feat: implement gitleaks reviewdog action (#2)

.github/workflows/test.yml

@@ -6,7 +6,7 @@ on:
   pull_request:
 jobs:
   test-check:
-    name: runner / <linter-name> (github-check)
+    name: runner / gitleaks (github-check)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -15,11 +15,10 @@ jobs:
           github_token: ${{ secrets.github_token }}
           reporter: github-check
           level: info
-          locale: "US"
 
   test-pr-check:
     if: github.event_name == 'pull_request'
-    name: runner / <linter-name> (github-pr-check)
+    name: runner / gitleaks (github-pr-check)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -28,19 +27,26 @@ jobs:
           github_token: ${{ secrets.github_token }}
           reporter: github-pr-check
           level: warning
-          locale: "US"
-          workdir: ./testdata/subdir/
+          workdir: ./testdata/
 
   test-pr-review:
     if: github.event_name == 'pull_request'
-    name: runner / <linter-name> (github-pr-review)
+    name: runner / gitleaks (github-pr-review)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
       - uses: ./
+        id: github-pr-review
         with:
           github_token: ${{ secrets.github_token }}
           reporter: github-pr-review
           level: error
-          locale: "US"
           reviewdog_flags: -filter-mode=file -fail-on-error
+        continue-on-error: true
+      - name: Check that failed
+        shell: bash
+        run: |
+          if ! [[ ${{ steps.github-pr-review.outcome }} == 'failure' ]]; then
+            echo "Previous step should have failed!!"
+            exit 1
+          fi

Dockerfile

@@ -1,16 +1,24 @@
 FROM alpine:3.18
 
 ENV REVIEWDOG_VERSION=v0.14.1
+ENV GITLEAKS_VERSION=8.17.0
 
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
-# hadolint ignore=DL3006
-RUN apk --no-cache add git
+# hadolint ignore=DL3018
+RUN apk --no-cache add git jq
 
-RUN wget -O - -q https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh| sh -s -- -b /usr/local/bin/ ${REVIEWDOG_VERSION}
+RUN wget -O - -q https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh \
+    | sh -s -- -b /usr/local/bin/ ${REVIEWDOG_VERSION}
 
-# TODO: Install a linter and/or change docker image as you need.
-RUN wget -O - -q https://git.io/misspell | sh -s -- -b /usr/local/bin/
+RUN mkdir -p /opt/gitleaks
+
+RUN wget -O - -q "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+    | tar -xvz -C /opt/gitleaks
+
+RUN ln -s /opt/gitleaks/gitleaks /usr/local/bin/gitleaks
+
+COPY gitleaks-to-rdjson.jq /gitleaks-to-rdjson.jq
 
 COPY entrypoint.sh /entrypoint.sh
 

README.md

@@ -1,29 +1,20 @@
-# action-template
-
-<!-- TODO: replace reviewdog/action-template with your repo name -->
-[![Test](https://github.com/reviewdog/action-template/workflows/Test/badge.svg)](https://github.com/reviewdog/action-template/actions?query=workflow%3ATest)
-[![reviewdog](https://github.com/reviewdog/action-template/workflows/reviewdog/badge.svg)](https://github.com/reviewdog/action-template/actions?query=workflow%3Areviewdog)
-[![depup](https://github.com/reviewdog/action-template/workflows/depup/badge.svg)](https://github.com/reviewdog/action-template/actions?query=workflow%3Adepup)
-[![release](https://github.com/reviewdog/action-template/workflows/release/badge.svg)](https://github.com/reviewdog/action-template/actions?query=workflow%3Arelease)
-[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/reviewdog/action-template?logo=github&sort=semver)](https://github.com/reviewdog/action-template/releases)
-[![action-bumpr supported](https://img.shields.io/badge/bumpr-supported-ff69b4?logo=github&link=https://github.com/haya14busa/action-bumpr)](https://github.com/haya14busa/action-bumpr)
-
-![github-pr-review demo](https://user-images.githubusercontent.com/3797062/73162963-4b8e2b00-4132-11ea-9a3f-f9c6f624c79f.png)
-![github-pr-check demo](https://user-images.githubusercontent.com/3797062/73163032-70829e00-4132-11ea-8481-f213a37db354.png)
+# action-gitleaks
 
