mirror of
https://github.com/trufflesecurity/trufflehog.git
synced 2024-09-20 14:42:03 +00:00
Add GitHub Actions output (#1201)
* Add GitHub Actions output Co-authored-by: Mike Vanbuskirk <mike.vanbuskirk@trufflesec.com>
This commit is contained in:
parent
fb9ae75661
commit
cb454bfc05
6 changed files with 95 additions and 16 deletions
4
.github/workflows/secrets.yml
vendored
4
.github/workflows/secrets.yml
vendored
|
@ -7,7 +7,7 @@ on:
|
|||
- v*
|
||||
branches:
|
||||
- main
|
||||
pull_request:
|
||||
pull_request:
|
||||
|
||||
jobs:
|
||||
test:
|
||||
|
@ -28,4 +28,4 @@ jobs:
|
|||
with:
|
||||
path: ./
|
||||
base: ${{ github.event.repository.default_branch }}
|
||||
head: HEAD
|
||||
head: HEAD
|
||||
|
|
2
Makefile
2
Makefile
|
@ -62,4 +62,4 @@ snifftest:
|
|||
./hack/snifftest/snifftest.sh
|
||||
|
||||
test-release:
|
||||
goreleaser release --rm-dist --skip-publish --snapshot
|
||||
goreleaser release --rm-dist --skip-publish --snapshot
|
||||
|
|
|
@ -17,6 +17,9 @@ inputs:
|
|||
default: ''
|
||||
description: Extra args to be passed to the trufflehog cli.
|
||||
required: false
|
||||
outputs:
|
||||
results:
|
||||
description: 'Trufflehog scan results'
|
||||
branding:
|
||||
icon: "shield"
|
||||
color: "green"
|
||||
|
|
|
@ -3,4 +3,5 @@
|
|||
# Parse the last argument into an array of extra_args.
|
||||
mapfile -t extra_args < <(bash -c "for arg in ${*: -1}; do echo \$arg; done")
|
||||
|
||||
/usr/bin/trufflehog "${@: 1: $#-1}" "${extra_args[@]}"
|
||||
results=$(/usr/bin/trufflehog "${@: 1: $#-1}" "${extra_args[@]}")
|
||||
echo "results=$results" >> $GITHUB_OUTPUT
|
||||
|
|
27
main.go
27
main.go
|
@ -34,18 +34,19 @@ import (
|
|||
)
|
||||
|
||||
var (
|
||||
cli = kingpin.New("TruffleHog", "TruffleHog is a tool for finding credentials.")
|
||||
cmd string
|
||||
debug = cli.Flag("debug", "Run in debug mode.").Bool()
|
||||
trace = cli.Flag("trace", "Run in trace mode.").Bool()
|
||||
profile = cli.Flag("profile", "Enables profiling and sets a pprof and fgprof server on :18066.").Bool()
|
||||
jsonOut = cli.Flag("json", "Output in JSON format.").Short('j').Bool()
|
||||
jsonLegacy = cli.Flag("json-legacy", "Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.").Bool()
|
||||
concurrency = cli.Flag("concurrency", "Number of concurrent workers.").Default(strconv.Itoa(runtime.NumCPU())).Int()
|
||||
noVerification = cli.Flag("no-verification", "Don't verify the results.").Bool()
|
||||
onlyVerified = cli.Flag("only-verified", "Only output verified results.").Bool()
|
||||
filterUnverified = cli.Flag("filter-unverified", "Only output first unverified result per chunk per detector if there are more than one results.").Bool()
|
||||
configFilename = cli.Flag("config", "Path to configuration file.").ExistingFile()
|
||||
cli = kingpin.New("TruffleHog", "TruffleHog is a tool for finding credentials.")
