|
| 1 | +name: TruffleHog Secrets Scan |
| 2 | +on: |
| 3 | + push: |
| 4 | + branches: |
| 5 | + - master |
| 6 | + pull_request: |
| 7 | + branches: |
| 8 | + - master |
| 9 | + schedule: |
| 10 | + - cron: '0 4 * * *' |
| 11 | + |
| 12 | +permissions: |
| 13 | + contents: read |
| 14 | + |
| 15 | +jobs: |
| 16 | + TruffleHog: |
| 17 | + runs-on: ubuntu-latest |
| 18 | + |
| 19 | + steps: |
| 20 | + - name: Checkout code |
| 21 | + uses: actions/checkout@v3 |
| 22 | + with: |
| 23 | + fetch-depth: 0 |
| 24 | + |
| 25 | + # Special check which ensures that the clone performed above is not shallow. We need the |
| 26 | + # complete git history for scanning to work correctly in all the situations. In some cases |
| 27 | + # if a shallow clone is used, trufflehog won't not fail with an error, but it would simply |
| 28 | + # not detect any files and that could be dangerous. |
| 29 | + - name: Shallow repo check |
| 30 | + run: | |
| 31 | + if git rev-parse --is-shallow-repository | grep -q "true"; then |
| 32 | + echo "Encountered a shallow repository, trufflehog may not work as expected!" |
| 33 | + exit 1 |
| 34 | + fi |
| 35 | +
|
| 36 | + - name: scan-pr |
| 37 | + uses: trufflesecurity/trufflehog@main |
| 38 | + if: ${{ github.event_name == 'pull_request' }} |
| 39 | + with: |
| 40 | + path: ./ |
| 41 | + base: ${{ github.event.repository.default_branch }} |
| 42 | + head: HEAD |
| 43 | + extra_args: --debug --only-verified |
| 44 | + |
| 45 | + - name: scan-push |
| 46 | + uses: trufflesecurity/trufflehog@main |
| 47 | + if: ${{ github.event_name == 'push' }} |
| 48 | + with: |
| 49 | + path: ./ |
| 50 | + base: "" |
| 51 | + head: ${{ github.ref_name }} |
| 52 | + extra_args: --debug --only-verified |
| 53 | + |
| 54 | + # As part of cron trigger we scan the whole repo directory. |
| 55 | + # NOTE: Since trufflehog GHA is meant to be used in context of push / pr it can't be |
| 56 | + # used dorectly to scan the whole repo directory. This may take a while, but it's good idea |
| 57 | + # to run it on a daily basis. |
| 58 | + - name: scan-cron |
| 59 | + if: ${{ github.event_name == 'schedule' }} |
| 60 | + run: | |
| 61 | + docker run --rm -v "$PWD:/workdir" trufflesecurity/trufflehog:latest git \ |
| 62 | + file:///workdir --fail --no-update --debug --only-verified |
| 63 | +
|
| 64 | + - name: Notify Slack on Failure |
| 65 | + if: ${{ failure() && github.ref_name == 'master' }} |
| 66 | + uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 |
| 67 | + env: |
| 68 | + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |
| 69 | + with: |
| 70 | + status: ${{ job.status }} |
| 71 | + steps: ${{ toJson(steps) }} |
| 72 | + channel: '#eng-dataset-o11y' |
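Review bot: Both TruffleHog action steps reference a mutable ref, `uses: trufflesecurity/trufflehog@main` (lines 37 and 46), and the cron step pulls `trufflesecurity/trufflehog:latest` (line 61), so whatever upstream publishes next runs unreviewed against the full-history checkout on every push, pull request and nightly run; the Slack step on line 66 is already pinned to a commit SHA with a version comment, so the same convention should apply here, e.g. `uses: trufflesecurity/trufflehog@<commit-sha> # vX.Y.Z` and `trufflesecurity/trufflehog:<version-tag-or-digest>` (placeholders). `actions/checkout@v3` on line 21 could be pinned to a SHA the same way for consistency. All three scans also pass `--debug` unconditionally; if that is only there for initial troubleshooting, dropping it keeps the job log to the verified findings. Separately, the comments on lines 27 and 56 have typos (`won't not fail` → `won't fail`, `dorectly` → `directly`).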