mirror of https://github.com/trufflesecurity/trufflehog.git (synced 2024-11-10 07:04:24 +00:00)
shallow cloning + GitHub Action (#2138)
* proposed shallow cloning gh action
* removing unnecessary steps
* adding back in git checkout
* removed git cloning + added backward compatibility
parent 328a3f141f
commit a6364415e6
3 changed files with 134 additions and 42 deletions
7
.github/workflows/secrets.yml
vendored
|
@ -13,10 +13,6 @@ jobs:
|
||||||
test:
|
test:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Install Go
|
|
||||||
uses: actions/setup-go@v4
|
|
||||||
with:
|
|
||||||
go-version: '1.21'
|
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
|
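Review bot: dropping the `Install Go` step (`actions/setup-go@v4`, Go `1.21`) is safe here, because nothing else in the `test` job compiles Go once the action runs TruffleHog from the container image. What the checkout's `with:` block still carries is outside this hunk, so confirm that the `fetch-depth` it sets leaves enough history on the runner for the new action.yml logic (`BASE=${{ github.event.before }}`, or `git rev-parse $HEAD~$COMMIT_LENGTH` for a new branch) to find the base commit in the clone.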
@ -26,7 +22,4 @@ jobs:
|
||||||
uses: ./
|
uses: ./
|
||||||
id: dogfood
|
id: dogfood
|
||||||
with:
|
with:
|
||||||
path: ./
|
|
||||||
base: ${{ github.event.repository.default_branch }}
|
|
||||||
head: HEAD
|
|
||||||
extra_args: --only-verified
|
extra_args: --only-verified
|
||||||
|
|
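Review bot: removing `path`, `base` and `head` from the dogfood step means this job now exercises only the event-driven path of the composite action (on `pull_request`, `base.sha`..`head.sha`) and never the explicit `base`/`head` inputs; with only `extra_args: --only-verified` left, the `if [ -n "$BASE" ] || [ -n "$HEAD" ]` branch that the README still documents has no CI coverage. Consider keeping a second step that still passes the old explicit inputs (`base: ${{ github.event.repository.default_branch }}`, `head: HEAD`) so both code paths run on every PR.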
83
README.md
|
@ -336,6 +336,62 @@ Exit Codes:
|
||||||
|
|
||||||
## :octocat: TruffleHog Github Action
|
## :octocat: TruffleHog Github Action
|
||||||
|
|
||||||
|
### General Usage
|
||||||
|
|
||||||
|
```
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
pull_request:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
test:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
fetch-depth: 0
|
||||||
|
- name: Secret Scanning
|
||||||
|
uses: trufflesecurity/trufflehog@main
|
||||||
|
with:
|
||||||
|
extra_args: --only-verified
|
||||||
|
```
|
||||||
|
|
||||||
|
In the example config above, we're scanning for live secrets in all PRs and Pushes to `main`. Only code changes in the referenced commits are scanned. If you'd like to scan an entire branch, please see the "Advanced Usage" section below.
|
||||||
|
|
||||||
|
|
||||||
|
### Shallow Cloning
|
||||||
|
|
||||||
|
If you're incorporating TruffleHog into a standalone workflow and aren't running any other CI/CD tooling alongside TruffleHog, then we recommend using [Shallow Cloning](https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---depthltdepthgt) to speed up your workflow. Here's an example for how to do it:
|
||||||
|
|
||||||
|
```
|
||||||
|
...
|
||||||
|
- shell: bash
|
||||||
|
run: |
|
||||||
|
if [ "${{ github.event_name }}" == "push" ]; then
|
||||||
|
echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
|
||||||
|
echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
|
||||||
|
fi
|
||||||
|
if [ "${{ github.event_name }}" == "pull_request" ]; then
|
||||||
|
echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
|
||||||
|
echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
|
||||||
|
fi
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
with:
|
||||||
|
ref: ${{env.branch}}
|
||||||
|
fetch-depth: ${{env.depth}}
|
||||||
|
- uses: trufflesecurity/trufflehog@main
|
||||||
|
with:
|
||||||
|
extra_args: --only-verified
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
Depending on the event type (push or PR), we calculate the number of commits present. Then we add 2, so that we can reference a base commit before our code changes. We pass that integer value to the `fetch-depth` flag in the checkout action in addition to the relevant branch. Now our checkout process should be much shorter.
|
||||||
|
|
||||||
|
### Advanced Usage
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- name: TruffleHog
|
- name: TruffleHog
|
||||||
uses: trufflesecurity/trufflehog@main
|
uses: trufflesecurity/trufflehog@main
|
||||||
|
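Review bot: the Shallow Cloning example interpolates event data straight into `run:` (`jq length <<< '${{ toJson(github.event.commits) }}'` and `branch=${{ github.event.pull_request.head.ref }}`); commit messages and branch names are written by whoever opens the push or PR, and a single quote in a commit message closes the here-string and hands the remainder to the shell, which is the standard Actions script-injection pattern. Pass them through `env:` (`COMMITS: ${{ toJson(github.event.commits) }}`, `BRANCH: ${{ github.event.pull_request.head.ref }}`) and reference `"$COMMITS"` / `"$BRANCH"` in the script, the way the new action.yml already does for `REPO_PATH`, `BASE`, `HEAD` and `ARGS`. Two documentation points: the example pins `actions/checkout@v3` while the General Usage block just above uses `@v4`, and both new fences are untagged where the existing Advanced Usage block uses ```yaml. The depth arithmetic also reads the pushed-commit count from `github.event.commits`, which GitHub caps at 20 entries, so a push of more than 20 commits gets a clone too shallow to contain the base commit; the prose after the block should state that limit.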
@ -350,29 +406,16 @@ Exit Codes:
|
||||||
extra_args: --debug --only-verified
|
extra_args: --debug --only-verified
|
||||||
```
|
```
|
||||||
|
|
||||||
The TruffleHog OSS Github Action can be used to scan a range of commits for leaked credentials. The action will fail if
|
If you'd like to specify specific `base` and `head` refs, you can use the `base` argument (`--since-commit` flag in TruffleHog CLI) and the `head` argument (`--branch` flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases, where the default behavior does not work.
|
||||||
any results are found.
|
|
||||||
|
|
||||||
For example, to scan the contents of pull requests you could use the following workflow:
|
#### Advanced Usage: Scan entire branch
|
||||||
|
```
|
||||||
```yaml
|
- name: scan-push
|
||||||
name: TruffleHog Secrets Scan
|
|
||||||
on: [pull_request]
|
|
||||||
jobs:
|
|
||||||
TruffleHog:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Checkout code
|
|
||||||
uses: actions/checkout@v3
|
|
||||||
with:
|
|
||||||
fetch-depth: 0
|
|
||||||
- name: TruffleHog OSS
|
|
||||||
uses: trufflesecurity/trufflehog@main
|
uses: trufflesecurity/trufflehog@main
|
||||||
with:
|
with:
|
||||||
path: ./
|
base: ""
|
||||||
base: ${{ github.event.repository.default_branch }}
|
head: ${{ github.ref_name }}
|
||||||
head: HEAD
|
extra_args: --only-verified
|
||||||
extra_args: --debug --only-verified
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Pre-commit Hook
|
## Pre-commit Hook
|
||||||
|
|
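Review bot: the removed sentence "The action will fail if any results are found" was the only place the README stated that behaviour, and `--fail` is still passed to the scanner in action.yml, so the rewritten Advanced Usage text now under-documents what happens on a hit; keep that sentence. The new "Scan entire branch" example (`base: ""`, `head: ${{ github.ref_name }}`) also drops the checkout step that the removed workflow had, yet scanning a whole branch needs the full history (`fetch-depth: 0`), and it depends on `base: ""` being treated as "no base"; say both next to the example, since a reader copying just this step onto a default shallow checkout will get a near-empty scan.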
86
action.yml
|
@ -1,11 +1,12 @@
|
||||||
name: 'TruffleHog OSS'
|
name: 'TruffleHog OSS'
|
||||||
description: 'Scan Github Actions with TruffleHog'
|
description: 'Scan Github Actions with TruffleHog.'
|
||||||
author: Truffle Security Co. <support@trufflesec.com>
|
author: Truffle Security Co. <support@trufflesec.com>
|
||||||
|
|
||||||
inputs:
|
inputs:
|
||||||
path:
|
path:
|
||||||
description: Repository path
|
description: Repository path
|
||||||
required: true
|
required: false
|
||||||
|
default: "./"
|
||||||
base:
|
base:
|
||||||
description: Start scanning from here (usually main branch).
|
description: Start scanning from here (usually main branch).
|
||||||
required: false
|
required: false
|
||||||
|
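Review bot: `path` moving from `required: true` to `required: false` with `default: "./"` is the backward-compatibility piece and keeps callers that still set it working. The description `Repository path` could say that the value is bind-mounted into the scanner container (`-v "$REPO_PATH":/tmp` in the new `runs:` block), since that is the constraint a non-default value now has to satisfy. `base`'s description, "Start scanning from here (usually main branch)", is unchanged but now also needs to mention the empty-string case the README documents for scanning an entire branch.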
@ -20,17 +21,72 @@ inputs:
|
||||||
branding:
|
branding:
|
||||||
icon: "shield"
|
icon: "shield"
|
||||||
color: "green"
|
color: "green"
|
||||||
|
|
||||||
runs:
|
runs:
|
||||||
using: "docker"
|
using: "composite"
|
||||||
image: "docker://ghcr.io/trufflesecurity/trufflehog:latest"
|
steps:
|
||||||
args:
|
- shell: bash
|
||||||
- git
|
env:
|
||||||
- file://${{ inputs.path }}
|
REPO_PATH: ${{ inputs.path }}
|
||||||
- --since-commit
|
BASE: ${{ inputs.base }}
|
||||||
- ${{ inputs.base }}
|
HEAD: ${{ inputs.head }}
|
||||||
- --branch
|
ARGS: ${{ inputs.extra_args }}
|
||||||
- ${{ inputs.head }}
|
run: |
|
||||||
- --fail
|
##########################################
|
||||||
- --no-update
|
## ADVANCED USAGE ##
|
||||||
- --github-actions
|
## Scan by BASE & HEAD user inputs ##
|
||||||
- ${{ inputs.extra_args }}
|
## If BASE == HEAD, exit with error ##
|
||||||
|
##########################################
|
||||||
|
if [ -n "$BASE" ] || [ -n "$HEAD" ]; then
|
||||||
|
if [ -n "$BASE" ]; then
|
||||||
|
base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true
|
||||||
|
else
|
||||||
|
base_commit=""
|
||||||
|
fi
|
||||||
|
if [ -n "$HEAD" ]; then
|
||||||
|
head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true
|
||||||
|
else
|
||||||
|
head_commit=""
|
||||||
|
fi
|
||||||
|
if [ $base_commit == $head_commit ] ; then
|
||||||
|
echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
##########################################
|
||||||
|
## Scan commits based on event type ##
|
||||||
|
##########################################
|
||||||
|
else
|
||||||
|
if [ "${{ github.event_name }}" == "push" ]; then
|
||||||
|
COMMIT_LENGTH=$(jq length <<< '${{ toJson(github.event.commits) }}')
|
||||||
|
if [ $COMMIT_LENGTH == "0" ]; then
|
||||||
|
echo "No commits to scan"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
HEAD=${{ github.event.after }}
|
||||||
|
if [ ${{ github.event.before }} == "0000000000000000000000000000000000000000" ]; then
|
||||||
|
BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH)
|
||||||
|
else
|
||||||
|
BASE=${{ github.event.before }}
|
||||||
|
fi
|
||||||
|
elif [ "${{ github.event_name }}" == "workflow_dispatch" ] || [ "${{ github.event_name }}" == "schedule" ]; then
|
||||||
|
BASE=""
|
||||||
|
HEAD=""
|
||||||
|
elif [ "${{ github.event_name }}" == "pull_request" ]; then
|
||||||
|
BASE=${{github.event.pull_request.base.sha}}
|
||||||
|
HEAD=${{github.event.pull_request.head.sha}}
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
##########################################
|
||||||
|
## Run TruffleHog ##
|
||||||
|
##########################################
|
||||||
|
docker run --rm -v "$REPO_PATH":/tmp \
|
||||||
|
ghcr.io/trufflesecurity/trufflehog:latest \
|
||||||
|
git file:///tmp/ \
|
||||||
|
--since-commit \
|
||||||
|
${BASE:-''} \
|
||||||
|
--branch \
|
||||||
|
${HEAD:-''} \
|
||||||
|
--fail \
|
||||||
|
--no-update \
|
||||||
|
--github-actions \
|
||||||
|
${ARGS:-''}
|
||||||
|
|
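Review bot: the push branch interpolates `${{ toJson(github.event.commits) }}` directly into the `run:` script (`COMMIT_LENGTH=$(jq length <<< '...')`) inside a composite action that every consumer executes; the commit messages in that JSON are authored by whoever pushed, and one single quote in a message closes the here-string and turns the rest into shell, so this is a script-injection sink. Move it into the step's `env:` next to `REPO_PATH`/`BASE`/`HEAD`/`ARGS` (`COMMITS: ${{ toJson(github.event.commits) }}`) and use `jq length <<< "$COMMITS"`; `before`, `after` and the `*.sha` values are hex and are safe, but are cleaner in `env:` as well. Second, `if [ $base_commit == $head_commit ]` is unquoted: with `base: ""` (the README's scan-entire-branch case) `base_commit` is empty, the test becomes `[ == <sha> ]` and bash reports "unary operator expected" instead of comparing, and with both empty `[ == ]` happens to be true; quote both sides. Third, `2>/dev/null || true` after each `git rev-parse` turns an unresolvable `base` or `head` into an empty string, so a typo in a ref silently widens the scan rather than failing; exit with an error when a non-empty input does not resolve. Finally, unquoted `${BASE:-''}` expands to no word at all when `BASE` is empty (the `''` is removed by quote removal), so `--since-commit` is immediately followed by `--branch` on the command line; if the CLI needs an explicit argument there, write `--since-commit="$BASE"` and `--branch="$HEAD"`, while leaving `${ARGS:-''}` unquoted since `extra_args` is meant to split into several flags.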