|
||||
cmd string
|
||||
debug = cli.Flag("debug", "Run in debug mode.").Bool()
|
||||
trace = cli.Flag("trace", "Run in trace mode.").Bool()
|
||||
profile = cli.Flag("profile", "Enables profiling and sets a pprof and fgprof server on :18066.").Bool()
|
||||
jsonOut = cli.Flag("json", "Output in JSON format.").Short('j').Bool()
|
||||
jsonLegacy = cli.Flag("json-legacy", "Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.").Bool()
|
||||
gitHubActionsFormat = cli.Flag("github-actions", "Output in GitHub Actions format.").Bool()
|
||||
concurrency = cli.Flag("concurrency", "Number of concurrent workers.").Default(strconv.Itoa(runtime.NumCPU())).Int()
|
||||
noVerification = cli.Flag("no-verification", "Don't verify the results.").Bool()
|
||||
onlyVerified = cli.Flag("only-verified", "Only output verified results.").Bool()
|
||||
filterUnverified = cli.Flag("filter-unverified", "Only output first unverified result per chunk per detector if there are more than one results.").Bool()
|
||||
configFilename = cli.Flag("config", "Path to configuration file.").ExistingFile()
|
||||
// rules = cli.Flag("rules", "Path to file with custom rules.").String()
|
||||
printAvgDetectorTime = cli.Flag("print-avg-detector-time", "Print the average time spent on each detector.").Bool()
|
||||
noUpdate = cli.Flag("no-update", "Don't check for updates.").Bool()
|
||||
|
@ -441,6 +442,8 @@ func run(state overseer.State) {
|
|||
err = output.PrintLegacyJSON(ctx, &r)
|
||||
case *jsonOut:
|
||||
err = output.PrintJSON(&r)
|
||||
case *gitHubActionsFormat:
|
||||
err = output.PrintGitHubActionsOutput(&r)
|
||||
default:
|
||||
err = output.PrintPlainOutput(&r)
|
||||
}
|
||||
|
|
72
pkg/output/github_actions.go
Normal file
72
pkg/output/github_actions.go
Normal file
|
@ -0,0 +1,72 @@
|
|||
package output
|
||||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
|
||||
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
|
||||
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
|
||||
)
|
||||
|
||||
var dedupeCache = make(map[string]struct{})
|
||||
|
||||
func PrintGitHubActionsOutput(r *detectors.ResultWithMetadata) error {
|
||||
out := gitHubActionsOutputFormat{
|
||||
DetectorType: r.Result.DetectorType.String(),
|
||||
DecoderType: r.Result.DecoderType.String(),
|
||||
Verified: r.Result.Verified,
|
||||
}
|
||||
|
||||
meta, err := structToMap(r.SourceMetadata.Data)
|
||||
if err != nil {
|
||||
return fmt.Errorf("could not marshal result: %w", err)
|
||||
}
|
||||
|
||||
for _, data := range meta {
|
||||
for k, v := range data {
|
||||
if k == "line" {
|
||||
if line, ok := v.(float64); ok {
|
||||
out.StartLine = int64(line)
|
||||
}
|
||||
}
|
||||
if k == "file" {
|
||||
if filename, ok := v.(string); ok {
|
||||
out.Filename = filename
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
verifiedStatus := "unverified"
|
||||
if out.Verified {
|
||||
verifiedStatus = "verified"
|
||||
}
|
||||
|
||||
key := fmt.Sprintf("%s:%s:%s:%s:%d", out.DecoderType, out.DetectorType, verifiedStatus, out.Filename, out.StartLine)
|
||||
h := sha256.New()
|
||||
h.Write([]byte(key))
|
||||
key = hex.EncodeToString(h.Sum(nil))
|
||||
if _, ok := dedupeCache[key]; ok {
|
||||
return nil
|
||||
}
|
||||
dedupeCache[key] = struct{}{}
|
||||
|
||||
message := fmt.Sprintf("Found %s %s result 🐷🔑\n", verifiedStatus, out.DetectorType)
|
||||
if r.Result.DecoderType != detectorspb.DecoderType_PLAIN {
|
||||
message = fmt.Sprintf("Found %s %s result with %s encoding 🐷🔑\n", verifiedStatus, out.DetectorType, out.DecoderType)
|
||||
}
|
||||
|
||||
fmt.Printf("::warning file=%s,line=%d,endLine=%d::%s",
|
||||
out.Filename, out.StartLine, out.StartLine, message)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
type gitHubActionsOutputFormat struct {
|
||||
DetectorType,
|
||||
DecoderType string
|
||||
Verified bool
|
||||
StartLine int64
|
||||
Filename string
|
||||
}
|
Loading…
Reference in a new issue