2022-04-08 21:52:36 +00:00
name : 'TruffleHog OSS'
2023-12-19 19:56:55 +00:00
description : 'Scan Github Actions with TruffleHog.'
2022-04-08 21:33:55 +00:00
author : Truffle Security Co. <support@trufflesec.com>
inputs :
path :
2023-02-03 16:05:21 +00:00
description : Repository path
2023-12-19 19:56:55 +00:00
required : false
default : "./"
2022-04-08 21:33:55 +00:00
base :
description : Start scanning from here (usually main branch).
2023-01-06 00:48:07 +00:00
required : false
default : ''
2022-04-08 21:33:55 +00:00
head :
description : Scan commits until here (usually dev branch).
required : false
2022-08-01 22:05:08 +00:00
extra_args :
default : ''
description : Extra args to be passed to the trufflehog cli.
required : false
2024-02-07 22:58:04 +00:00
version :
default : 'latest'
description : Scan with this trufflehog cli version.
required : false
2022-04-08 21:33:55 +00:00
branding :
icon : "shield"
color : "green"
2023-12-19 19:56:55 +00:00
2022-04-08 21:33:55 +00:00
runs :
2023-12-19 19:56:55 +00:00
using : "composite"
steps :
- shell : bash
2024-06-07 15:21:28 +00:00
working-directory : ${{ inputs.path }}
2023-12-19 19:56:55 +00:00
env :
BASE : ${{ inputs.base }}
HEAD : ${{ inputs.head }}
ARGS : ${{ inputs.extra_args }}
2023-12-24 04:52:27 +00:00
COMMITS : ${{ toJson(github.event.commits) }}
2024-02-07 22:58:04 +00:00
VERSION : ${{ inputs.version }}
2023-12-19 19:56:55 +00:00
run : |
##########################################
## ADVANCED USAGE ##
## Scan by BASE & HEAD user inputs ##
## If BASE == HEAD, exit with error ##
##########################################
2024-07-25 17:37:13 +00:00
git status >/dev/null # make sure we are in a git repository
2023-12-19 19:56:55 +00:00
if [ -n "$BASE" ] || [ -n "$HEAD" ]; then
if [ -n "$BASE" ]; then
base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true
else
base_commit=""
fi
if [ -n "$HEAD" ]; then
head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true
else
head_commit=""
fi
2024-06-07 15:21:28 +00:00
if [ "$base_commit" == "$head_commit" ] ; then
2023-12-19 19:56:55 +00:00
echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)."
exit 1
fi
##########################################
## Scan commits based on event type ##
##########################################
else
if [ "${{ github.event_name }}" == "push" ]; then
2024-01-04 02:10:40 +00:00
COMMIT_LENGTH=$(printenv COMMITS | jq length)
2023-12-19 19:56:55 +00:00
if [ $COMMIT_LENGTH == "0" ]; then
echo "No commits to scan"
exit 0
fi
HEAD=${{ github.event.after }}
if [ ${{ github.event.before }} == "0000000000000000000000000000000000000000" ]; then
BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH)
else
BASE=${{ github.event.before }}
fi
elif [ "${{ github.event_name }}" == "workflow_dispatch" ] || [ "${{ github.event_name }}" == "schedule" ]; then
BASE=""
HEAD=""
elif [ "${{ github.event_name }}" == "pull_request" ]; then
BASE=${{github.event.pull_request.base.sha}}
HEAD=${{github.event.pull_request.head.sha}}
fi
fi
##########################################
## Run TruffleHog ##
2024-02-07 22:58:04 +00:00
##########################################
2024-06-07 15:21:28 +00:00
docker run --rm -v .:/tmp -w /tmp \
2024-02-07 22:58:04 +00:00
ghcr.io/trufflesecurity/trufflehog:${VERSION} \
2023-12-19 19:56:55 +00:00
git file:///tmp/ \
--since-commit \
${BASE:-''} \
--branch \
${HEAD:-''} \
--fail \
--no -update \
--github-actions \
${ARGS:-''}