shallow cloning + GitHub Action (#2138)

* proposed shallow cloning gh action

* removing unnecessary steps

* adding back in git checkout

* removed git cloning + added backward compatibility
joeleonjr 2023-12-19 14:56:55 -05:00 committed by GitHub
parent 328a3f141f
commit a6364415e6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 134 additions and 42 deletions

View file

@ -13,10 +13,6 @@ jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Install Go
uses: actions/setup-go@v4
with:
go-version: '1.21'
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
@ -26,7 +22,4 @@ jobs:
uses: ./ uses: ./
id: dogfood id: dogfood
with: with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: --only-verified extra_args: --only-verified
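Review bot: Dropping `path`, `base` and `head` from the dogfood step means this job now exercises only the action's event-derived default range; the explicit `base`/`head` path that the README still documents under "Advanced Usage" is no longer run anywhere in CI. Consider keeping a second step that passes `base: ${{ github.event.repository.default_branch }}` and `head: HEAD` so both code paths are tested on every PR. Removing `Install Go` is fine now that the composite action pulls the published image instead of building from source, but it also means a PR that breaks the Go build would not be caught by this workflow.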

View file

@ -336,6 +336,62 @@ Exit Codes:
## :octocat: TruffleHog Github Action ## :octocat: TruffleHog Github Action
### General Usage
```
on:
push:
branches:
- main
pull_request:
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Secret Scanning
uses: trufflesecurity/trufflehog@main
with:
extra_args: --only-verified
```
In the example config above, we're scanning for live secrets in all PRs and Pushes to `main`. Only code changes in the referenced commits are scanned. If you'd like to scan an entire branch, please see the "Advanced Usage" section below.
### Shallow Cloning
If you're incorporating TruffleHog into a standalone workflow and aren't running any other CI/CD tooling alongside TruffleHog, then we recommend using [Shallow Cloning](https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---depthltdepthgt) to speed up your workflow. Here's an example for how to do it:
```
...
- shell: bash
run: |
if [ "${{ github.event_name }}" == "push" ]; then
echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
fi
if [ "${{ github.event_name }}" == "pull_request" ]; then
echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
fi
- uses: actions/checkout@v3
with:
ref: ${{env.branch}}
fetch-depth: ${{env.depth}}
- uses: trufflesecurity/trufflehog@main
with:
extra_args: --only-verified
...
```
Depending on the event type (push or PR), we calculate the number of commits present. Then we add 2, so that we can reference a base commit before our code changes. We pass that integer value to the `fetch-depth` flag in the checkout action in addition to the relevant branch. Now our checkout process should be much shorter.
### Advanced Usage
```yaml ```yaml
- name: TruffleHog - name: TruffleHog
uses: trufflesecurity/trufflehog@main uses: trufflesecurity/trufflehog@main
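Review bot: The shallow-cloning snippet interpolates event data straight into the `run:` script, which is the GitHub Actions script-injection pattern: `jq length <<< '${{ toJson(github.event.commits) }}'` breaks (and can execute whatever follows) as soon as a commit message contains a single quote, and `${{ github.event.pull_request.head.ref }}` is a branch name chosen by the PR author. Pass both through `env:` (for example `COMMITS: ${{ toJson(github.event.commits) }}`) and reference `"$COMMITS"` / `"$BRANCH"` inside the script instead. Three smaller points: the push payload's `commits` array holds at most 20 entries, so the computed depth is too small for larger pushes (say so, or tell readers to fall back to `fetch-depth: 0`); `ref: ${{env.branch}}` will not resolve for pull requests from forks, because that branch does not exist in the base repository; and the example pins `actions/checkout@v3` while the "General Usage" block just above uses `@v4`.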
@ -350,29 +406,16 @@ Exit Codes:
extra_args: --debug --only-verified extra_args: --debug --only-verified
``` ```
The TruffleHog OSS Github Action can be used to scan a range of commits for leaked credentials. The action will fail if If you'd like to specify specific `base` and `head` refs, you can use the `base` argument (`--since-commit` flag in TruffleHog CLI) and the `head` argument (`--branch` flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases, where the default behavior does not work.
any results are found.
For example, to scan the contents of pull requests you could use the following workflow: #### Advanced Usage: Scan entire branch
```
```yaml - name: scan-push
name: TruffleHog Secrets Scan
on: [pull_request]
jobs:
TruffleHog:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: TruffleHog OSS
uses: trufflesecurity/trufflehog@main uses: trufflesecurity/trufflehog@main
with: with:
path: ./ base: ""
base: ${{ github.event.repository.default_branch }} head: ${{ github.ref_name }}
head: HEAD extra_args: --only-verified
extra_args: --debug --only-verified
``` ```
## Pre-commit Hook ## Pre-commit Hook
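Review bot: The "Scan entire branch" example sets `head: ${{ github.ref_name }}`, which on `pull_request` events resolves to `<number>/merge`, a ref that does not exist in the local checkout, so `git rev-parse` in the action fails and the example only really works for `push` events; state that restriction next to the example. The sentence removed on the left, "The action will fail if any results are found", was the only place the README documented the `--fail` behaviour; keep it in the new text. Minor wording: "specify specific `base` and `head` refs" reads awkwardly; "pass your own `base` and `head` refs" says the same thing.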

View file

@ -1,11 +1,12 @@
name: 'TruffleHog OSS' name: 'TruffleHog OSS'
description: 'Scan Github Actions with TruffleHog' description: 'Scan Github Actions with TruffleHog.'
author: Truffle Security Co. <support@trufflesec.com> author: Truffle Security Co. <support@trufflesec.com>
inputs: inputs:
path: path:
description: Repository path description: Repository path
required: true required: false
default: "./"
base: base:
description: Start scanning from here (usually main branch). description: Start scanning from here (usually main branch).
required: false required: false
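Review bot: Now that `path` defaults to `"./"` and `base`/`head` are meant to be left unset in the normal case, the input descriptions should say so: "Repository path" gives no hint that the value is relative to the workspace and is bind-mounted into the container, and "Start scanning from here (usually main branch)" still reads as the recommended way to use `base`, when the README now advises leaving it empty unless the event-based default does not fit. Something like `description: Path to the checked-out repository, relative to the workspace (default ./)` plus a sentence that leaving both refs empty lets the action derive the range from the triggering event would save users from the "BASE and HEAD commits are the same" error. Also, "Scan Github Actions with TruffleHog." describes where the action runs rather than what it scans; "Scan a repository for leaked secrets with TruffleHog" is more accurate.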
@ -20,17 +21,72 @@ inputs:
branding: branding:
icon: "shield" icon: "shield"
color: "green" color: "green"
runs: runs:
using: "docker" using: "composite"
image: "docker://ghcr.io/trufflesecurity/trufflehog:latest" steps:
args: - shell: bash
- git env:
- file://${{ inputs.path }} REPO_PATH: ${{ inputs.path }}
- --since-commit BASE: ${{ inputs.base }}
- ${{ inputs.base }} HEAD: ${{ inputs.head }}
- --branch ARGS: ${{ inputs.extra_args }}
- ${{ inputs.head }} run: |
- --fail ##########################################
- --no-update ## ADVANCED USAGE ##
- --github-actions ## Scan by BASE & HEAD user inputs ##
- ${{ inputs.extra_args }} ## If BASE == HEAD, exit with error ##
##########################################
if [ -n "$BASE" ] || [ -n "$HEAD" ]; then
if [ -n "$BASE" ]; then
base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true
else
base_commit=""
fi
if [ -n "$HEAD" ]; then
head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true
else
head_commit=""
fi
if [ $base_commit == $head_commit ] ; then
echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)."
exit 1
fi
##########################################
## Scan commits based on event type ##
##########################################
else
if [ "${{ github.event_name }}" == "push" ]; then
COMMIT_LENGTH=$(jq length <<< '${{ toJson(github.event.commits) }}')
if [ $COMMIT_LENGTH == "0" ]; then
echo "No commits to scan"
exit 0
fi
HEAD=${{ github.event.after }}
if [ ${{ github.event.before }} == "0000000000000000000000000000000000000000" ]; then
BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH)
else
BASE=${{ github.event.before }}
fi
elif [ "${{ github.event_name }}" == "workflow_dispatch" ] || [ "${{ github.event_name }}" == "schedule" ]; then
BASE=""
HEAD=""
elif [ "${{ github.event_name }}" == "pull_request" ]; then
BASE=${{github.event.pull_request.base.sha}}
HEAD=${{github.event.pull_request.head.sha}}
fi
fi
##########################################
## Run TruffleHog ##
##########################################
docker run --rm -v "$REPO_PATH":/tmp \
ghcr.io/trufflesecurity/trufflehog:latest \
git file:///tmp/ \
--since-commit \
${BASE:-''} \
--branch \
${HEAD:-''} \
--fail \
--no-update \
--github-actions \
${ARGS:-''}
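Review bot: Two problems in `if [ $base_commit == $head_commit ] ; then`: the variables are unquoted, so when one supplied ref fails to resolve (`git rev-parse ... || true` leaves it empty) `[` gets the wrong number of arguments and the check silently evaluates as false, and when both are empty `[ == ]` is true, so the step fails with the misleading "commits are the same" message instead of reporting an unknown ref. Quote both sides and fail explicitly, with its own message, when a non-empty `$BASE` or `$HEAD` does not resolve. Same script-injection concern as in the README example: `COMMIT_LENGTH=$(jq length <<< '${{ toJson(github.event.commits) }}')` embeds commit messages inside a single-quoted shell string; move the JSON into `env:` next to `REPO_PATH` and read it as `"$COMMITS"`. Two further points: the push payload lists at most 20 commits, so `BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH)` under-scans a larger first push to a new branch (and fails outright when the branch has fewer than `COMMIT_LENGTH` ancestors, e.g. an initial commit), and the `-v "$REPO_PATH":/tmp` bind mount should be given an absolute path (`$(realpath "$REPO_PATH")`), since the new default `./` is relative and Docker expects bind-mount sources to be absolute.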