1542 benefit finder trait #99

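---
# Secret scanning with trufflehog3. Runs on pushes to main/dev, on pull
# requests, and when called from another workflow; uploads the results to
# S3 via the pipeline scripts, opens a GitHub issue when anything is found,
# and fails the job so the finding cannot be missed.
name: TruffleHog Scan

on:  # yamllint disable-line rule:truthy
  workflow_call:
  push:
    branches:
      - main
      - dev
  pull_request:

# Least privilege for the automatic GITHUB_TOKEN: this job only reads the
# repository. Issue creation below authenticates with a PAT, not GITHUB_TOKEN,
# so it does not need issues:write here.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # NOTE(review): prefer pinning to a full commit SHA instead of the
        # mutable "v4" tag so a moved or compromised tag cannot change what
        # runs in this job.
        uses: actions/checkout@v4
        with:
          # Full history so trufflehog3 can scan every commit reachable from
          # the branch, not only the checked-out tree.
          fetch-depth: 0

      - name: Install basic dependencies
        run: ./scripts/pipeline/deb-basic-deps.sh

      - name: Install AWSCLI
        run: ./scripts/pipeline/awscli-install.sh

      - name: Install Cloudfoundry CLI
        run: ./scripts/pipeline/deb-cf-install.sh

      - name: Install GitHub CLI
        run: |
          sudo apt-get update
          sudo apt-get install -y gh

      - name: Set branch name
        # Kept for the sourced pipeline scripts. Note this takes only the
        # third path segment, so "refs/heads/feature/x" yields "feature".
        run: echo "BRANCH=$(echo $GITHUB_REF | cut -d'/' -f 3)" >> "$GITHUB_ENV"

      - name: Authenticate GitHub CLI
        # NOTE(review): this installs the PAT as a git credential helper for
        # every later step. The scan itself runs on the local checkout and
        # does not appear to need it; confirm whether a sourced pipeline
        # script relies on git credentials before removing this step.
        env:
          GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
        run: |
          gh auth setup-git

      - name: Install TruffleHog3
        # NOTE(review): unpinned install; pin to a known version (and ideally
        # a hash) so a new release cannot silently change scan results or run
        # unreviewed code in this job.
        run: |
          pip install trufflehog3

      - name: TruffleHog3 Scan
        id: scan
        env:
          # Pass GitHub context through env rather than interpolating ${{ }}
          # directly into the script: the value is then data to the shell,
          # never shell source.
          ACTOR: ${{ github.actor }}
        run: |
          # NOTE(review): on pull_request events GITHUB_REF is
          # "refs/pull/N/merge", so this is not a branch name there; confirm
          # what trufflehog3 --branch expects in that case.
          BRANCH_NAME="${GITHUB_REF#refs/heads/}"
          echo "Scanning branch: $BRANCH_NAME"
          echo "branch=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
          echo "emoji=:exclamation:" >> "$GITHUB_OUTPUT"
          echo "actor=$ACTOR" >> "$GITHUB_OUTPUT"

          # Capture the scanner's exit status instead of discarding it with
          # "|| true": a crashed scanner must be distinguishable from a clean
          # one. Findings themselves are counted from the JSON in the next
          # step, so this step never fails merely because secrets were found.
          # NOTE(review): --no-entropy disables entropy-based detection and
          # -vv may echo matched strings into the persisted job log; confirm
          # both are intended.
          SCAN_EXIT=0
          trufflehog3 --branch "$BRANCH_NAME" --no-entropy --severity MEDIUM -vv \
            -c .trufflehog3.yml -r rules.yml \
            --format json --output truffleHogResults.json || SCAN_EXIT=$?
          echo "exit_code=$SCAN_EXIT" >> "$GITHUB_OUTPUT"
          trufflehog3 -R truffleHogResults.json --output truffleHogReport.html

      - name: Check TruffleHog Results
        id: check_results
        if: ${{ !cancelled() }}
        run: |
          # file_exists stays in GITHUB_ENV for the upload step; the finding
          # count is exposed as a step output for the steps below.
          if [ -f truffleHogResults.json ]; then
            echo "file_exists=true" >> "$GITHUB_ENV"
            # Accept either a bare list of issues or an object with a
            # "results" key (the shape the original check assumed), so the
            # count does not depend on one output layout.
            if ! COUNT=$(jq 'if type == "array" then length else (.results // [] | length) end' truffleHogResults.json); then
              echo "::error::truffleHogResults.json is not valid JSON; treat the scan as failed."
              exit 1
            fi
          else
            echo "file_exists=false" >> "$GITHUB_ENV"
            COUNT=0
          fi
          echo "findings=$COUNT" >> "$GITHUB_OUTPUT"
          echo "Findings: $COUNT"

      - name: Cloud.gov login
        env:
          CF_USER: "${{ secrets.CF_USER }}"
          CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
          CF_ORG: "${{ secrets.CF_ORG }}"
          PROJECT: "${{ secrets.PROJECT }}"
        run: |
          source ./scripts/pipeline/cloud-gov-login.sh

      - name: Upload Trufflehog Results
        if: always() && env.file_exists == 'true'
        shell: bash
        env:
          CF_USER: "${{ secrets.CF_USER }}"
          CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
          CF_ORG: "${{ secrets.CF_ORG }}"
          PROJECT: "${{ secrets.PROJECT }}"
          DATABASE_BACKUP_BASTION_NAME: "${{ secrets.DATABASE_BACKUP_BASTION_NAME }}"
        run: |
          # The results file and report contain the matched secret values:
          # the destination bucket must be private and access-logged.
          # Colons are not valid in S3-friendly object names, so they are
          # replaced with dashes in the timestamp.
          export TIMESTAMP=$(date --utc +%FT%TZ | tr ':' '-')
          mv truffleHogResults.json "truffleHogResults-${TIMESTAMP}.json"
          mv truffleHogReport.html "truffleHogReport-${TIMESTAMP}.html"
          source ./scripts/pipeline/s3-thog-upload.sh

      - name: Check for findings and create issue
        # Runs on findings regardless of whether the upload succeeded, so a
        # broken upload cannot hide a secret.
        if: ${{ !cancelled() && steps.check_results.outputs.findings != '' && steps.check_results.outputs.findings != '0' }}
        env:
          GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
          FINDINGS: ${{ steps.check_results.outputs.findings }}
          SCANNED_BRANCH: ${{ steps.scan.outputs.branch }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          echo "Secrets found ($FINDINGS). Creating GitHub issue."
          # Deliberately do NOT paste the report into the issue body: it
          # contains the matched secret values, and an issue is a second
          # place they would then live (notified, indexed, mirrored). Link to
          # the run instead; the full report is in the uploaded artifacts.
          gh issue create \
            --title "TruffleHog Scan Results: $FINDINGS finding(s) on $SCANNED_BRANCH" \
            --body "TruffleHog3 reported $FINDINGS potential secret(s) on branch \`$SCANNED_BRANCH\`. See run $RUN_URL and the uploaded report, verify each finding, and rotate any confirmed credential. Do not paste the findings into this issue." \
            --label "bug,security" \
            --assignee "@me"

      - name: Fail the job if any secrets are found
        if: ${{ !cancelled() && steps.check_results.conclusion == 'success' }}
        env:
          FINDINGS: ${{ steps.check_results.outputs.findings }}
          SCAN_EXIT: ${{ steps.scan.outputs.exit_code }}
        run: |
          if [ "${FINDINGS:-0}" != "0" ]; then
            echo "::error::TruffleHog3 reported $FINDINGS potential secret(s); see the uploaded report."
            exit 1
          fi
          # A scanner that exited non-zero without reporting anything most
          # likely failed (bad config, missing rules file); do not let that
          # pass as a clean scan.
          if [ "${SCAN_EXIT:-0}" != "0" ]; then
            echo "::error::trufflehog3 exited with status $SCAN_EXIT without reporting findings; check the scan step output."
            exit 1
          fi
          echo "No secrets found."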