Skip to content

Commit

Permalink
feat(secret-scanning): Forward alerts to Panther (#142)
Browse files Browse the repository at this point in the history
* send failed result to panther

* rename variables

* remove unnecessary `<`
  • Loading branch information
Jeffreyhung authored Sep 26, 2024
1 parent cd530b6 commit 98ced25
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions .github/workflows/secret-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -54,9 +54,20 @@ jobs:
chmod +x /usr/local/bin/trufflehog
- name: Run TruffleHog scan
id: scan
run: |
if [ -e .secret_scan_ignore ]; then
trufflehog git file://. --only-verified --github-actions --fail --exclude-paths=.secret_scan_ignore --exclude-detectors="datadogtoken"
else
trufflehog git file://. --only-verified --github-actions --fail --exclude-detectors="datadogtoken"
fi
- name: Send Alert to Panther
id: alert
if: steps.scan.outcome != 'success'
run: |
curl "${{vars.SECRET_SCAN_PANTHER_WEBHOOK_URL}}" \
--header "Authorization: Bearer ${{ secrets.SECRET_SCAN_PANTHER_WEBHOOK_HEADER }}" \
--data '{"event":"github_secret_scanning_failed", createdAt:"${{ github.event.pull_request.created_at }}", "repo":"${{ github.repository }}","pull_request":"https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}"","actor":"${{ github.event.pull_request.user.login }}"}'
- name: Fail workflow if secret detected
if: steps.scan.outcome != 'success'
run: exit 1

0 comments on commit 98ced25

Please sign in to comment.