ci: Public repo secret scanner (#704)

--------- Co-authored-by: Guillaume Mulocher <gmulocher@arista.com>
aristanetworks · Jun 12, 2024 · 33bc7d2 · 33bc7d2
1 parent 0202460
commit 33bc7d2
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
@@ -10,6 +10,21 @@ jobs:
   scan_secret:
     name: Scan incoming changes
     runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/aristanetworks/secret-scanner-service:main
+      options: --name sss-scanner
     steps:
+      - name: Checkout ${{ github.ref }}
+        # Hitting https://github.com/actions/checkout/issues/334 so trying v1
+        uses: actions/checkout@v1
+        with:
+          fetch-depth: 0
       - name: Run scanner
-        uses: aristanetworks/secret-scanner-service@main
+        run: |
+          git config --global --add safe.directory $GITHUB_WORKSPACE
+          scanner commit . github ${{ github.repository }} \
+             --markdown-file job_summary.md \
+             ${{ github.event_name == 'pull_request' && format('--since-commit {0}', github.event.pull_request.base.sha) || ''}}
+      - name: Write result to summary
+        run: cat ./job_summary.md >> $GITHUB_STEP_SUMMARY
+        if: ${{ always() }}