian, Snyk, and SonarCloud #2

Workflow file for this run

Check failure on line 1 in .github/workflows/gitguardian.yml

GitHub Actions / .github/workflows/gitguardian.yml

Invalid workflow file

(Line: 32, Col: 9): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.GITGUARDIAN_API_KEY != ''

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: GitGuardian Secrets Scan

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

permissions:
  contents: read

jobs:
  scanning:
    name: GitGuardian Scan
    runs-on: ubuntu-latest
    # Only run if GITGUARDIAN_API_KEY is set (optional - GitGuardian app integration is primary method)
    if: ${{ secrets.GITGUARDIAN_API_KEY != '' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Full history for better secret detection
      - name: GitGuardian Scan
        uses: GitGuardian/ggshield-action@v1
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
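
The annotation above is raised because the `secrets` context is not available in a job-level `if`. One way to keep the scan optional, shown as an added example that is not the repository's own workflow file: a gate step (the step id `gate` and output name `enabled` are assumptions chosen for this example) reads the secret through its own `env` and later steps test its output, so the key is exposed only to the gate and the scan step.

```yaml
# Added example, not the repository's workflow file.
name: GitGuardian Secrets Scan

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

permissions:
  contents: read

jobs:
  scanning:
    name: GitGuardian Scan
    runs-on: ubuntu-latest
    steps:
      # `secrets` may be used in a step's `env`; an unset secret is an empty string.
      - name: Check whether the API key is configured
        id: gate                     # hypothetical step id
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
        run: |
          if [ -n "$GITGUARDIAN_API_KEY" ]; then
            echo "enabled=true" >> "$GITHUB_OUTPUT"
          else
            echo "enabled=false" >> "$GITHUB_OUTPUT"
          fi

      # The `steps` context is available in a step-level `if`.
      - name: Checkout repository
        if: steps.gate.outputs.enabled == 'true'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Full history for better secret detection

      - name: GitGuardian Scan
        if: steps.gate.outputs.enabled == 'true'
        uses: GitGuardian/ggshield-action@v1
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
```

With this layout the job still starts and reports success when the key is absent, with the checkout and scan steps shown as skipped. Repository secrets are not passed to `pull_request` runs from forks, so those runs skip the scan as well.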