47 changes: 47 additions & 0 deletions .github/workflows/scan-for-secrets.yml
@@ -0,0 +1,47 @@
name: Scan for Secrets

on:
pull_request: {}
merge_group:
types: [checks_requested]
workflow_dispatch: {}

jobs:
scan_for_secrets:
name: public
runs-on: ubuntu-latest
permissions:
contents: read
# Skip Dependabot PRs and auto-pass in merge queue (base branch already scanned)
if: |
github.actor != 'dependabot[bot]' &&
github.actor != 'github-actions[bot]'
steps:
- name: Establish event metadata
id: establish_metadata
shell: bash
env:
EVENT_NAME: ${{ github.event_name }}
PR_COMMITS: ${{ github.event.pull_request.commits }}
PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
run: |
if [[ "$EVENT_NAME" == "pull_request" ]]; then
echo "fetch_depth=$(($PR_COMMITS + 2))" >> $GITHUB_OUTPUT
echo "branch=$PR_HEAD_REF" >> $GITHUB_OUTPUT
fi

- name: Auto-pass in merge queue
if: github.event_name == 'merge_group'
run: echo 'Auto-passing in merge queue'

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
if: github.event_name == 'pull_request'
with:
ref: ${{ steps.establish_metadata.outputs.branch }}
fetch-depth: ${{ steps.establish_metadata.outputs.fetch_depth }}

- name: Scan for secrets
if: github.event_name == 'pull_request'
uses: trufflesecurity/trufflehog@939f053fc5cc13136efeb9e4d505051455d135dd
with:
extra_args: --only-verified
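Review bot: every step that does work is gated on `github.event_name == 'pull_request'`, so the `workflow_dispatch` trigger declared under `on:` yields a job that runs no checkout and no TruffleHog scan; either drop `workflow_dispatch` or give it its own path (a full-history checkout without `ref`/`fetch-depth`, then the scan step without the `pull_request` guard). The comment above the job-level `if` says it "auto-pass[es] in merge queue", but that condition only excludes the two bot actors; the merge-queue handling is the separate 'Auto-pass in merge queue' step, so the comment should be reworded to avoid misleading the next maintainer. Minor: the `trufflesecurity/trufflehog@939f053fc5cc13136efeb9e4d505051455d135dd` pin has no `# vX.Y.Z` comment, unlike the checkout pin, which makes the pinned version hard to review or bump; and `$GITHUB_OUTPUT` should be quoted in the two `echo ... >> "$GITHUB_OUTPUT"` redirections.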
48 changes: 48 additions & 0 deletions .github/workflows/semgrep.yml
@@ -0,0 +1,48 @@
name: Semgrep OSS

on:
pull_request: {}
workflow_dispatch: {}
merge_group:
types: [checks_requested]
schedule:
# Full scan of main every Monday at 06:17 UTC.
# Randomized time to avoid GHA load spikes.
- cron: '17 6 * * 1'

jobs:
semgrep:
name: public
runs-on: ubuntu-latest
container:
image: semgrep/semgrep:1.161.0@sha256:326e5f41cc972bb423b764a14febbb62bbad29ee1c01820805d077dd868fea48
permissions:
contents: read
security-events: write # Required for SARIF upload to GitHub Code Scanning
actions: read
# Skip Dependabot PRs and merge group events (diff scan not useful pre-merge)
if: |
github.actor != 'dependabot[bot]' &&
github.actor != 'github-actions[bot]' &&
github.event_name != 'merge_group'
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Run Semgrep OSS (diff-aware)
# PR scan: diff-aware via semgrep ci, only surfaces new findings against the merge base.
# No SEMGREP_APP_TOKEN = fully local mode; no data leaves the runner.
if: github.event_name == 'pull_request'
run: semgrep ci --sarif --output=semgrep.sarif --config=auto
continue-on-error: true

- name: Run Semgrep OSS (full scan)
# Scheduled/manual scan: full repo scan via semgrep scan.
if: github.event_name != 'pull_request'
run: semgrep scan --sarif --output=semgrep.sarif --config=auto
continue-on-error: true

- name: Upload findings to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
with:
sarif_file: semgrep.sarif
category: semgrep-oss
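Review bot: `continue-on-error: true` on both Semgrep steps hides scan errors (rule fetch failures, crashes, bad config) as well as findings, and because the upload step runs unconditionally it then fails on a missing `semgrep.sarif` with an unrelated error; if the intent is only that findings should not block the PR, prefer a guard such as `if: hashFiles('semgrep.sarif') != ''` on the upload step, or check the scan step's `outcome` so a real tool failure is still visible. The comment "No SEMGREP_APP_TOKEN = fully local mode; no data leaves the runner" overstates things: `--config=auto` fetches rules from the Semgrep registry over the network, and Semgrep's metrics default to on whenever rules come from the registry, so add `--metrics=off` if that claim is meant literally, or reword the comment. Also note that `merge_group` is listed under `on:` but excluded by the job `if`, so the `public` check reports as skipped in a merge queue; scan-for-secrets.yml in this same PR instead emits an explicit auto-pass step, and the two workflows should take the same approach.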
27 changes: 27 additions & 0 deletions README.md
@@ -0,0 +1,27 @@
# security-workflows-public

Public AppSec tooling from Gemini's security engineering team, adapted for use in open source projects.

## What's Here

This repository contains security workflows, scanners, and automation tools for securing Gemini's open source projects.

## Workflows

### Semgrep OSS
[`.github/workflows/semgrep.yml`](.github/workflows/semgrep.yml)

Runs [Semgrep](https://semgrep.dev) static analysis on pull requests and on a weekly schedule. Uses community rulesets (`p/default`, `p/security-audit`, `p/owasp-top-ten`) with no Semgrep account or token required. Findings are uploaded to GitHub Code Scanning.

### Scan for Secrets
[`.github/workflows/scan-for-secrets.yml`](.github/workflows/scan-for-secrets.yml)

Scans pull requests for verified secrets using [TruffleHog](https://github.com/trufflesecurity/trufflehog). Only reports verified findings to minimize noise. No token or license required.

## Contributing

This repository is maintained by Gemini's AppSec team. External contributions and feedback are welcome via GitHub Issues.

## License

See [LICENSE](LICENSE) for details.
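Review bot: the Semgrep OSS section says the workflow uses `p/default`, `p/security-audit` and `p/owasp-top-ten`, but semgrep.yml in this same PR passes `--config=auto`, which picks rulesets from the languages Semgrep detects rather than those three; either change the workflow to `--config p/default --config p/security-audit --config p/owasp-top-ten` or drop the ruleset list here so the README describes what actually runs. The Scan for Secrets section should also state that the scan only runs on pull requests, since scan-for-secrets.yml gates both the checkout and the TruffleHog step on `pull_request` and performs no scheduled or manual scans.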