-This is a template repository for [reviewdog](https://github.com/reviewdog/reviewdog) action with release automation.
-Click `Use this template` button to create your reviewdog action :dog:!
+[![Test](https://github.com/reviewdog/action-gitleaks/workflows/Test/badge.svg)](https://github.com/reviewdog/action-gitleaks/actions?query=workflow%3ATest)
+[![reviewdog](https://github.com/reviewdog/action-gitleaks/workflows/reviewdog/badge.svg)](https://github.com/reviewdog/action-gitleaks/actions?query=workflow%3Areviewdog)
+[![depup](https://github.com/reviewdog/action-gitleaks/workflows/depup/badge.svg)](https://github.com/reviewdog/action-gitleaks/actions?query=workflow%3Adepup)
+[![release](https://github.com/reviewdog/action-gitleaks/workflows/release/badge.svg)](https://github.com/reviewdog/action-gitleaks/actions?query=workflow%3Arelease)
+[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/reviewdog/action-gitleaks?logo=github&sort=semver)](https://github.com/reviewdog/action-gitleaks/releases)
+[![action-bumpr supported](https://img.shields.io/badge/bumpr-supported-ff69b4?logo=github&link=https://github.com/haya14busa/action-bumpr)](https://github.com/haya14busa/action-bumpr)
 
-If you want to create your own reviewdog action from scratch without using this
-template, please check and copy release automation flow.
-It's important to manage release workflow and sync reviewdog version for all
-reviewdog actions.
+<!--![github-pr-review demo](https://user-images.githubusercontent.com/3797062/73162963-4b8e2b00-4132-11ea-9a3f-f9c6f624c79f.png)-->
+<!--![github-pr-check demo](https://user-images.githubusercontent.com/3797062/73163032-70829e00-4132-11ea-8481-f213a37db354.png)-->
 
-This repo contains a sample action to run [misspell](https://github.com/client9/misspell).
+This action runs [gitleaks](https://github.com/gitleaks/gitleaks) with
+[reviewdog](https://github.com/reviewdog/reviewdog) on pull requests to improve code review experience.
 
 ## Input
 
-<!-- TODO: update -->
 ```yaml
 inputs:
   github_token:
@@ -37,7 +28,7 @@ inputs:
     description: 'Report level for reviewdog [info,warning,error]'
     default: 'error'
   reporter:
-    description: 'Reporter of reviewdog command [github-pr-check,github-check,github-pr-review].'
+    description: 'Reporter of reviewdog command [github-pr-check,github-pr-review].'
     default: 'github-pr-check'
   filter_mode:
     description: |
@@ -52,26 +43,24 @@ inputs:
   reviewdog_flags:
     description: 'Additional reviewdog flags'
     default: ''
-  ### Flags for <linter-name> ###
-  locale:
-    description: '-locale flag of misspell. (US/UK)'
+  ### Flags for gitleaks ###
+  gitleaks_flags:
+    description: "flags and args of gitleaks command. Default: ''"
     default: ''
 ```
 
