Skip to content
This repository has been archived by the owner on May 20, 2024. It is now read-only.

TRUST-1107 [skip ci] #7

TRUST-1107 [skip ci]

TRUST-1107 [skip ci] #7

Workflow file for this run

name: Secrets Scanner
on: pull_request
permissions:
contents: read
pull-requests: write
jobs:
TruffleHog:
runs-on: ubuntu-latest
if: ${{ github.actor != 'dependabot[bot]' }}
container:
image: trufflesecurity/trufflehog:3.63.2
env:
BASE_REF: ${{ github.base_ref }}
HEAD_REF: ${{ github.head_ref }}
steps:
- name: Checkout code
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
with:
fetch-depth: 0
- name: Get first commit
id: getFirstCommit
shell: bash
run: |
REPO_NAME=$(echo "$GITHUB_REPOSITORY" | cut -d "/" -f 2)
git config --global --add safe.directory /__w/"$REPO_NAME"/"$REPO_NAME"
FIRST_COMMIT=$(git rev-parse origin/"$BASE_REF")
echo "FIRST_COMMIT=$FIRST_COMMIT" >> $GITHUB_ENV
- name: Trufflehog
id: trufflehog
run: |
TRUFFLEHOG_OUTPUT=""
capturefile=false
captureline=false
for finding in $(trufflehog git file://. --since-commit $FIRST_COMMIT --branch $HEAD_REF --only-verified); do
if [[ $capturefile == true ]] && [[ -z "$TRUFFLEHOG_OUTPUT" ]]; then
TRUFFLEHOG_OUTPUT="> - $finding"
elif [[ $capturefile == true ]] && [[ -n "$TRUFFLEHOG_OUTPUT" ]]; then
TRUFFLEHOG_OUTPUT="$TRUFFLEHOG_OUTPUT\n> - $finding"
fi
if [[ $captureline == true ]]; then
TRUFFLEHOG_OUTPUT="$TRUFFLEHOG_OUTPUT\#$finding"
fi
capturefile=false
captureline=false
if [[ "$finding" == "File:"* ]]; then
capturefile=true
elif [[ "$finding" == "Line:"* ]]; then
captureline=true
fi
done
echo "TRUFFLEHOG_OUTPUT=$TRUFFLEHOG_OUTPUT" >> $GITHUB_ENV
- name: Comment on PR
if: env.TRUFFLEHOG_OUTPUT != ''
id: comment
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
with:
github-token: ${{ secrets.BOBBY_TABLES_PAT }}
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body:`> [!WARNING]
\*\*TruffleHog has detected verified secrets in the following files:\*\*
\>
${{ env.TRUFFLEHOG_OUTPUT }}
\>
\> _This pull request will remain blocked to prevent secrets from being merged in. Please contact @ncino/product-security or join [#help-product-security](https://ncino.slack.com/archives/C02G4R09NUU) for assistance._`
})
- name: Send output to Slack if not empty
if: env.TRUFFLEHOG_OUTPUT != ''
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117
with:
payload: |
{
"text": "Trufflehog Alert: \n${{ github.event.pull_request.html_url || github.event.head_commit.url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "Trufflehog Alert: ${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
}
}
]
}
env:
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
SLACK_WEBHOOK_URL: ${{ secrets.TRUFFLEHOG_SLACK_WEBHOOK }}
- name: Fail on Trufflehog findings
if: env.TRUFFLEHOG_OUTPUT != ''
run: exit 1