mirror of
https://github.com/trufflesecurity/trufflehog.git
synced 2024-09-20 06:31:57 +00:00
shallow cloning + GitHub Action (#2138)
* proposed shallow cloning gh action
* removing unnecessary steps
* adding back in git checkout
* removed git cloning + added backward compatibility
parent 328a3f141f
commit a6364415e6
3 changed files with 134 additions and 42 deletions
7
.github/workflows/secrets.yml
vendored
|
@ -13,10 +13,6 @@ jobs:
|
|||
test:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Install Go
|
||||
uses: actions/setup-go@v4
|
||||
with:
|
||||
go-version: '1.21'
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
|
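Review bot: With the `Install Go` / `setup-go` step removed, the retained `Checkout code` step is the only thing that prepares the repository for the action, and the hunk ends right at its `with:` block. The composite action introduced in action.yml now runs `git rev-parse` against `github.event.before` (push) or the PR base SHA, so confirm that the surviving `with:` block still sets a `fetch-depth` that makes those refs available (the README examples use `fetch-depth: 0`); a default depth-1 checkout would leave the base commit unresolvable and the `|| true` fallback would silently turn it into an empty string.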
@ -26,7 +22,4 @@ jobs:
|
|||
uses: ./
|
||||
id: dogfood
|
||||
with:
|
||||
path: ./
|
||||
base: ${{ github.event.repository.default_branch }}
|
||||
head: HEAD
|
||||
extra_args: --only-verified
|
||||
|
|
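Review bot: Dropping `path: ./`, `base: ${{ github.event.repository.default_branch }}` and `head: HEAD` changes what the dogfood job scans, not only how it is configured: those inputs were the whole-branch mode, and without them the action falls back to the per-event logic in action.yml, which for this workflow's push and pull_request events scans only the commits carried by the event. If the intent is still to dogfood a full-branch scan, the README's new example for that is `base: ""` with `head: ${{ github.ref_name }}`; either way, a one-line comment in the workflow stating which mode is intended would save the next reader from re-deriving it from action.yml.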
83
README.md
|
@ -336,6 +336,62 @@ Exit Codes:
|
|||
|
||||
## :octocat: TruffleHog Github Action
|
||||
|
||||
### General Usage
|
||||
|
||||
```
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
pull_request:
|
||||
|
||||
jobs:
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Secret Scanning
|
||||
uses: trufflesecurity/trufflehog@main
|
||||
with:
|
||||
extra_args: --only-verified
|
||||
```
|
||||
|
||||
In the example config above, we're scanning for live secrets in all PRs and Pushes to `main`. Only code changes in the referenced commits are scanned. If you'd like to scan an entire branch, please see the "Advanced Usage" section below.
|
||||
|
||||
|
||||
### Shallow Cloning
|
||||
|
||||
If you're incorporating TruffleHog into a standalone workflow and aren't running any other CI/CD tooling alongside TruffleHog, then we recommend using [Shallow Cloning](https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---depthltdepthgt) to speed up your workflow. Here's an example for how to do it:
|
||||
|
||||
```
|
||||
...
|
||||
- shell: bash
|
||||
run: |
|
||||
if [ "${{ github.event_name }}" == "push" ]; then
|
||||
echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
|
||||
echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
|
||||
fi
|
||||
if [ "${{ github.event_name }}" == "pull_request" ]; then
|
||||
echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
|
||||
echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
|
||||
fi
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
ref: ${{env.branch}}
|
||||
fetch-depth: ${{env.depth}}
|
||||
- uses: trufflesecurity/trufflehog@main
|
||||
with:
|
||||
extra_args: --only-verified
|
||||
...
|
||||
```
|
||||
|
||||
Depending on the event type (push or PR), we calculate the number of commits present. Then we add 2, so that we can reference a base commit before our code changes. We pass that integer value to the `fetch-depth` flag in the checkout action in addition to the relevant branch. Now our checkout process should be much shorter.
|
||||
|
||||
### Advanced Usage
|
||||
|
||||
```yaml
|
||||
- name: TruffleHog
|
||||
uses: trufflesecurity/trufflehog@main
|
||||
|
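Review bot: The shallow-cloning example interpolates event data straight into a `run:` script: `jq length <<< '${{ toJson(github.event.commits) }}'` and `echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV`. Commit messages and pull-request branch names are chosen by whoever pushes or opens the PR, and a single quote inside a commit message terminates the here-string's quoting, so this is the standard workflow script-injection pattern that GitHub's own hardening guidance warns about. The safer form reads the payload from disk, `jq '.commits | length' "$GITHUB_EVENT_PATH"`, and passes the branch through an `env:` entry (for example `BRANCH: ${{ github.event.pull_request.head.ref }}`) that the script then uses as `"$BRANCH"`; that also removes the `${{ }}` expansions from inside the shell script entirely. Two smaller points: the example pins `actions/checkout@v3` while the General Usage block above uses `@v4`, and the first two fences in this section are untagged while the Advanced Usage fence is tagged `yaml`.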
@ -350,29 +406,16 @@ Exit Codes:
|
|||
extra_args: --debug --only-verified
|
||||
```
|
||||
|
||||
The TruffleHog OSS Github Action can be used to scan a range of commits for leaked credentials. The action will fail if
|
||||
any results are found.
|
||||
If you'd like to specify specific `base` and `head` refs, you can use the `base` argument (`--since-commit` flag in TruffleHog CLI) and the `head` argument (`--branch` flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases, where the default behavior does not work.
|
||||
|
||||
For example, to scan the contents of pull requests you could use the following workflow:
|
||||
|
||||
```yaml
|
||||
name: TruffleHog Secrets Scan
|
||||
on: [pull_request]
|
||||
jobs:
|
||||
TruffleHog:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: TruffleHog OSS
|
||||
#### Advanced Usage: Scan entire branch
|
||||
```
|
||||
- name: scan-push
|
||||
uses: trufflesecurity/trufflehog@main
|
||||
with:
|
||||
path: ./
|
||||
base: ${{ github.event.repository.default_branch }}
|
||||
head: HEAD
|
||||
extra_args: --debug --only-verified
|
||||
base: ""
|
||||
head: ${{ github.ref_name }}
|
||||
extra_args: --only-verified
|
||||
```
|
||||
|
||||
## Pre-commit Hook
|
||||
|
|
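Review bot: The statement that the action fails the job when results are found ("The action will fail if any results are found.") drops out of this hunk and nothing in the new text replaces it, even though action.yml still passes `--fail`; that behaviour is what most users need to know first, so keep a sentence for it under `### Advanced Usage` or in the new "Scan entire branch" block. The new example relies on `base: ""` meaning "no lower bound", but the paragraph above only says `base` maps to `--since-commit` and recommends it for "very specific use cases"; state explicitly that an empty `base` is what makes this example cover the whole branch. Formatting: `#### Advanced Usage: Scan entire branch` is a level-4 heading that lands directly after the previous fence with no blank line before its own untagged fence, and "specify specific `base` and `head` refs" reads better as "pin specific `base` and `head` refs".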
86
action.yml
|
@ -1,11 +1,12 @@
|
|||
name: 'TruffleHog OSS'
|
||||
description: 'Scan Github Actions with TruffleHog'
|
||||
description: 'Scan Github Actions with TruffleHog.'
|
||||
author: Truffle Security Co. <support@trufflesec.com>
|
||||
|
||||
inputs:
|
||||
path:
|
||||
description: Repository path
|
||||
required: true
|
||||
required: false
|
||||
default: "./"
|
||||
base:
|
||||
description: Start scanning from here (usually main branch).
|
||||
required: false
|
||||
|
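Review bot: Making `path` optional with `default: "./"` is the right call for the composite rewrite, but the `base` input's description, `Start scanning from here (usually main branch).`, is now stale: after this commit an unset `base` is derived from the event (the push `before` SHA, the PR base SHA, or empty for `workflow_dispatch` and `schedule`), so the description should say that it is optional and what the fallback is, and the same applies to `head`. Separately, `description: 'Scan Github Actions with TruffleHog.'` names GitHub Actions as the thing being scanned; the action scans a repository's git history, so "Scan a repository for secrets with TruffleHog." would be accurate (and "GitHub" is the product's spelling).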
@ -20,17 +21,72 @@ inputs:
|
|||
branding:
|
||||
icon: "shield"
|
||||
color: "green"
|
||||
|
||||
runs:
|
||||
using: "docker"
|
||||
image: "docker://ghcr.io/trufflesecurity/trufflehog:latest"
|
||||
args:
|
||||
- git
|
||||
- file://${{ inputs.path }}
|
||||
- --since-commit
|
||||
- ${{ inputs.base }}
|
||||
- --branch
|
||||
- ${{ inputs.head }}
|
||||
- --fail
|
||||
- --no-update
|
||||
- --github-actions
|
||||
- ${{ inputs.extra_args }}
|
||||
using: "composite"
|
||||
steps:
|
||||
- shell: bash
|
||||
env:
|
||||
REPO_PATH: ${{ inputs.path }}
|
||||
BASE: ${{ inputs.base }}
|
||||
HEAD: ${{ inputs.head }}
|
||||
ARGS: ${{ inputs.extra_args }}
|
||||
run: |
|
||||
##########################################
|
||||
## ADVANCED USAGE ##
|
||||
## Scan by BASE & HEAD user inputs ##
|
||||
## If BASE == HEAD, exit with error ##
|
||||
##########################################
|
||||
if [ -n "$BASE" ] || [ -n "$HEAD" ]; then
|
||||
if [ -n "$BASE" ]; then
|
||||
base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true
|
||||
else
|
||||
base_commit=""
|
||||
fi
|
||||
if [ -n "$HEAD" ]; then
|
||||
head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true
|
||||
else
|
||||
head_commit=""
|
||||
fi
|
||||
if [ $base_commit == $head_commit ] ; then
|
||||
echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)."
|
||||
exit 1
|
||||
fi
|
||||
##########################################
|
||||
## Scan commits based on event type ##
|
||||
##########################################
|
||||
else
|
||||
if [ "${{ github.event_name }}" == "push" ]; then
|
||||
COMMIT_LENGTH=$(jq length <<< '${{ toJson(github.event.commits) }}')
|
||||
if [ $COMMIT_LENGTH == "0" ]; then
|
||||
echo "No commits to scan"
|
||||
exit 0
|
||||
fi
|
||||
HEAD=${{ github.event.after }}
|
||||
if [ ${{ github.event.before }} == "0000000000000000000000000000000000000000" ]; then
|
||||
BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH)
|
||||
else
|
||||
BASE=${{ github.event.before }}
|
||||
fi
|
||||
elif [ "${{ github.event_name }}" == "workflow_dispatch" ] || [ "${{ github.event_name }}" == "schedule" ]; then
|
||||
BASE=""
|
||||
HEAD=""
|
||||
elif [ "${{ github.event_name }}" == "pull_request" ]; then
|
||||
BASE=${{github.event.pull_request.base.sha}}
|
||||
HEAD=${{github.event.pull_request.head.sha}}
|
||||
fi
|
||||
fi
|
||||
##########################################
|
||||
## Run TruffleHog ##
|
||||
##########################################
|
||||
docker run --rm -v "$REPO_PATH":/tmp \
|
||||
ghcr.io/trufflesecurity/trufflehog:latest \
|
||||
git file:///tmp/ \
|
||||
--since-commit \
|
||||
${BASE:-''} \
|
||||
--branch \
|
||||
${HEAD:-''} \
|
||||
--fail \
|
||||
--no-update \
|
||||
--github-actions \
|
||||
${ARGS:-''}
|
||||
|
|
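Review bot: The comparisons in this script use unquoted operands, so `if [ $base_commit == $head_commit ] ; then` becomes `[ == <sha> ]` whenever one side is empty, which is exactly the documented `base: ""` case; `test` rejects that with a unary-operator error, and because the failure happens inside an `if` condition the step's `bash -e` does not abort, so the guard silently never fires. Quote both sides: `if [ "$base_commit" == "$head_commit" ]; then`, and likewise `[ "$COMMIT_LENGTH" == "0" ]` and `[ "${{ github.event.before }}" == "0000000000000000000000000000000000000000" ]`. Second, `COMMIT_LENGTH=$(jq length <<< '${{ toJson(github.event.commits) }}')` interpolates commit messages into the shell script; `jq '.commits | length' "$GITHUB_EVENT_PATH"` reads the same payload from disk without any `${{ }}` inside the script, and the PR SHAs (`github.event.pull_request.base.sha` / `head.sha`) are better passed through the existing `env:` block than expanded inline. Third, `BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH)` on a first push assumes the checkout contains that many ancestors; with a shallow clone it fails and, under `-e`, the step exits before the scan with nothing but git's error, so add a `|| true` with an explanatory `echo "::error::..."` like the BASE/HEAD branch already has. Fourth, `docker run --rm -v "$REPO_PATH":/tmp` hands the new default `./` to docker verbatim; resolving it first (`-v "$(realpath "$REPO_PATH")":/tmp`) keeps the bind mount from depending on how docker treats a relative host path. Finally, `${ARGS:-''}` is deliberately unquoted so that `extra_args: --debug --only-verified` word-splits into two arguments; a comment saying so would stop a later cleanup from quoting it and breaking `extra_args`.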