@@ -85,102 +85,38 @@ jobs:
8585 echo "Changed files in this PR:"
8686 cat changed-files.txt || echo "No files changed"
8787
88- - name : Scan for secrets using TruffleHog (git history, filesystem, changed files)
88+ - name : Scan for secrets using TruffleHog
8989 id : scan
90- env :
91- SCAN_TYPE : ${{ inputs.scan-type }}
92- SCAN_SCOPE : ${{ inputs.scan-scope }}
93- EVENT_NAME : ${{ github.event_name }}
9490 run : |
9591 set +e
9692
97- # Initialize result files
98- echo "[]" > all-results.json
99-
100- echo "Starting TruffleHog scan with scope: ${SCAN_SCOPE}, type: ${SCAN_TYPE}..."
101-
102- # Full repository scanning
103- if [[ "${SCAN_SCOPE}" == "full-repo" || "${SCAN_SCOPE}" == "both" ]]; then
104- echo "Running full repository scan..."
105-
106- if [[ "${SCAN_TYPE}" == "commits" || "${SCAN_TYPE}" == "both" ]]; then
107- echo "Scanning git commit history..."
108- trufflehog git file://. \
109- --json \
110- --no-update \
111- --results=verified,unverified,unknown \
112- --max-depth=10 \
113- --exclude-globs="*.lock,*.sum,node_modules/**,*.git/**" \
114- > commit-results.json || true
115- fi
116-
117- if [[ "${SCAN_TYPE}" == "filesystem" || "${SCAN_TYPE}" == "both" ]]; then
118- echo "Scanning current filesystem..."
119- trufflehog filesystem . \
120- --json \
121- --no-update \
122- --results=verified,unverified,unknown \
123- > fs-results.json || true
124- fi
125- fi
126-
127- # Changed files scanning (PR only)
128- if [[ "${EVENT_NAME}" == "pull_request" ]]; then
129- if [[ "${SCAN_SCOPE}" == "changed-files" || "${SCAN_SCOPE}" == "both" ]]; then
130- if [[ -s "changed-files.txt" ]]; then
131- echo "Scanning changed files..."
132- echo "[]" > changed-files-results.json
133- while IFS= read -r file; do
134- if [[ -f "${file}" ]]; then
135- echo "Scanning: ${file}"
136- if trufflehog filesystem "${file}" \
137- --json \
138- --no-update \
139- --results=verified,unverified,unknown \
140- | jq -s 'add' changed-files-results.json - > tmp.json; then
141- mv tmp.json changed-files-results.json
142- fi
143- fi
144- done < changed-files.txt
145- else
146- echo "No changed files to scan"
147- fi
148- fi
149- fi
150-
151- # Merge all results
152- touch all-results.ndjson
153- for f in commit-results.json fs-results.json changed-files-results.json; do
154- if [[ -s "${f}" ]]; then
155- cat "${f}" >> all-results.ndjson
156- fi
157- done
158-
159- # Convert NDJSON to JSON array for processing
160- if [[ -s all-results.ndjson ]]; then
161- # Filter out empty lines and invalid JSON before processing
162- grep -v '^$' all-results.ndjson | jq -s '.' > all-results.json 2>/dev/null || echo "[]" > all-results.json
163- else
164- echo "[]" > all-results.json
165- fi
93+ # Simple, aggressive scan - no filtering, no complexity
94+ echo "Running TruffleHog filesystem scan..."
95+ trufflehog filesystem . --json --no-update > scan-results.json || true
16696
167- # Validate JSON and count results with error handling
168- if jq empty all-results.json 2>/dev/null; then
97+ # Count results
98+ if [[ -s scan-results.json ]]; then
99+ # Convert NDJSON to array and count
100+ jq -s '.' scan-results.json > all-results.json 2>/dev/null || echo "[]" > all-results.json
169101 VERIFIED=$(jq '[.[] | select(.Verified==true)] | length' all-results.json 2>/dev/null || echo "0")
170102 UNVERIFIED=$(jq '[.[] | select(.Verified==false)] | length' all-results.json 2>/dev/null || echo "0")
171103 else
172- echo "Invalid JSON in all-results.json, resetting to empty array"
173104 echo "[]" > all-results.json
174105 VERIFIED=0
175106 UNVERIFIED=0
176107 fi
108+
177109 TOTAL=$((VERIFIED+UNVERIFIED))
178110
179111 echo "Scan Summary:"
180112 echo "Verified secrets: ${VERIFIED}"
181113 echo "Unverified secrets: ${UNVERIFIED}"
182114 echo "Total findings: ${TOTAL}"
183115
116+ # Show raw results for debugging
117+ echo "Raw scan results:"
118+ cat scan-results.json || echo "No raw results"
119+
184120 {
185121 echo "verified=${VERIFIED}"
186122 echo "unverified=${UNVERIFIED}"
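Review bot: The `cat scan-results.json` added at new line 118 writes every finding, including the matched secret text TruffleHog places in each result's `Raw`/`RawV2` fields, into the Actions job log, so any live credential the scan finds becomes readable by everyone who can view the run and stays there for the log retention period. Print a redacted view instead, `jq -c 'del(.Raw, .RawV2)' scan-results.json 2>/dev/null || echo "No raw results"`, or drop the debug dump altogether. Dropping the explicit `--results=verified,unverified,unknown` on new line 95 also leaves the result set at TruffleHog's default; if that default does not include unverified results, the `UNVERIFIED` count derived from `.Verified==false` will silently read 0, so keep the flag or state the intent in the comment on new line 93. With `set +e` and the `|| true` on the same line, a tool failure (missing binary, crash) produces an empty file and a clean "0 findings" summary, so recording the scan's exit status instead of discarding it and failing the step when it is non-zero would keep the scan fail-closed. The `run` block continues past the end of the hunk.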