 ## Usage
-<!-- TODO: update. replace `template` with the linter name -->
 
 ```yaml
 name: reviewdog
 on: [pull_request]
 jobs:
-  # TODO: change `linter_name`.
-  linter_name:
-    name: runner / <linter-name>
+  gitleaks:
+    name: runner / gitleaks
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: reviewdog/action-template@v1
+      - uses: reviewdog/action-gitleaks@v1
         with:
           github_token: ${{ secrets.github_token }}
           # Change reviewdog reporter if you need [github-pr-check,github-check,github-pr-review].
@@ -96,7 +85,7 @@ ref: https://help.github.com/en/articles/about-actions#versioning-your-action
 
 ### Lint - reviewdog integration
 
-This reviewdog action template itself is integrated with reviewdog to run lints
+This reviewdog action itself is integrated with reviewdog to run lints
 which is useful for Docker container based actions.
 
 ![reviewdog integration](https://user-images.githubusercontent.com/3797062/72735107-7fbb9600-3bde-11ea-8087-12af76e7ee6f.png)
@@ -106,9 +95,10 @@ Supported linters:
 - [reviewdog/action-shellcheck](https://github.com/reviewdog/action-shellcheck)
 - [reviewdog/action-hadolint](https://github.com/reviewdog/action-hadolint)
 - [reviewdog/action-misspell](https://github.com/reviewdog/action-misspell)
+- [reviewdog/action-alex](https://github.com/reviewdog/action-alex)
 
 ### Dependencies Update Automation
 This repository uses [reviewdog/action-depup](https://github.com/reviewdog/action-depup) to update
 reviewdog version.
 
-[![reviewdog depup demo](https://user-images.githubusercontent.com/3797062/73154254-170e7500-411a-11ea-8211-912e9de7c936.png)](https://github.com/reviewdog/action-template/pull/6)
+[![reviewdog depup demo](https://user-images.githubusercontent.com/3797062/73154254-170e7500-411a-11ea-8211-912e9de7c936.png)](https://github.com/reviewdog/action-gitleaks/pull/6)

action.yml

@@ -1,6 +1,6 @@
-name: 'TODO: Run <linter-name> with reviewdog'
-description: 'TODO: 🐶 Run <linter-name> with reviewdog on pull requests to improve code review experience.'
-author: 'TODO: <your-name>'
+name: 'Run gitleaks with reviewdog'
+description: '🐶 Run gitleaks with reviewdog on pull requests to improve code review experience.'
+author: 'tvcsantos'
 inputs:
   github_token:
     description: 'GITHUB_TOKEN'
@@ -28,16 +28,15 @@ inputs:
   reviewdog_flags:
     description: 'Additional reviewdog flags'
     default: ''
-  ### Flags for <linter-name> ###
-  locale:
-    description: '-locale flag of misspell. (US/UK)'
+  ### Flags for gitleaks ###
+  gitleaks_flags:
+    description: "flags and args of gitleaks command. Default: ''"
     default: ''
 runs:
   using: 'docker'
   image: 'Dockerfile'
 
 # Ref: https://haya14busa.github.io/github-action-brandings/
-# TODO: update branding if you want.
 branding:
-  icon: 'check'
+  icon: 'shield'
   color: 'blue'

entrypoint.sh

@@ -8,11 +8,17 @@ fi
 
 export REVIEWDOG_GITHUB_API_TOKEN="${INPUT_GITHUB_TOKEN}"
 
-misspell -locale="${INPUT_LOCALE}" . \
-  | reviewdog -efm="%f:%l:%c: %m" \
-      -name="linter-name (misspell)" \
-      -reporter="${INPUT_REPORTER:-github-pr-check}" \
-      -filter-mode="${INPUT_FILTER_MODE}" \
-      -fail-on-error="${INPUT_FAIL_ON_ERROR}" \
-      -level="${INPUT_LEVEL}" \
-      ${INPUT_REVIEWDOG_FLAGS}
+TEMP_FILE="$(mktemp)"
+
+# shellcheck disable=SC2086
+gitleaks detect -r "$TEMP_FILE" -f json ${INPUT_GITLEAKS_FLAGS} || true
+
+# shellcheck disable=SC2086
+jq -f /gitleaks-to-rdjson.jq -c "$TEMP_FILE" \
+  | reviewdog -f="rdjson" \
+    -name="gitleaks" \
+    -reporter="${INPUT_REPORTER:-github-pr-check}" \
+    -filter-mode="${INPUT_FILTER_MODE}" \
+    -fail-on-error="${INPUT_FAIL_ON_ERROR}" \
+    -level="${INPUT_LEVEL}" \
+    ${INPUT_REVIEWDOG_FLAGS}

gitleaks-to-rdjson.jq

@@ -0,0 +1,27 @@
+# Convert gitleaks JSON output to Reviewdog Diagnostic Format (rdjson)
+# https://github.com/reviewdog/reviewdog/blob/f577bd4b56e5973796eb375b4205e89bce214bd9/proto/rdf/reviewdog.proto
+{
+  source: {
+    name: "gitleaks",
+    url: "https://github.com/gitleaks/gitleaks"
+  },
+  diagnostics: . | map({
+    message: .Description,
+    code: {
+      value: .RuleID
+    } ,
+    location: {
+      path: .File,
+      range: {
+        start: {
+          line: .StartLine,
+          column: .StartColumn
+        },
+        end: {
+          line: .EndLine,
+          column: .EndColumn
+        }
+      }
+    }
+  })
+}

testdata/api.go

@@ -0,0 +1,24 @@
+package main
+
+import "fmt"
+
+func main() {
+
+	var a = "initial"
+	fmt.Println(a)
+
+	var b, c int = 1, 2
+	fmt.Println(b, c)
+
+	var d = true
+	fmt.Println(d)
+
+	var e int
+	fmt.Println(e)
+
+	// opps I added a secret at line 20
+	awsToken := "AKIALALEMEL33243OLIA"
+
+	f := "apple"
+	fmt.Println(f)
+}