Use RUNNER_TEMP for gitleaks and add flags

PrimeBuild-pc · PrimeBuild-pc · commit 28066620723b · 2026-04-15T23:47:18.000+02:00
Download and extract gitleaks into a temporary RUNNER_TEMP directory ($toolDir) and remove any existing copy before extraction. Adjust Expand-Archive/tar commands to use $toolDir and resolve the executable from that path. Add a step to remove vendored tool docs from the scan scope to avoid known false positives. Run gitleaks with --no-git and --exit-code 1 so the scan targets the working tree and fails the job on findings.
diff --git a/.github/workflows/ci-devsecops.yml b/.github/workflows/ci-devsecops.yml
@@ -68,19 +68,29 @@ jobs:
           $baseUrl = "https://github.com/gitleaks/gitleaks/releases/download/v$version"
           $zipAsset = "gitleaks_${version}_windows_x64.zip"
           $tarAsset = "gitleaks_${version}_windows_x64.tar.gz"
+          $toolDir = Join-Path $env:RUNNER_TEMP "gitleaks-bin"
+
+          if (Test-Path $toolDir) {
+            Remove-Item -Path $toolDir -Recurse -Force
+          }
 
           try {
             Invoke-WebRequest -Uri "$baseUrl/$zipAsset" -OutFile "gitleaks.zip"
-            Expand-Archive -Path "gitleaks.zip" -DestinationPath ".\\gitleaks-bin" -Force
+            Expand-Archive -Path "gitleaks.zip" -DestinationPath $toolDir -Force
           }
           catch {
             Invoke-WebRequest -Uri "$baseUrl/$tarAsset" -OutFile "gitleaks.tar.gz"
-            New-Item -ItemType Directory -Force -Path ".\\gitleaks-bin" | Out-Null
-            tar -xzf "gitleaks.tar.gz" -C ".\\gitleaks-bin"
+            New-Item -ItemType Directory -Force -Path $toolDir | Out-Null
+            tar -xzf "gitleaks.tar.gz" -C $toolDir
+          }
+
+          # Remove vendored tool docs from scan scope to avoid known upstream sample false positives.
+          if (Test-Path ".\\gitleaks-bin") {
+            Remove-Item -Path ".\\gitleaks-bin" -Recurse -Force
           }
 
-          $gitleaksExe = Resolve-Path ".\\gitleaks-bin\\gitleaks.exe"
-          & $gitleaksExe detect --source "." --redact --verbose --report-format json --report-path gitleaks-report.json
+          $gitleaksExe = Resolve-Path (Join-Path $toolDir "gitleaks.exe")
+          & $gitleaksExe detect --source "." --no-git --exit-code 1 --redact --verbose --report-format json --report-path gitleaks-report.json
 
       - name: Upload security artifacts
         if: always()
