name: 'TruffleHog OSS' description: 'Scan Github Actions with TruffleHog.' author: Truffle Security Co. inputs: path: description: Repository path required: false default: "./" base: description: Start scanning from here (usually main branch). required: false default: '' head: description: Scan commits until here (usually dev branch). required: false extra_args: default: '' description: Extra args to be passed to the trufflehog cli. required: false version: default: 'latest' description: Scan with this trufflehog cli version. required: false branding: icon: "shield" color: "green" runs: using: "composite" steps: - shell: bash working-directory: ${{ inputs.path }} env: BASE: ${{ inputs.base }} HEAD: ${{ inputs.head }} ARGS: ${{ inputs.extra_args }} COMMITS: ${{ toJson(github.event.commits) }} VERSION: ${{ inputs.version }} run: | ########################################## ## ADVANCED USAGE ## ## Scan by BASE & HEAD user inputs ## ## If BASE == HEAD, exit with error ## ########################################## git status >/dev/null # make sure we are in a git repostiory if [ -n "$BASE" ] || [ -n "$HEAD" ]; then if [ -n "$BASE" ]; then base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true else base_commit="" fi if [ -n "$HEAD" ]; then head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true else head_commit="" fi if [ "$base_commit" == "$head_commit" ] ; then echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)." exit 1 fi ########################################## ## Scan commits based on event type ## ########################################## else if [ "${{ github.event_name }}" == "push" ]; then COMMIT_LENGTH=$(printenv COMMITS | jq length) if [ $COMMIT_LENGTH == "0" ]; then echo "No commits to scan" exit 0 fi HEAD=${{ github.event.after }} if [ ${{ github.event.before }} == "0000000000000000000000000000000000000000" ]; then BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH) else BASE=${{ github.event.before }} fi elif [ "${{ github.event_name }}" == "workflow_dispatch" ] || [ "${{ github.event_name }}" == "schedule" ]; then BASE="" HEAD="" elif [ "${{ github.event_name }}" == "pull_request" ]; then BASE=${{github.event.pull_request.base.sha}} HEAD=${{github.event.pull_request.head.sha}} fi fi ########################################## ## Run TruffleHog ## ########################################## docker run --rm -v .:/tmp -w /tmp \ ghcr.io/trufflesecurity/trufflehog:${VERSION} \ git file:///tmp/ \ --since-commit \ ${BASE:-''} \ --branch \ ${HEAD:-''} \ --fail \ --no-update \ --github-actions \ ${ARGS:-''}