trufflehog/action.yml

name: 'TruffleHog OSS'
description: 'Scan Github Actions with TruffleHog.'
author: Truffle Security Co. <support@trufflesec.com>

inputs:
  path:
    description: Repository path
    required: false
    default: "./"
  base:
    description: Start scanning from here (usually main branch).
    required: false
    default: ''
  head:
    description: Scan commits until here (usually dev branch).
    required: false
  extra_args:
    default: ''
    description: Extra args to be passed to the trufflehog cli.
    required: false
  version:
    default: 'latest'
    description: Scan with this trufflehog cli version.
    required: false
branding:
  icon: "shield"
  color: "green"

runs:
  using: "composite"
  steps:
  - shell: bash
    env:
      REPO_PATH: ${{ inputs.path }}
      BASE: ${{ inputs.base }}
      HEAD: ${{ inputs.head }}
      ARGS: ${{ inputs.extra_args }}
      COMMITS: ${{ toJson(github.event.commits) }}
      VERSION: ${{ inputs.version }}
    run: |
      ##########################################
      ## ADVANCED USAGE                       ##
      ## Scan by BASE & HEAD user inputs      ##
      ## If BASE == HEAD, exit with error     ##
      ##########################################
      if [ -n "$BASE" ] || [ -n "$HEAD" ]; then
        if [ -n "$BASE" ]; then
          base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true
        else
          base_commit=""
        fi
        if [ -n "$HEAD" ]; then
          head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true
        else
          head_commit=""
        fi
        if [ $base_commit == $head_commit ] ; then
          echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)."
          exit 1
        fi
      ##########################################
      ## Scan commits based on event type     ##
      ##########################################
      else
        if [ "${{ github.event_name }}" == "push" ]; then
          COMMIT_LENGTH=$(printenv COMMITS | jq length)
          if [ $COMMIT_LENGTH == "0" ]; then
            echo "No commits to scan"
            exit 0
          fi
          HEAD=${{ github.event.after }}
          if [ ${{ github.event.before }} == "0000000000000000000000000000000000000000" ]; then
            BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH)
          else
            BASE=${{ github.event.before }}
          fi
        elif [ "${{ github.event_name }}" == "workflow_dispatch" ] || [ "${{ github.event_name }}" == "schedule" ]; then
          BASE=""
          HEAD=""
        elif [ "${{ github.event_name }}" == "pull_request" ]; then
          BASE=${{github.event.pull_request.base.sha}}
          HEAD=${{github.event.pull_request.head.sha}}
        fi
      fi
      ##########################################
      ##          Run TruffleHog              ##
      ##########################################
      docker run --rm -v "$REPO_PATH":/tmp -w /tmp \
      ghcr.io/trufflesecurity/trufflehog:${VERSION} \
      git file:///tmp/ \
      --since-commit \
      ${BASE:-''} \
      --branch \
      ${HEAD:-''} \
      --fail \
      --no-update \
      --github-actions \
      ${ARGS:-''}
update action name 2022-04-08 21:52:36 +00:00			`name: 'TruffleHog OSS'`
shallow cloning + GitHub Action (#2138) * proposed shallow cloning gh action * removing unnecessary steps * adding back in git checkout * removed git cloning + added backward compatibility 2023-12-19 19:56:55 +00:00			`description: 'Scan Github Actions with TruffleHog.'`
Add github action (#295) 2022-04-08 21:33:55 +00:00			`author: Truffle Security Co. <support@trufflesec.com>`

