bpsizemore/noseyparker-action
noseyparker-action


What is it?

Uses praetorian-inc/noseyparker to scan a repository for secrets.

How do I use it?

Below are some example workflows that make use of noseyparker-action.

Note: It is highly recommended to create and use a custom ruleset when integrating noseyparker into your CI/CD pipeline. Excessive noise and false positives will not help improve security! See the section below on custom rulesets.

Simple Example

This is the simplest workflow: it runs noseyparker on each push and fails the job, so that you are alerted, if there are any findings. You can review the action output for the human-readable report.

```yaml
name: Noseyparker
on: push
jobs:
  noseyparker:
    runs-on: ubuntu-latest
    name: Noseyparker Scan
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          path: main
      - name: Nose, Parker
        id: noseyparker
        uses: bpsizemore/[email protected]
        with:
          fail-on-finding: 'true'
```

Custom Rulesets and Arguments

Use the scan-args argument to pass any additional arguments to the scan command. You can use this alongside files within your repo to add custom rules, scan an entire GitHub org, target a remote repository, or use any other functionality provided by noseyparker's scan subcommand.

```yaml
name: Noseyparker
on: push
jobs:
  noseyparker:
    runs-on: ubuntu-latest
    name: Noseyparker Fail on Finding
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          path: main
      - name: Nose, Parker
        id: noseyparker
        continue-on-error: true
        uses: bpsizemore/[email protected]
        with:
          fail-on-finding: 'true'
          scan-args: '--ruleset custom-ruleset --rules ./main/np.rules'
      # Upload report to workspace artifacts
      - name: Upload Report
        uses: actions/upload-artifact@v4
        with:
          name: workspace_artifacts
          path: ${{ github.workspace }}/reports/
      - name: Fail on Noseyparker findings
        run: if ${{ steps.noseyparker.outputs.np_status_code == 2 }}; then exit 1; fi
```

The example above uses a custom rules file in your repository root called np.rules. Look at sample-rule.yaml to see what a valid ruleset looks like, and feel free to copy it into your repository as a starting point. Look at the rules documentation in the noseyparker repo for more information on creating your own rules and rulesets. To keep false positives down, either create custom rules that target secrets specific to your repositories, or enable rules gradually as you resolve their findings, so that a fixed finding cannot regress unnoticed later.
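An added example of what the np.rules file referenced by the workflow above could contain (this is not the project's sample-rule.yaml); it assumes noseyparker's YAML rule schema (name, id, pattern, examples, references) and that one file may carry both a rules list and a rulesets list so that `--ruleset custom-ruleset` resolves; the rule id, the `acme_*_key` naming and the sample value are constructed placeholders:

```yaml
# np.rules (constructed example): one repository-specific rule plus the
# ruleset that the workflow selects with `--ruleset custom-ruleset`.
rules:
  - name: Acme Internal API Key
    id: custom.acme.1          # hypothetical id; must be unique across loaded rules
    pattern: |
      (?x)(?i)
      \b acme_(?:live|test)_key \s* [:=] \s* ["']?
      ([a-z0-9]{32})           # capture group 1: the key material itself
      \b
    description: >
      Matches assignments of the hypothetical acme_live_key / acme_test_key
      values used in this repository's configuration files.
    references:
      - https://example.invalid/acme-keys   # placeholder reference
    examples:
      - 'acme_live_key = "4f3c2b1a0e9d8c7b6a5f4e3d2c1b0a9f"'   # constructed value

rulesets:
  - id: custom-ruleset
    name: Custom ruleset for this repository
    description: Only rules that have been triaged here; grow it as findings are resolved.
    include_rule_ids:
      - custom.acme.1
```

Keeping the ruleset limited to rule ids you have actually reviewed is what keeps `fail-on-finding: 'true'` from failing builds on noise.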

All Parameters


```yaml
  local-output:
    description: 'echo human-readable findings to console'
    required: false
    default: 'true'
  report-name:
    description: 'File name for the reports without the extension'
    required: false
    default: 'report'
  report-format-human:
    description: 'upload human readable (txt) formatted report'
    required: false
    default: 'false'
  report-format-json:
    description: 'upload json formatted report'
    required: false
    default: 'false'
  report-format-jsonl:
    description: 'upload jsonl formatted report'
    required: false
    default: 'false'
  report-format-sarif:
    description: 'upload sarif formatted report'
    required: false
    default: 'false'
  scan-directory:
    description: 'relative directory of the repo to scan from $GITHUB_WORKSPACE'
    required: false
    default: 'main'
  fail-on-finding:
    description: 'set to true to interrupt the pipeline if there are any findings'
    required: false
    default: 'false'
  scan-args:
    description: 'Arguments to pass to scan - this is passed after datastore and scan-directory are specified. Arguments like --github-user will override the scan directory for local scanning.'
    required: false
    default: ''
```

Other Examples

Upload reports to workspace artifacts on failure

noseyparker-action exits with status 2 if there are findings and fail-on-finding is set to true. See the GitHub docs on workspace artifacts for more details on where reports are stored. You can use the report-format-x arguments to specify which report types should be generated. Note that report-format-human is forced to true when local-output is true, and report-format-json is forced to true when fail-on-finding is true.

```yaml
name: Noseyparker
on: push
jobs:
  noseyparker:
    runs-on: ubuntu-latest
    name: Noseyparker Scan
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          path: main
      - name: Nose, Parker
        id: noseyparker
        continue-on-error: true
        uses: bpsizemore/[email protected]
        with:
          fail-on-finding: 'true'
          report-format-human: 'true'
          report-format-json: 'true'
          report-format-jsonl: 'true'
          report-format-sarif: 'true'
      - name: Upload Report
        uses: actions/upload-artifact@v4
        with:
          name: workspace_artifacts
          path: ${{ github.workspace }}/reports/
      - name: Fail on Noseyparker findings
        run: if ${{ steps.noseyparker.outputs.np_status_code == 2 }}; then exit 1; fi
```

Contributing

Feel free to open a PR if you would like to contribute improvements and I will review and consider using it. You can also fork this repository and make alternative public, or private, versions for use in your repo.

If you have custom rulesets or rules that you build for your own repositories, please consider contributing them back to the official noseyparker repository.