Search for vault and github secrets in the given list of repositories
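#!/usr/bin/env bash
#
# Inventory the secret *references* used by the CI of a list of repositories.
#
# Usage: secrets-inventory.sh <repo-list>
#   <repo-list>  file with one "owner/name" per line
#
# For every repository the script:
#   1. clones it shallowly with `gh` into ./.repos/<name> (branch main, falling
#      back to master) unless that directory already exists;
#   2. greps Jenkinsfile, .ci/Jenkinsfile and .ci/*.groovy for Vault paths
#      ('secret/' or 'totp/');
#   3. greps .github/workflows/*.yml and *.yaml for `secrets.` references and
#      for Vault paths;
#   4. lists the names of the repository's GitHub secrets with `gh secret list`
#      (needs admin access to the repository; without it gh prints an error on
#      stderr, lists nothing, and the repo is reported as having no secrets).
#
# Output: ./.repos/report.csv, one row per repository. The first four value
# columns are yes/no flags, the last four are ';'-joined lists.
#
# Security notes:
#   - Only secret *names* and Vault *paths* are collected, never values, but the
#     report is still a map of where credentials live. Treat it as sensitive.
#   - Scratch files live in a private mktemp directory removed on exit, not in
#     fixed, predictable /tmp paths that another local user could pre-create or
#     replace with a symlink between the `rm` and the `>>`.
#   - gh uses its own stored credentials; the token is never copied into a
#     shell variable or the environment. Avoid `set -x` anyway: traces would
#     show every command line.
#
# Requires: gh (authenticated), git, grep, sed, awk, sort, uniq, paste.

set -uo pipefail

REPO_LIST=${1:?usage: $0 <file with one owner/repo per line>}
export GH_PAGER=""

# Resolve the list to an absolute path before we cd into the work directory
# (the original "../$REPO_LIST" broke for absolute paths).
if [[ "$REPO_LIST" != /* ]]; then
  REPO_LIST="$PWD/$REPO_LIST"
fi
if [[ ! -r "$REPO_LIST" ]]; then
  printf 'cannot read repo list: %s\n' "$REPO_LIST" >&2
  exit 1
fi

# Private scratch directory, removed on any exit path.
scratch=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -rf -- "${scratch:?}"; }
trap cleanup EXIT

pipeline_secrets_file="$scratch/pipeline.secrets"
github_action_secrets_file="$scratch/github.secrets"
github_action_vault_secrets_file="$scratch/github.vault.secrets"

mkdir -p .repos
cd .repos || exit 1

# CSV header
echo "repo,jenkins-vault,action-with-vault,github-secrets,action-with-gh-secrets,jenkins-vault-secrets,vault-in-actions,gh-secrets,gh-secrets-in-actions" > report.csv

# Append every line of file $2 matching pattern $1 to file $3.
# grep's "no match" status (1) is deliberately ignored: an empty result is the
# normal case, not an error.
collect() {
  grep -- "$1" "$2" >> "$3" || true
}

# Print the line count of file $1, or 0 if it does not exist.
line_count() {
  if [[ -e "$1" ]]; then
    wc -l < "$1"
  else
    echo 0
  fi
}

# The repo list is read on fd 3 so that gh/git invoked inside the loop cannot
# consume the remaining lines from stdin.
while IFS= read -r -u 3 repo || [[ -n "$repo" ]]; do
  [[ -z "$repo" ]] && continue
  echo "$repo"
  dir=$(basename "$repo")

  ## Shallow clone if not already present: try main, then master.
  if [[ ! -d "$dir" ]]; then
    if ! gh repo clone "$repo" "$dir" -- --branch main --single-branch --quiet --depth 1; then
      gh repo clone "$repo" "$dir" -- --branch master --single-branch --quiet --depth 1
    fi
  fi
  # A repo that could not be cloned is skipped, not fatal, so one bad entry
  # does not truncate the inventory.
  if ! pushd "$dir" > /dev/null; then
    printf 'skip %s: clone failed\n' "$repo" >&2
    continue
  fi
  if ! git checkout main --quiet; then
    git checkout master --quiet
  fi

  ## Jenkins pipelines: Vault paths 'secret/' or 'totp/'
  rm -f -- "$pipeline_secrets_file"
  for f in Jenkinsfile .ci/Jenkinsfile .ci/*.groovy; do
    [[ -e "$f" ]] || continue   # an unmatched glob stays literal
    echo " Search vault secrets in $f"
    collect 'secret/' "$f" "$pipeline_secrets_file"
    collect 'totp/' "$f" "$pipeline_secrets_file"
  done
  pipeline_found=no
  pipeline_secrets=
  if [[ $(line_count "$pipeline_secrets_file") -gt 0 ]]; then
    pipeline_found=yes
    # Keep the quoted Vault path only: normalise " to ', then take whatever
    # sits between the quotes on each line.
    pipeline_secrets=$(sed "s#\"#'#g" "$pipeline_secrets_file" | sed "s#.*'\(.*\)'.*#\1#" | sort | uniq | paste -s -d';' -)
  fi

  ## GitHub Actions workflows: '{{ secrets.X }}' references and Vault paths
  github_found=no
  github_vault_found=no
  github_action_secrets=
  github_action_vault_secrets=
  rm -f -- "$github_action_secrets_file" "$github_action_vault_secrets_file"
  if [[ -d .github/workflows ]]; then
    # NUL-delimited find: file names may contain whitespace.
    while IFS= read -r -d '' f; do
      echo " Search vault and github secrets in $f"
      collect 'secrets\.' "$f" "$github_action_secrets_file"
      collect 'secret/' "$f" "$github_action_vault_secrets_file"
      collect 'totp/' "$f" "$github_action_vault_secrets_file"
    done < <(find .github/workflows \( -name '*.yml' -o -name '*.yaml' \) -print0)
    # TODO: composite actions (.github/actions/*/action.yml) can reference
    # secrets too; they are not scanned yet.
    if [[ $(line_count "$github_action_secrets_file") -gt 0 ]]; then
      github_found=yes
      github_action_secrets=$(sed 's#.*{{\(.*\)}}.*#\1#' "$github_action_secrets_file" | sort | uniq | paste -s -d';' -)
    fi
    if [[ $(line_count "$github_action_vault_secrets_file") -gt 0 ]]; then
      github_vault_found=yes
      github_action_vault_secrets=$(sed "s#\"#'#g" "$github_action_vault_secrets_file" | sed "s#.*\(secret/.*\) .*#\1#" | sed "s#.*\(totp/.*\) .*#\1#" | awk '{print $1}' | sort | uniq | paste -s -d';' -)
    fi
  fi

  ## Repository-level GitHub secrets (names only, one call instead of two)
  echo " Search GitHub secrets in the repo"
  github_secret_found=no
  github_secrets=
  # stdin is /dev/null so gh can never prompt and never eats the repo list.
  gh_secret_rows=$(gh secret list < /dev/null)
  if [[ -n "$gh_secret_rows" ]]; then
    github_secret_found=yes
    github_secrets=$(printf '%s\n' "$gh_secret_rows" | awk '{print $1}' | paste -s -d';' -)
  fi
  popd > /dev/null || exit 1

  # Lists are ';'-joined; fields are not CSV-quoted, so a name or path that
  # itself contains ',' would shift the columns (same as the original).
  echo "$repo,$pipeline_found,$github_vault_found,$github_found,$github_secret_found,$pipeline_secrets,$github_action_vault_secrets,$github_secrets,$github_action_secrets" | tee -a report.csv
done 3< "$REPO_LIST"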
Remove some grep/sed steps so that empty secret entries are no longer reported for GitHub Actions workflows, and detect when composite actions are used so that the secrets they reference are added as well: