Skip to content

Merge pull request #1595 from GSA/1590-git-hooks-bugs #131

Merge pull request #1595 from GSA/1590-git-hooks-bugs

Merge pull request #1595 from GSA/1590-git-hooks-bugs #131

name: TruffleHog Scan
on:
workflow_call:
push:
branches:
- main
- dev
pull_request:
branches:
- main
- dev
jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install basic dependancies
run: ./scripts/pipeline/deb-basic-deps.sh
- name: Install AWSCLI
run: ./scripts/pipeline/awscli-install.sh
- name: Install Cloudfoundry CLI
run: ./scripts/pipeline/deb-cf-install.sh
- name: Install GitHub CLI
run: |
sudo apt-get update
sudo apt-get install -y gh
- name: Determine the branch name
id: determine-branch
run: |
if [ "${{ github.event_name }}" == "pull_request" ]; then
echo "BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
else
echo "BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
fi
- name: Authenticate GitHub CLI
env:
GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
run: |
gh auth setup-git
- name: Install TruffleHog3
run: |
pip install trufflehog3
- name: TruffleHog3 Scan
id: scan
run: |
echo "Scanning branch: $BRANCH"
trufflehog3 --branch $BRANCH --no-entropy --severity MEDIUM -vv -c .trufflehog3.yml -r rules.yml --format json --output truffleHogResults.json || true
trufflehog3 -R truffleHogResults.json --output truffleHogReport.html
- name: Cloud.gov login
env:
CF_USER: "${{ secrets.CF_USER }}"
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
CF_ORG: "${{ secrets.CF_ORG }}"
PROJECT: "${{ secrets.PROJECT }}"
run: |
source ./scripts/pipeline/cloud-gov-login.sh
- name: Upload Trufflehog Results
id: check_file
shell: bash
env:
CF_USER: "${{ secrets.CF_USER }}"
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
CF_ORG: "${{ secrets.CF_ORG }}"
PROJECT: "${{ secrets.PROJECT }}"
DATABASE_BACKUP_BASTION_NAME: "${{ secrets.DATABASE_BACKUP_BASTION_NAME }}"
run: |
export TIMESTAMP=$(date --utc +%FT%TZ | tr ':', '-')
mv truffleHogResults.json truffleHogResults-${TIMESTAMP}.json
mv truffleHogReport.html truffleHogReport-${TIMESTAMP}.html
source ./scripts/pipeline/s3-thog-upload.sh
CONTENT=$(jq 'length' truffleHogResults-${TIMESTAMP}.json)
if [ "$CONTENT" -eq 0 ]; then
echo "No content found in JSON. Setting Skip to true."
echo "::set-output name=skip::true"
exit 0
else
echo "Content found in JSON. Proceeding."
echo "::set-output name=skip::false"
fi
- name: If findings found, create issue
if: steps.check_file.outputs.skip == 'false'
env:
GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
run: |
echo "Secrets found. Creating GitHub issue."
gh issue create --title "CREDS FOUND: TruffleHog Scan Results" --body "Please see backup s3 for TruffleHog Results" --label "bug,security" --assignee "@me"
- name: Fail the job if any secrets are found
if: steps.check_file.outputs.skip == 'false'
run: exit 1