			`inputs:`
			`path:`
Revert "Add TruffleHog version input for GitHub action (#1064)" (#1068) This reverts commit 8dedd08d895220e35cc1f39550e23047c5200cf3. 2023-02-03 16:05:21 +00:00			`description: Repository path`
shallow cloning + GitHub Action (#2138) * proposed shallow cloning gh action * removing unnecessary steps * adding back in git checkout * removed git cloning + added backward compatibility 2023-12-19 19:56:55 +00:00			`required: false`
			`default: "./"`
Add github action (#295) 2022-04-08 21:33:55 +00:00			`base:`
			`description: Start scanning from here (usually main branch).`
Make GA action default base an empty string. (#996) 2023-01-06 00:48:07 +00:00			`required: false`
			`default: ''`
Add github action (#295) 2022-04-08 21:33:55 +00:00			`head:`
			`description: Scan commits until here (usually dev branch).`
			`required: false`
Update github action to support generic cli command input (#670) * Update github action to support generic cli command input * revert removal of inputs * echo in entrypoint * test custom docker image * revert docker image reference 2022-08-01 22:05:08 +00:00			`extra_args:`
			`default: ''`
			`description: Extra args to be passed to the trufflehog cli.`
			`required: false`
Allow CLI version pinning in GHA (#2397) (#2398) * Allow CLI version pinning in GHA (#2397) * prevent segfault in test-community 2024-02-07 22:58:04 +00:00			`version:`
			`default: 'latest'`
			`description: Scan with this trufflehog cli version.`
			`required: false`
Add github action (#295) 2022-04-08 21:33:55 +00:00			`branding:`
			`icon: "shield"`
			`color: "green"`
shallow cloning + GitHub Action (#2138) * proposed shallow cloning gh action * removing unnecessary steps * adding back in git checkout * removed git cloning + added backward compatibility 2023-12-19 19:56:55 +00:00
Add github action (#295) 2022-04-08 21:33:55 +00:00			`runs:`
shallow cloning + GitHub Action (#2138) * proposed shallow cloning gh action * removing unnecessary steps * adding back in git checkout * removed git cloning + added backward compatibility 2023-12-19 19:56:55 +00:00			`using: "composite"`
			`steps:`
			`- shell: bash`
			`env:`
			`REPO_PATH: ${{ inputs.path }}`
			`BASE: ${{ inputs.base }}`
			`HEAD: ${{ inputs.head }}`
			`ARGS: ${{ inputs.extra_args }}`
Fix commit message single quote escaping on GitHub Action (#2259) 2023-12-24 04:52:27 +00:00			`COMMITS: ${{ toJson(github.event.commits) }}`
Allow CLI version pinning in GHA (#2397) (#2398) * Allow CLI version pinning in GHA (#2397) * prevent segfault in test-community 2024-02-07 22:58:04 +00:00			`VERSION: ${{ inputs.version }}`
shallow cloning + GitHub Action (#2138) * proposed shallow cloning gh action * removing unnecessary steps * adding back in git checkout * removed git cloning + added backward compatibility 2023-12-19 19:56:55 +00:00			`run: \|`
			`##########################################`
			`## ADVANCED USAGE ##`
			`## Scan by BASE & HEAD user inputs ##`
			`## If BASE == HEAD, exit with error ##`
			`##########################################`
			`if [ -n "$BASE" ] \|\| [ -n "$HEAD" ]; then`
			`if [ -n "$BASE" ]; then`
			`base_commit=$(git rev-parse "$BASE" 2>/dev/null) \|\| true`
			`else`
			`base_commit=""`
			`fi`
			`if [ -n "$HEAD" ]; then`
			`head_commit=$(git rev-parse "$HEAD" 2>/dev/null) \|\| true`
			`else`
			`head_commit=""`
			`fi`
			`if [ $base_commit == $head_commit ] ; then`
			`echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)."`
			`exit 1`
			`fi`
			`##########################################`
			`## Scan commits based on event type ##`
			`##########################################`
			`else`
			`if [ "${{ github.event_name }}" == "push" ]; then`
Fix non-ASCII whitespace on GitHub Action (#2270) 2024-01-04 02:10:40 +00:00			`COMMIT_LENGTH=$(printenv COMMITS \| jq length)`
shallow cloning + GitHub Action (#2138) * proposed shallow cloning gh action * removing unnecessary steps * adding back in git checkout * removed git cloning + added backward compatibility 2023-12-19 19:56:55 +00:00			`if [ $COMMIT_LENGTH == "0" ]; then`
			`echo "No commits to scan"`
			`exit 0`
			`fi`
			`HEAD=${{ github.event.after }}`
			`if [ ${{ github.event.before }} == "0000000000000000000000000000000000000000" ]; then`
			`BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH)`
			`else`
			`BASE=${{ github.event.before }}`
			`fi`
			`elif [ "${{ github.event_name }}" == "workflow_dispatch" ] \|\| [ "${{ github.event_name }}" == "schedule" ]; then`
			`BASE=""`
			`HEAD=""`
			`elif [ "${{ github.event_name }}" == "pull_request" ]; then`
			`BASE=${{github.event.pull_request.base.sha}}`
			`HEAD=${{github.event.pull_request.head.sha}}`
			`fi`
			`fi`
			`##########################################`
			`## Run TruffleHog ##`
Allow CLI version pinning in GHA (#2397) (#2398) * Allow CLI version pinning in GHA (#2397) * prevent segfault in test-community 2024-02-07 22:58:04 +00:00			`##########################################`
Set GHA workdir (#2393) * set workdir to tmp * add workflow dispatch for easier on demand dogfooding 2024-02-07 14:14:33 +00:00			`docker run --rm -v "$REPO_PATH":/tmp -w /tmp \`
Allow CLI version pinning in GHA (#2397) (#2398) * Allow CLI version pinning in GHA (#2397) * prevent segfault in test-community 2024-02-07 22:58:04 +00:00			`ghcr.io/trufflesecurity/trufflehog:${VERSION} \`
shallow cloning + GitHub Action (#2138) * proposed shallow cloning gh action * removing unnecessary steps * adding back in git checkout * removed git cloning + added backward compatibility 2023-12-19 19:56:55 +00:00			`git file:///tmp/ \`
			`--since-commit \`
			`${BASE:-''} \`
			`--branch \`
			`${HEAD:-''} \`
			`--fail \`
			`--no-update \`
			`--github-actions \`
			`${ARGS:-''}`