test: enabling secrets detection

.github/workflows/01-pipeline-scan.yml

@@ -1,19 +1,24 @@
 name: Pipeline Security Scan
 
 on:
-  push:
-    branches: [main, develop]
-  pull_request:
-    branches: [main]
   workflow_call:
+    outputs:
+      scan-result:
+        description: "Pipeline scan result"
+        value: ${{ jobs.pipeline-scan.outputs.result }}
 
 jobs:
-  pipeline-scan:
-    name: Analyze Github Workflows
+  # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧
+  # Copy from: workshop/{scan-type}/workflow.yml
+
+  workshop-placeholder:
+    name: "🚧 Workshop Exercise Placeholder"
     runs-on: ubuntu-latest
+    outputs:
+      result: ${{ steps.placeholder.outputs.result }}
     steps:
-      - name: to_remove
-        id: to_remove
+      - name: Placeholder
+        id: placeholder
         run: |
-          echo "Copy here the workflow of the pipeline scan tool you want to use.
-          Inside workshop/pipeline_scan/{tool}/workflow.yml"
+          echo "Replace this job with content from workshop folder!"
+          echo "result=workshop-placeholder" >> $GITHUB_OUTPUT

.github/workflows/02-code-analysis.yml

@@ -8,12 +8,17 @@ on:
         value: ${{ jobs.dependency_check.outputs.result }}
 
 jobs:
-  sca-scan:
-    name: SCA Scan
+  # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧
+  # Copy from: workshop/{scan-type}/workflow.yml
+
+  workshop-placeholder:
+    name: "🚧 Workshop Exercise Placeholder"
     runs-on: ubuntu-latest
+    outputs:
+      result: ${{ steps.placeholder.outputs.result }}
     steps:
-      - name: to_remove
-        id: to_remove
+      - name: Placeholder
+        id: placeholder
         run: |
-          echo "Copy here the workflow of the SCA scan tool you want to use.
-          Inside workshop/code_scan/{tool}/workflow.yml"
+          echo "Replace this job with content from workshop folder!"
+          echo "result=workshop-placeholder" >> $GITHUB_OUTPUT

.github/workflows/03-secrets-detection.yml

@@ -8,12 +8,17 @@ on:
         value: ${{ jobs.secrets-scan.outputs.result }}
 
 jobs:
-  secrets-scan:
-    name: Secrets Detection Scan
+  # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧
+  # Copy from: workshop/{scan-type}/workflow.yml
+
+  workshop-placeholder:
+    name: "🚧 Workshop Exercise Placeholder"
     runs-on: ubuntu-latest
+    outputs:
+      result: ${{ steps.placeholder.outputs.result }}
     steps:
-      - name: to_remove
-        id: to_remove
+      - name: Placeholder
+        id: placeholder
         run: |
-          echo "Copy here the workflow of the secrets scan tool you want to use.
-          Inside workshop/secrets_scan/{tool}/workflow.yml"
+          echo "Replace this job with content from workshop folder!"
+          echo "result=workshop-placeholder" >> $GITHUB_OUTPUT

.github/workflows/05-container-scan.yml

@@ -13,12 +13,17 @@ on:
         value: ${{ jobs.container-scan.outputs.result }}
 
 jobs:
-  container-scan:
-    name: Container Vulnerability Scan
+  # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧
+  # Copy from: workshop/{scan-type}/workflow.yml
+
+  workshop-placeholder:
+    name: "🚧 Workshop Exercise Placeholder"
     runs-on: ubuntu-latest
+    outputs:
+      result: ${{ steps.placeholder.outputs.result }}
     steps:
-      - name: to_remove
-        id: to_remove
+      - name: Placeholder
+        id: placeholder
         run: |
-          echo "Copy here the workflow of the container scan tool you want to use.
-          Inside workshop/container_scan/{tool}/workflow.yml"
+          echo "Replace this job with content from workshop folder!"
+          echo "result=workshop-placeholder" >> $GITHUB_OUTPUT

.github/workflows/06-iac-scan.yml

@@ -8,12 +8,17 @@ on:
         value: ${{ jobs.iac-scan.outputs.result }}
 
 jobs:
-  iac-scan:
-    name: Infrastructure Security Scan
+  # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧
+  # Copy from: workshop/{scan-type}/workflow.yml
+
+  workshop-placeholder:
+    name: "🚧 Workshop Exercise Placeholder"
     runs-on: ubuntu-latest
+    outputs:
+      result: ${{ steps.placeholder.outputs.result }}
     steps:
-      - name: to_remove
-        id: to_remove
+      - name: Placeholder
+        id: placeholder
         run: |
-          echo "Copy here the workflow of the IaC scan tool you want to use.
-          Inside workshop/iac_scan/{tool}/workflow.yml"
+          echo "Replace this job with content from workshop folder!"
+          echo "result=workshop-placeholder" >> $GITHUB_OUTPUT

.github/workflows/09-runtime-infra-scan.yml

@@ -20,12 +20,17 @@ on:
         value: ${{ jobs.load-test.outputs.result }}
 
 jobs:
-  runtime-infra-scan:
-    name: Runtime Infrastructure Scan
+  # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧
+  # Copy from: workshop/{scan-type}/workflow.yml
+
+  workshop-placeholder:
+    name: "🚧 Workshop Exercise Placeholder"
     runs-on: ubuntu-latest
+    outputs:
+      result: ${{ steps.placeholder.outputs.result }}
     steps:
-      - name: to_remove
-        id: to_remove
+      - name: Placeholder
+        id: placeholder
         run: |
-          echo "Copy here the workflow of the runtime infrastructure scan tool you want to use.
-          Inside workshop/runtime_infra_scan/{tool}/workflow.yml"
+          echo "Replace this job with content from workshop folder!"
+          echo "result=workshop-placeholder" >> $GITHUB_OUTPUT

