From a6364415e6bda69e5e307c0b33281bde6937e972 Mon Sep 17 00:00:00 2001 From: joeleonjr <20135619+joeleonjr@users.noreply.github.com> Date: Tue, 19 Dec 2023 14:56:55 -0500 Subject: [PATCH] shallow cloning + GitHub Action (#2138) * proposed shallow cloning gh action * removing unnecessary steps * adding back in git checkout * removed git cloning + added backward compatibility --- .github/workflows/secrets.yml | 7 --- README.md | 83 +++++++++++++++++++++++++-------- action.yml | 86 +++++++++++++++++++++++++++++------ 3 files changed, 134 insertions(+), 42 deletions(-) diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml index 311c020cb..45a50b389 100644 --- a/.github/workflows/secrets.yml +++ b/.github/workflows/secrets.yml @@ -13,10 +13,6 @@ jobs: test: runs-on: ubuntu-latest steps: - - name: Install Go - uses: actions/setup-go@v4 - with: - go-version: '1.21' - name: Checkout code uses: actions/checkout@v4 with: @@ -26,7 +22,4 @@ jobs: uses: ./ id: dogfood with: - path: ./ - base: ${{ github.event.repository.default_branch }} - head: HEAD extra_args: --only-verified diff --git a/README.md b/README.md index 503a964af..719802564 100644 --- a/README.md +++ b/README.md @@ -336,6 +336,62 @@ Exit Codes: ## :octocat: TruffleHog Github Action +### General Usage + +``` +on: + push: + branches: + - main + pull_request: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Secret Scanning + uses: trufflesecurity/trufflehog@main + with: + extra_args: --only-verified +``` + +In the example config above, we're scanning for live secrets in all PRs and Pushes to `main`. Only code changes in the referenced commits are scanned. If you'd like to scan an entire branch, please see the "Advanced Usage" section below. + + +### Shallow Cloning + +If you're incorporating TruffleHog into a standalone workflow and aren't running any other CI/CD tooling alongside TruffleHog, then we recommend using [Shallow Cloning](https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---depthltdepthgt) to speed up your workflow. Here's an example for how to do it: + +``` +... + - shell: bash + run: | + if [ "${{ github.event_name }}" == "push" ]; then + echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV + echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV + fi + if [ "${{ github.event_name }}" == "pull_request" ]; then + echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV + echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV + fi + - uses: actions/checkout@v3 + with: + ref: ${{env.branch}} + fetch-depth: ${{env.depth}} + - uses: trufflesecurity/trufflehog@main + with: + extra_args: --only-verified +... +``` + +Depending on the event type (push or PR), we calculate the number of commits present. Then we add 2, so that we can reference a base commit before our code changes. We pass that integer value to the `fetch-depth` flag in the checkout action in addition to the relevant branch. Now our checkout process should be much shorter. + +### Advanced Usage + ```yaml - name: TruffleHog uses: trufflesecurity/trufflehog@main @@ -350,29 +406,16 @@ Exit Codes: extra_args: --debug --only-verified ``` -The TruffleHog OSS Github Action can be used to scan a range of commits for leaked credentials. The action will fail if -any results are found. +If you'd like to specify specific `base` and `head` refs, you can use the `base` argument (`--since-commit` flag in TruffleHog CLI) and the `head` argument (`--branch` flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases, where the default behavior does not work. -For example, to scan the contents of pull requests you could use the following workflow: - -```yaml -name: TruffleHog Secrets Scan -on: [pull_request] -jobs: - TruffleHog: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: TruffleHog OSS +#### Advanced Usage: Scan entire branch +``` +- name: scan-push uses: trufflesecurity/trufflehog@main with: - path: ./ - base: ${{ github.event.repository.default_branch }} - head: HEAD - extra_args: --debug --only-verified + base: "" + head: ${{ github.ref_name }} + extra_args: --only-verified ``` ## Pre-commit Hook diff --git a/action.yml b/action.yml index 3632ebbbe..5262e6e47 100644 --- a/action.yml +++ b/action.yml @@ -1,11 +1,12 @@ name: 'TruffleHog OSS' -description: 'Scan Github Actions with TruffleHog' +description: 'Scan Github Actions with TruffleHog.' author: Truffle Security Co. inputs: path: description: Repository path - required: true + required: false + default: "./" base: description: Start scanning from here (usually main branch). required: false @@ -20,17 +21,72 @@ inputs: branding: icon: "shield" color: "green" + runs: - using: "docker" - image: "docker://ghcr.io/trufflesecurity/trufflehog:latest" - args: - - git - - file://${{ inputs.path }} - - --since-commit - - ${{ inputs.base }} - - --branch - - ${{ inputs.head }} - - --fail - - --no-update - - --github-actions - - ${{ inputs.extra_args }} + using: "composite" + steps: + - shell: bash + env: + REPO_PATH: ${{ inputs.path }} + BASE: ${{ inputs.base }} + HEAD: ${{ inputs.head }} + ARGS: ${{ inputs.extra_args }} + run: | + ########################################## + ## ADVANCED USAGE ## + ## Scan by BASE & HEAD user inputs ## + ## If BASE == HEAD, exit with error ## + ########################################## + if [ -n "$BASE" ] || [ -n "$HEAD" ]; then + if [ -n "$BASE" ]; then + base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true + else + base_commit="" + fi + if [ -n "$HEAD" ]; then + head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true + else + head_commit="" + fi + if [ $base_commit == $head_commit ] ; then + echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)." + exit 1 + fi + ########################################## + ## Scan commits based on event type ## + ########################################## + else + if [ "${{ github.event_name }}" == "push" ]; then + COMMIT_LENGTH=$(jq length <<< '${{ toJson(github.event.commits) }}') + if [ $COMMIT_LENGTH == "0" ]; then + echo "No commits to scan" + exit 0 + fi + HEAD=${{ github.event.after }} + if [ ${{ github.event.before }} == "0000000000000000000000000000000000000000" ]; then + BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH) + else + BASE=${{ github.event.before }} + fi + elif [ "${{ github.event_name }}" == "workflow_dispatch" ] || [ "${{ github.event_name }}" == "schedule" ]; then + BASE="" + HEAD="" + elif [ "${{ github.event_name }}" == "pull_request" ]; then + BASE=${{github.event.pull_request.base.sha}} + HEAD=${{github.event.pull_request.head.sha}} + fi + fi + ########################################## + ## Run TruffleHog ## + ########################################## + docker run --rm -v "$REPO_PATH":/tmp \ + ghcr.io/trufflesecurity/trufflehog:latest \ + git file:///tmp/ \ + --since-commit \ + ${BASE:-''} \ + --branch \ + ${HEAD:-''} \ + --fail \ + --no-update \ + --github-actions \ + ${ARGS:-''}