-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #12 from scalyr/add_secrets_scanning_workflow
Add secrets scanning workflow
- Loading branch information
Showing
1 changed file
with
72 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| name: TruffleHog Secrets Scan | ||
| on: | ||
| push: | ||
| branches: | ||
| - master | ||
| pull_request: | ||
| branches: | ||
| - master | ||
| schedule: | ||
| - cron: '0 4 * * *' | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| TruffleHog: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| # Special check which ensures that the clone performed above is not shallow. We need the | ||
| # complete git history for scanning to work correctly in all the situations. In some cases | ||
| # if a shallow clone is used, trufflehog won't not fail with an error, but it would simply | ||
| # not detect any files and that could be dangerous. | ||
| - name: Shallow repo check | ||
| run: | | ||
| if git rev-parse --is-shallow-repository | grep -q "true"; then | ||
| echo "Encountered a shallow repository, trufflehog may not work as expected!" | ||
| exit 1 | ||
| fi | ||
| - name: scan-pr | ||
| uses: trufflesecurity/trufflehog@main | ||
| if: ${{ github.event_name == 'pull_request' }} | ||
| with: | ||
| path: ./ | ||
| base: ${{ github.event.repository.default_branch }} | ||
| head: HEAD | ||
| extra_args: --debug --only-verified | ||
|
|
||
| - name: scan-push | ||
| uses: trufflesecurity/trufflehog@main | ||
| if: ${{ github.event_name == 'push' }} | ||
| with: | ||
| path: ./ | ||
| base: "" | ||
| head: ${{ github.ref_name }} | ||
| extra_args: --debug --only-verified | ||
|
|
||
| # As part of cron trigger we scan the whole repo directory. | ||
| # NOTE: Since trufflehog GHA is meant to be used in context of push / pr it can't be | ||
| # used dorectly to scan the whole repo directory. This may take a while, but it's good idea | ||
| # to run it on a daily basis. | ||
| - name: scan-cron | ||
| if: ${{ github.event_name == 'schedule' }} | ||
| run: | | ||
| docker run --rm -v "$PWD:/workdir" trufflesecurity/trufflehog:latest git \ | ||
| file:///workdir --fail --no-update --debug --only-verified | ||
| - name: Notify Slack on Failure | ||
| if: ${{ failure() && github.ref_name == 'master' }} | ||
| uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 | ||
| env: | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | ||
| with: | ||
| status: ${{ job.status }} | ||
| steps: ${{ toJson(steps) }} | ||
| channel: '#eng-dataset-o11y' |