oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: improve git diff detection in security scanning workflow
All checks were successful
Security Scanning / security-scan (push) Successful in 24s
Details

Browse Source 
Changed from `git show` to `git diff HEAD^ HEAD` for more reliable detection of changed files in push/PR events. Also increased clone depth from 1 to 2 and added explicit fetch/checkout of the target ref to ensure HEAD^ is available for comparison.
This commit is contained in:
aitbc
2026-04-19 20:33:31 +02:00
parent 9cdb541609
commit 23b57c4eca
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
.gitea/workflows/security-scanning.yml
View File

@@ -30,7 +30,10 @@ jobs:
rm -rf "$WORKSPACE" rm -rf "$WORKSPACE"
mkdir -p "$WORKSPACE" mkdir -p "$WORKSPACE"
cd "$WORKSPACE" cd "$WORKSPACE"
git clone --depth 1 http://gitea.bubuit.net:3000/oib/aitbc.git repo git clone --depth 2 http://gitea.bubuit.net:3000/oib/aitbc.git repo
cd repo
git fetch --depth 2 origin "${{ github.ref }}"
git checkout --detach FETCH_HEAD
- name: Setup tools - name: Setup tools
run: | run: |
@@ -63,7 +66,7 @@ jobs:
--severity-level medium \ --severity-level medium \
-f txt -q -f txt -q
else else
mapfile -t python_files < <(git show --name-only --pretty="" --diff-filter=ACMR HEAD | grep -E '^((apps|cli)/.*|packages/py/.*)\.py$' || true) mapfile -t python_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/py/.*)\.py$' || true)
if [[ ${#python_files[@]} -eq 0 ]]; then if [[ ${#python_files[@]} -eq 0 ]]; then
echo "✅ No changed Python files to scan" echo "✅ No changed Python files to scan"
@@ -91,7 +94,7 @@ jobs:
grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
else else
mapfile -t changed_files < <(git show --name-only --pretty="" --diff-filter=ACMR HEAD | grep -E '^((apps|cli)/.*|packages/.*)$' || true) mapfile -t changed_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/.*)$' || true)
if [[ ${#changed_files[@]} -eq 0 ]]; then if [[ ${#changed_files[@]} -eq 0 ]]; then
echo "✅ No changed files to scan for secrets" echo "✅ No changed files to scan for secrets"