Add GitHub Actions output (#1201)

* Add GitHub Actions output Co-authored-by: Mike Vanbuskirk <mike.vanbuskirk@trufflesec.com>
2024-09-20 06:31:57 +00:00 · 2023-03-28 09:07:26 -07:00 · 2023-03-28 09:07:26 -07:00 · cb454bfc05
commit cb454bfc05
parent fb9ae75661
6 changed files with 95 additions and 16 deletions
--- a/action.yml
+++ b/action.yml
@ -17,6 +17,9 @@ inputs:
    default: ''
    description: Extra args to be passed to the trufflehog cli.
    required: false
+outputs:
+  results:
+    description: 'Trufflehog scan results'
 branding:
  icon: "shield"
  color: "green"
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -3,4 +3,5 @@
 # Parse the last argument into an array of extra_args.
 mapfile -t extra_args < <(bash -c "for arg in ${*: -1}; do echo \$arg; done")

-/usr/bin/trufflehog "${@: 1: $#-1}" "${extra_args[@]}"
+results=$(/usr/bin/trufflehog "${@: 1: $#-1}" "${extra_args[@]}")
+echo "results=$results" >> $GITHUB_OUTPUT
--- a/main.go
+++ b/main.go
@ -41,6 +41,7 @@ var (
 	profile             = cli.Flag("profile", "Enables profiling and sets a pprof and fgprof server on :18066.").Bool()
 	jsonOut             = cli.Flag("json", "Output in JSON format.").Short('j').Bool()
 	jsonLegacy          = cli.Flag("json-legacy", "Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.").Bool()
+	gitHubActionsFormat = cli.Flag("github-actions", "Output in GitHub Actions format.").Bool()
 	concurrency         = cli.Flag("concurrency", "Number of concurrent workers.").Default(strconv.Itoa(runtime.NumCPU())).Int()
 	noVerification      = cli.Flag("no-verification", "Don't verify the results.").Bool()
 	onlyVerified        = cli.Flag("only-verified", "Only output verified results.").Bool()
@ -441,6 +442,8 @@ func run(state overseer.State) {
 			err = output.PrintLegacyJSON(ctx, &r)
 		case *jsonOut:
 			err = output.PrintJSON(&r)
+		case *gitHubActionsFormat:
+			err = output.PrintGitHubActionsOutput(&r)
 		default:
 			err = output.PrintPlainOutput(&r)
 		}
--- a/pkg/output/github_actions.go
+++ b/pkg/output/github_actions.go
@ -0,0 +1,72 @@
+package output
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+var dedupeCache = make(map[string]struct{})
+
+func PrintGitHubActionsOutput(r *detectors.ResultWithMetadata) error {
+	out := gitHubActionsOutputFormat{
+		DetectorType: r.Result.DetectorType.String(),
+		DecoderType:  r.Result.DecoderType.String(),
+		Verified:     r.Result.Verified,
+	}
+
+	meta, err := structToMap(r.SourceMetadata.Data)
+	if err != nil {
+		return fmt.Errorf("could not marshal result: %w", err)
+	}
+
+	for _, data := range meta {
+		for k, v := range data {
+			if k == "line" {
+				if line, ok := v.(float64); ok {
+					out.StartLine = int64(line)
+				}
+			}
+			if k == "file" {
+				if filename, ok := v.(string); ok {
+					out.Filename = filename
+				}
+			}
+		}
+	}
+
+	verifiedStatus := "unverified"
+	if out.Verified {
+		verifiedStatus = "verified"
+	}
+
+	key := fmt.Sprintf("%s:%s:%s:%s:%d", out.DecoderType, out.DetectorType, verifiedStatus, out.Filename, out.StartLine)
+	h := sha256.New()
+	h.Write([]byte(key))
+	key = hex.EncodeToString(h.Sum(nil))
+	if _, ok := dedupeCache[key]; ok {
+		return nil
+	}
+	dedupeCache[key] = struct{}{}
+
+	message := fmt.Sprintf("Found %s %s result 🐷🔑\n", verifiedStatus, out.DetectorType)
+	if r.Result.DecoderType != detectorspb.DecoderType_PLAIN {
+		message = fmt.Sprintf("Found %s %s result with %s encoding 🐷🔑\n", verifiedStatus, out.DetectorType, out.DecoderType)
+	}
+
+	fmt.Printf("::warning file=%s,line=%d,endLine=%d::%s",
+		out.Filename, out.StartLine, out.StartLine, message)
+
+	return nil
+}
+
+type gitHubActionsOutputFormat struct {
+	DetectorType,
+	DecoderType string
+	Verified  bool
+	StartLine int64
+	Filename  string
+}