shallow cloning + GitHub Action (#2138)

* proposed shallow cloning gh action * removing unnecessary steps * adding back in git checkout * removed git cloning + added backward compatibility
2024-09-20 06:31:57 +00:00 · 2023-12-19 14:56:55 -05:00 · 2023-12-19 14:56:55 -05:00 · a6364415e6
commit a6364415e6
parent 328a3f141f
3 changed files with 134 additions and 42 deletions
--- a/.github/workflows/secrets.yml
+++ b/.github/workflows/secrets.yml
@ -13,10 +13,6 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-    - name: Install Go
-      uses: actions/setup-go@v4
-      with:
-        go-version: '1.21'
    - name: Checkout code
      uses: actions/checkout@v4
      with:
@ -26,7 +22,4 @@ jobs:
      uses: ./
      id: dogfood
      with:
-        path: ./
-        base: ${{ github.event.repository.default_branch }}
-        head: HEAD
        extra_args: --only-verified
--- a/README.md
+++ b/README.md
@ -336,6 +336,62 @@ Exit Codes:

 ## :octocat: TruffleHog Github Action

+### General Usage
+
+```
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Secret Scanning
+      uses: trufflesecurity/trufflehog@main
+      with:
+        extra_args: --only-verified
+```
+
+In the example config above, we're scanning for live secrets in all PRs and Pushes to `main`. Only code changes in the referenced commits are scanned. If you'd like to scan an entire branch, please see the "Advanced Usage" section below.
+
+
+### Shallow Cloning
+
+If you're incorporating TruffleHog into a standalone workflow and aren't running any other CI/CD tooling alongside TruffleHog, then we recommend using [Shallow Cloning](https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---depthltdepthgt) to speed up your workflow. Here's an example for how to do it:
+
+```
+...
+      - shell: bash
+        run: |
+          if [ "${{ github.event_name }}" == "push" ]; then
+            echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
+            echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
+          fi
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
+            echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
+          fi
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{env.branch}}
+          fetch-depth: ${{env.depth}}
+      - uses: trufflesecurity/trufflehog@main
+        with:
+          extra_args: --only-verified
+...
+```
+
+Depending on the event type (push or PR), we calculate the number of commits present. Then we add 2, so that we can reference a base commit before our code changes. We pass that integer value to the `fetch-depth` flag in the checkout action in addition to the relevant branch. Now our checkout process should be much shorter.
+
+### Advanced Usage
+
 ```yaml
 - name: TruffleHog
  uses: trufflesecurity/trufflehog@main
@ -350,29 +406,16 @@ Exit Codes:
    extra_args: --debug --only-verified
 ```

-The TruffleHog OSS Github Action can be used to scan a range of commits for leaked credentials. The action will fail if
-any results are found.
+If you'd like to specify specific `base` and `head` refs, you can use the `base` argument (`--since-commit` flag in TruffleHog CLI) and the `head` argument (`--branch` flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases, where the default behavior does not work.

-For example, to scan the contents of pull requests you could use the following workflow:
-
-```yaml
-name: TruffleHog Secrets Scan
-on: [pull_request]
-jobs:
-  TruffleHog:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: TruffleHog OSS
+#### Advanced Usage: Scan entire branch
+```
+- name: scan-push
        uses: trufflesecurity/trufflehog@main
        with:
-          path: ./
-          base: ${{ github.event.repository.default_branch }}
-          head: HEAD
-          extra_args: --debug --only-verified
+          base: ""
+          head: ${{ github.ref_name }}
+          extra_args: --only-verified
 ```

 ## Pre-commit Hook
--- a/action.yml
+++ b/action.yml
@ -1,11 +1,12 @@
 name: 'TruffleHog OSS'
-description: 'Scan Github Actions with TruffleHog'
+description: 'Scan Github Actions with TruffleHog.'
 author: Truffle Security Co. <support@trufflesec.com>

 inputs:
  path:
    description: Repository path
-    required: true
+    required: false
+    default: "./"
  base:
    description: Start scanning from here (usually main branch).
    required: false
@ -20,17 +21,72 @@ inputs:
 branding:
  icon: "shield"
  color: "green"
+
 runs:
-  using: "docker"
-  image: "docker://ghcr.io/trufflesecurity/trufflehog:latest"
-  args:
-    - git
-    - file://${{ inputs.path }}
-    - --since-commit
-    - ${{ inputs.base }}
-    - --branch
-    - ${{ inputs.head }}
-    - --fail
-    - --no-update
-    - --github-actions
-    - ${{ inputs.extra_args }}
+  using: "composite"
+  steps:
+  - shell: bash
+    env:
+      REPO_PATH: ${{ inputs.path }}
+      BASE: ${{ inputs.base }}
+      HEAD: ${{ inputs.head }}
+      ARGS: ${{ inputs.extra_args }}
+    run: |
+      ##########################################
+      ## ADVANCED USAGE                       ##
+      ## Scan by BASE & HEAD user inputs      ##
+      ## If BASE == HEAD, exit with error     ##
+      ##########################################
+      if [ -n "$BASE" ] || [ -n "$HEAD" ]; then
+        if [ -n "$BASE" ]; then
+          base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true
+        else
+          base_commit=""
+        fi
+        if [ -n "$HEAD" ]; then
+          head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true
+        else
+          head_commit=""
+        fi
+        if [ $base_commit == $head_commit ] ; then
+          echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)."
+          exit 1
+        fi
+      ##########################################
+      ## Scan commits based on event type     ##
+      ##########################################
+      else
+        if [ "${{ github.event_name }}" == "push" ]; then
+          COMMIT_LENGTH=$(jq length <<< '${{ toJson(github.event.commits) }}')
+          if [ $COMMIT_LENGTH == "0" ]; then
+            echo "No commits to scan"
+            exit 0
+          fi
+          HEAD=${{ github.event.after }}
+          if [ ${{ github.event.before }} == "0000000000000000000000000000000000000000" ]; then
+            BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH)
+          else
+            BASE=${{ github.event.before }}
+          fi
+        elif [ "${{ github.event_name }}" == "workflow_dispatch" ] || [ "${{ github.event_name }}" == "schedule" ]; then
+          BASE=""
+          HEAD=""
+        elif [ "${{ github.event_name }}" == "pull_request" ]; then
+          BASE=${{github.event.pull_request.base.sha}}
+          HEAD=${{github.event.pull_request.head.sha}}
+        fi
+      fi
+      ##########################################
+      ##          Run TruffleHog              ##
+      ##########################################       
+      docker run --rm -v "$REPO_PATH":/tmp \
+      ghcr.io/trufflesecurity/trufflehog:latest \
+      git file:///tmp/ \
+      --since-commit \
+      ${BASE:-''} \
+      --branch \
+      ${HEAD:-''} \
+      --fail \
+      --no-update \
+      --github-actions \
+      ${ARGS:-''}