mirror of
https://github.com/trufflesecurity/trufflehog.git
synced 2024-11-10 07:04:24 +00:00
f122b295bf
This change executes all shell commands relative to `path`, and makes sure that `git` is always working by running `git status` first. If the `path` is not a git repository, `git status` should give a clear error message about this.
99 lines
3.3 KiB
YAML
99 lines
3.3 KiB
YAML
name: 'TruffleHog OSS'
|
|
description: 'Scan Github Actions with TruffleHog.'
|
|
author: Truffle Security Co. <support@trufflesec.com>
|
|
|
|
inputs:
|
|
path:
|
|
description: Repository path
|
|
required: false
|
|
default: "./"
|
|
base:
|
|
description: Start scanning from here (usually main branch).
|
|
required: false
|
|
default: ''
|
|
head:
|
|
description: Scan commits until here (usually dev branch).
|
|
required: false
|
|
extra_args:
|
|
default: ''
|
|
description: Extra args to be passed to the trufflehog cli.
|
|
required: false
|
|
version:
|
|
default: 'latest'
|
|
description: Scan with this trufflehog cli version.
|
|
required: false
|
|
branding:
|
|
icon: "shield"
|
|
color: "green"
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- shell: bash
|
|
working-directory: ${{ inputs.path }}
|
|
env:
|
|
BASE: ${{ inputs.base }}
|
|
HEAD: ${{ inputs.head }}
|
|
ARGS: ${{ inputs.extra_args }}
|
|
COMMITS: ${{ toJson(github.event.commits) }}
|
|
VERSION: ${{ inputs.version }}
|
|
run: |
|
|
##########################################
|
|
## ADVANCED USAGE ##
|
|
## Scan by BASE & HEAD user inputs ##
|
|
## If BASE == HEAD, exit with error ##
|
|
##########################################
|
|
git status >/dev/null # make sure we are in a git repostiory
|
|
if [ -n "$BASE" ] || [ -n "$HEAD" ]; then
|
|
if [ -n "$BASE" ]; then
|
|
base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true
|
|
else
|
|
base_commit=""
|
|
fi
|
|
if [ -n "$HEAD" ]; then
|
|
head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true
|
|
else
|
|
head_commit=""
|
|
fi
|
|
if [ "$base_commit" == "$head_commit" ] ; then
|
|
echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)."
|
|
exit 1
|
|
fi
|
|
##########################################
|
|
## Scan commits based on event type ##
|
|
##########################################
|
|
else
|
|
if [ "${{ github.event_name }}" == "push" ]; then
|
|
COMMIT_LENGTH=$(printenv COMMITS | jq length)
|
|
if [ $COMMIT_LENGTH == "0" ]; then
|
|
echo "No commits to scan"
|
|
exit 0
|
|
fi
|
|
HEAD=${{ github.event.after }}
|
|
if [ ${{ github.event.before }} == "0000000000000000000000000000000000000000" ]; then
|
|
BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH)
|
|
else
|
|
BASE=${{ github.event.before }}
|
|
fi
|
|
elif [ "${{ github.event_name }}" == "workflow_dispatch" ] || [ "${{ github.event_name }}" == "schedule" ]; then
|
|
BASE=""
|
|
HEAD=""
|
|
elif [ "${{ github.event_name }}" == "pull_request" ]; then
|
|
BASE=${{github.event.pull_request.base.sha}}
|
|
HEAD=${{github.event.pull_request.head.sha}}
|
|
fi
|
|
fi
|
|
##########################################
|
|
## Run TruffleHog ##
|
|
##########################################
|
|
docker run --rm -v .:/tmp -w /tmp \
|
|
ghcr.io/trufflesecurity/trufflehog:${VERSION} \
|
|
git file:///tmp/ \
|
|
--since-commit \
|
|
${BASE:-''} \
|
|
--branch \
|
|
${HEAD:-''} \
|
|
--fail \
|
|
--no-update \
|
|
--github-actions \
|
|
${ARGS:-''}
|