GitGuardian / ggshield

Find and fix 400+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.

Home Page: https://gitguardian.com

Scan does not fail in github action when missing credentials

gg-mmill opened this issue · comments

Environment

GGShield github action from https://github.com/GitGuardian/ggcanary/blob/main/.github/workflows/main.yml

Describe the bug

When running without credentials, the job does not fail, and commits appear to be scanned (at least in the UI)

Steps to reproduce:

  1. Use given github action in a repository without any credential configured
  2. Commit on the repository

Actual result:

The commits appear to be scanned in the action:


Run GitGuardian/gg-shield/actions/secret@main
/usr/bin/docker run --name ae1c2cb4cc9bbe39f4dae4a511e_dd5f8a --label 290506 --workdir /github/workspace --rm -e "GITHUB_PUSH_BEFORE_SHA" -e "GITHUB_PUSH_BASE_SHA" -e "GITHUB_PULL_BASE_SHA" -e "GITHUB_DEFAULT_BRANCH" -e "GITGUARDIAN_API_KEY" -e "INPUT_ARGS" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/ggcanary/ggcanary":"/github/workspace" 290506:82046ae1c2cb4cc9bbe39f4dae4a511e  ""
Could not save time of version check to cache: [Errno 13] Permission denied: '/github/home/.cache'
github_push_before_sha: 
github_push_base_sha: 
github_pull_base_sha: 6e14f9de59fe05dd14b9077cc5793d5f30140ea2
github_default_branch: main
github_head_sha: 4d2d0f101b73e8f094ea39d0b5412b3620266f8a
Commits to scan: 2
status_code=401 detail=Invalid token header. No credentials provided.

Invalid token header. No credentials provided.

Invalid token header. No credentials provided.
Scanning Commits... ━━━━━━━━━━━━━━━━━━━━ 100% 2 commits scanned out of 2 0:00:00

secrets-engine-version: 2.82.0

(source: https://github.com/GitGuardian/ggcanary/actions/runs/3893827906/jobs/6649064718)

Expected result:

The check fails.

Note that:

  • this action is run on a fork of a repository with configured credentials (so the credentials are not passed to this action).
  • the ggshield iac scan fails as expected:
Run GitGuardian/gg-shield/actions/iac@main
/usr/bin/docker run --name ae151ee463b448eb4f198b6723ff570_e5ffb9 --label 290506 --workdir /github/workspace --rm -e "GITHUB_DEFAULT_BRANCH" -e "GITGUARDIAN_API_KEY" -e "INPUT_ARGS" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/ggcanary/ggcanary":"/github/workspace" 290506:1ae151ee463b448eb4f198b6723ff570  "./"
Could not save time of version check to cache: [Errno 13] Permission denied: '/github/home/.cache'
ignoring binary file: ./lambda/tests/data/logs_no_ggcanary.json.gz
ignoring empty file: ./lambda/requirements.txt
ignoring binary file: ./lambda/tests/data/logs_w_ggcanary.json.gz
- ./lambda.tf
- ./lambda/Pipfile.lock
- ./lambda/tests/test_notifiers.py
- ./lambda/setup.cfg
- ./lambda/entrypoint.py
- ./lambda/lambda_py/notifiers/format_utils.py
- ./lambda/tests/data/ggcanary_lambda_parameters.json
- ./examples/tf_vars/slack.tfvars.example
- ./scripts/ggcanary_call.sh
- ./lambda/lambda_py/notifiers/webhook_notifier.py
- ./README.md
- ./lambda/lambda_py/lambda_function.py
- ./trail.tf
- ./tf_backend/variables.tf
- ./lambda/Pipfile
- ./lambda/lambda_py/notifiers/__init__.py
- ./scripts/generate_hashes.py
- ./docs/deploy_user_rights.md
- ./main.tf
- ./canary_users.tf
- ./outputs.tf
- ./scripts/display_ggcanary_credentials.sh
- ./.github/workflows/main.yml
- ./docs/how_to_add_a_notifier.md
- ./lambda/tests/conftest.py
- ./backend.tf
- ./ggcanaries.auto.tfvars
- ./.env.example
- ./docs/variables_reference.md
- ./.gitignore
- ./tf_backend/main.tf
- ./lambda/lambda_py/notifiers/abstract_notifier.py
- ./lambda/tests/test_lambda.py
- ./lambda/lambda_py/notifiers/ses_notifier.py
- ./scripts/lint.sh
- ./examples/tf_vars/ses.tfvars.example
- ./lambda/lambda_py/notifiers/sendgrid_notifier.py
- ./LICENSE
- ./scripts/show_current_backend_profile.sh
- ./examples/tf_vars/multiple_notifiers.tfvars.example
- ./.pre-commit-config.yaml
- ./lambda/lambda_py/types.py
- ./scripts/list_keys.sh
- ./variables.tf
- ./lambda/lambda_py/notifiers/slack_notifier.py
- ./examples/tf_vars/sendgrid.tfvars.example
- ./lambda/Makefile
- ./ses_domain_identity.tf
- ./scripts/check_setup.sh
status_code=401 detail=Invalid token header. No credentials provided.
Usage: ggshield iac scan [OPTIONS] DIRECTORY
Try 'ggshield iac scan -h' for help.

Error: Invalid token header. No credentials provided.

(source: https://github.com/GitGuardian/ggcanary/actions/runs/3893827906/jobs/6649065077)
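Added example (not part of the issue above and not code from ggshield or the ggcanary workflow): a small POSIX shell guard for a CI step that makes the failure mode described in this issue impossible to miss. It refuses to start when GITGUARDIAN_API_KEY is empty (the case on a pull request from a fork, where GitHub withholds repository secrets), and it fails the step when the captured scanner output contains the 401 lines shown above, even though the tool itself exited 0 and reported "2 commits scanned out of 2". The two sample_* functions are constructed stand-ins for the scanner, modelled on the log in the report; the function names and the choice of "status_code=401" / "Invalid token header" as the strings to match are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from ggshield or the ggcanary workflow.
# Makes a CI secret-scan step fail when the scan could not authenticate,
# instead of passing with "N commits scanned out of N" after a 401.
# Assumptions: the scanner is invoked as a command whose output can be
# captured to a file, and "status_code=401" / "Invalid token header" are
# the strings that identify an unauthenticated run (taken from the log above).

# Guard 1: refuse to start when the key is absent. On pull requests from a
# fork GitHub does not expose repository secrets, so the variable is empty.
require_api_key() {
    if [ -z "${GITGUARDIAN_API_KEY:-}" ]; then
        echo "::error::GITGUARDIAN_API_KEY is empty; cannot authenticate a scan" >&2
        return 1
    fi
}

# Guard 2: inspect the captured output. A 401 from the API means no commit
# was actually scanned, whatever exit status the tool returned.
check_scan_output() {
    if grep -q -e 'status_code=401' -e 'Invalid token header' "$1"; then
        echo "::error::scan output contains authentication failures; nothing was scanned" >&2
        return 1
    fi
}

# Run the scanner given as arguments, echo its output, and fail on either a
# non-zero exit status or an unauthenticated run. Written to be safe under
# "set -e" (the `|| rc=$?` pattern records a failure without aborting).
run_scan_strict() {
    require_api_key || return 1
    log=$(mktemp) || return 1
    rc=0
    "$@" >"$log" 2>&1 || rc=$?
    cat "$log"
    if [ "$rc" -eq 0 ]; then
        check_scan_output "$log" || rc=$?
    fi
    rm -f "$log"
    return "$rc"
}

# Constructed sample scanner outputs for offline use, modelled on the log in
# the report. Both exit 0, which is exactly the behaviour the issue reports.
sample_unauth_scan() {
    cat <<'EOF'
Commits to scan: 2
status_code=401 detail=Invalid token header. No credentials provided.
Invalid token header. No credentials provided.
Invalid token header. No credentials provided.
Scanning Commits... 100% 2 commits scanned out of 2 0:00:00
EOF
}

sample_ok_scan() {
    cat <<'EOF'
Commits to scan: 2
Scanning Commits... 100% 2 commits scanned out of 2 0:00:00
EOF
}

# Demo when run directly as "sh scan_guard.sh demo": the unauthenticated
# sample must be rejected and the clean sample must pass.
if [ "${1:-}" = "demo" ]; then
    export GITGUARDIAN_API_KEY="dummy-key-for-demo"
    if run_scan_strict sample_unauth_scan; then
        echo "BUG: unauthenticated scan passed"
    else
        echo "unauthenticated sample correctly rejected"
    fi
    run_scan_strict sample_ok_scan && echo "clean sample passed"
fi
```

In a workflow, the step would source this file and wrap the real invocation (for example `run_scan_strict ggshield secret scan ci`) with the secret mapped into GITGUARDIAN_API_KEY via `env:`. Matching on the error strings is a stopgap for the behaviour reported here; the durable fix is the tool returning a non-zero exit status on a 401, as the iac scan in the report already does.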

This is fixed now.