[CI] issue: 4705805 Add secret scan step

Make Secrets Scanner run as a step in CI

Signed-off-by: Noam Tsemah <[email protected]>

Author: ntsemah

.ci/matrix_job.yaml

@@ -55,6 +55,7 @@ runs_on_dockers:
   - {name: 'toolbox', url: 'harbor.mellanox.com/hpcx/x86_64/rhel8.6/builder:inbox', category: 'tool', arch: 'x86_64'}
   - {name: 'blackduck', file: '.ci/dockerfiles/Dockerfile.rhel8.6', category: 'tool', arch: 'x86_64', tag: '20250630', uri: 'vma/$arch/$name/bduck', build_args: '--no-cache --target bduck'}
   - {name: 'header-check', url: 'harbor.mellanox.com/toolbox/header_check:0.0.58', category: 'tool', arch: 'x86_64', tag: '0.0.58'}
+  - {name: 'secret-scan', url: 'harbor.mellanox.com/toolbox/secret_scan:0.0.23', arch: 'x86_64', tag: '0.0.23', category: 'tool', build_args: '--no-cache'}
 
 runs_on_agents:
   - {nodeLabel: 'beni09', category: 'base'}
@@ -99,19 +100,31 @@ steps:
     archiveArtifacts: '*.log,*.tar.gz'
     parallel: false
 
+  - name: Secret Scan
+    credentialsId: 'mellanox_github_credentials'
+    enable: ${do_secretscan}
+    containerSelector:
+      - "{name: 'secret-scan', category: 'tool'}"
+    agentSelector:
+      - "{nodeLabel: 'skip-agent'}"
+    run: |
+      env GITHUB_TOKEN=$MELLANOX_GH_TOKEN /opt/nvidia/secret_scan.py --path $WORKSPACE --git-repo $WORKSPACE --report-file secret_scan.html
+    archiveArtifacts: '*.html'
+    parallel: false
+
   - name: Install Doca-host
     containerSelector:
       - "{category: 'base'}"
     agentSelector:
       - "{nodeLabel: 'skip-agent'}"
     run: |
       echo "Installing DOCA: ${DOCA_VERSION} ..."
-      .ci/scripts/doca_install.sh 
+      .ci/scripts/doca_install.sh
 
   - name: Install Doca-host on Tools
     run: |
       echo "Installing DOCA: ${DOCA_VERSION} ..."
-      .ci/scripts/doca_install.sh 
+      .ci/scripts/doca_install.sh
     containerSelector:
       - "{name: 'style', category: 'tool'}"
     agentSelector:
@@ -126,7 +139,7 @@ steps:
     enable: ${do_build}
     run: |
       [ "x${do_build}" == "xtrue" ] && action=yes || action=no
-      env WORKSPACE=$PWD TARGET=${flags} jenkins_test_build=${action} ./contrib/test_jenkins.sh 
+      env WORKSPACE=$PWD TARGET=${flags} jenkins_test_build=${action} ./contrib/test_jenkins.sh
     parallel: false
     onfail: |
       ./.ci/artifacts.sh
@@ -321,7 +334,7 @@ steps:
         .ci/blackduck_source.sh
       fi
     archiveArtifacts: 'logs/'
-    credentialsId: 
+    credentialsId:
       - "swx-jenkins2-svc-gerrit-ssh-key"
       - "blackduck_api_token"
 

.ci/proj_jjb.yaml

@@ -100,12 +100,16 @@
             description: "Collect artifacts."
         - bool:
             name: "do_blackduck"
-            default: false 
+            default: false
             description: "Run BlackDuck."
         - bool:
             name: "do_copyrights"
             default: true
             description: "Check copyrights in source headers"
+        - bool:
+            name: "do_secretscan"
+            default: true
+            description: "Check for secrets in source code"
     triggers:
         - github-pull-request:
             cron: 'H/5 * * * *'