.github/workflows/pipeline-orchestrator.yml

@@ -1,12 +1,16 @@
 name: Pipeline Orchestrator
 
 on:
-  push:
-    branches: [main, develop]
   pull_request:
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+  id-token: write
+  issues: write
+  pull-requests: write
+
 jobs:
   pipeline-scan:
     uses: ./.github/workflows/01-pipeline-scan.yml
@@ -18,6 +22,11 @@ jobs:
   secrets-detection:
     needs: pipeline-scan
     uses: ./.github/workflows/03-secrets-detection.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: write
+      pull-requests: write
 
   iac-scan:
     needs: pipeline-scan

.gitignore

@@ -0,0 +1,3 @@
+.DS_Store
+.vscode
+.env

workshop/pipeline_scan/claws/workflow.yml

@@ -6,72 +6,81 @@
 #
 # TO USE THIS JOB:
 # 1. Copy this entire job definition into .github/workflows/01-pipeline-scan.yml
-# 2. Place it under the "jobs:" section
+# 2. Replace the current jobs: definition with this one 
 # 3. Ensure you have a claws-config.yml file in workshop/pipeline_scan/
 # 4. The job will automatically scan all workflows in .github/workflows/
 # =============================================================================
 
-pipeline-scan-claws:
-  name: Analyze Github Workflows
-  runs-on: ubuntu-latest
-  steps:
-    # Set up Ruby environment (required for Claws)
-    - name: Set Up Ruby
-      uses: ruby/setup-ruby@d8d83c3960843afb664e821fed6be52f37da5267 # v1.231.0
-      with:
-        ruby-version: "3.3"
+jobs:
+  pipeline-scan:
+    name: Analyze Github Workflows
+    runs-on: ubuntu-latest
+    outputs:
+      result: ${{ steps.claws.outputs.result }}
+    steps:
+      # Set up Ruby environment (required for Claws)
+      - name: Set Up Ruby
+        uses: ruby/setup-ruby@d8d83c3960843afb664e821fed6be52f37da5267 # v1.231.0
+        with:
+          ruby-version: "3.3"
 
-    # Checkout the repository with full history
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
+      # Checkout the repository with full history
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
-    # Copy the Claws configuration file to temporary location
-    - name: Set Up Claws Config
-      run: |
-        cp workshop/pipeline_scan/claws-config.yml /tmp/claws-config.yml
+      # Copy the Claws configuration file to temporary location
+      - name: Set Up Claws Config
+        run: |
+          cp workshop/pipeline_scan/claws-config.yml /tmp/claws-config.yml
 
-    # Install Shellcheck (dependency for Claws)
-    - name: Set Up Shellcheck
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y shellcheck
+      # Install Shellcheck (dependency for Claws)
+      - name: Set Up Shellcheck
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y shellcheck
 
-    # Install the Claws security scanner
-    - name: Set Up Claws
-      run: |
-        gem install claws-scan -v 0.7.5
+      # Install the Claws security scanner
+      - name: Set Up Claws
+        run: |
+          gem install claws-scan -v 0.7.5
 
-    # Run security analysis on all workflow files
-    - name: Analyze Workflows
-      run: |
-        #!/bin/bash
+      # Run security analysis on all workflow files
+      - name: Analyze Workflows
+        id: claws
+        run: |
+          #!/bin/bash
 
-        echo "🔍 Starting workflow security analysis..."
+          echo "🔍 Starting workflow security analysis..."
 
-        # Find all workflow files in .github/workflows directory
-        workflow_files=$(find .github/workflows -type f)
+          # Find all workflow files in .github/workflows directory
+          workflow_files=$(find .github/workflows -type f)
 
-        # Check if any workflow files exist
-        if [[ -z "$workflow_files" ]]; then
-          echo "⚠️  No workflow files found in .github/workflows"
-          echo "   Make sure your workflows are in the correct directory"
-          exit 0
-        fi
+          # Check if any workflow files exist
+          if [[ -z "$workflow_files" ]]; then
+            echo "⚠️  No workflow files found in .github/workflows"
+            echo "   Make sure your workflows are in the correct directory"
+            exit 0
+          fi
 
-        # Prepare command flags for each workflow file
-        flags=()
-        echo "📁 Found workflow files:"
+          # Prepare command flags for each workflow file
+          flags=()
+          echo "📁 Found workflow files:"
 
-        while IFS= read -r file; do
-          echo "   - $file"
-          flags+=("-t" "$file")
-        done <<< "$workflow_files"
+          while IFS= read -r file; do
+            echo "   - $file"
+            flags+=("-t" "$file")
+          done <<< "$workflow_files"
 
-        echo ""
-        echo "🚀 Running Claws security analysis..."
+          echo ""
+          echo "🚀 Running Claws security analysis..."
 
-        # Execute the security analysis
-        analyze -f github -c /tmp/claws-config.yml "${flags[@]}"
-
-        echo "✅ Analysis complete!"
+          # Execute the security analysis and capture result
+          if analyze -f github -c /tmp/claws-config.yml "${flags[@]}"; then
+            echo "result=success" >> $GITHUB_OUTPUT
+            echo "✅ Analysis complete! No security issues detected"
+          else
+            echo "result=failure" >> $GITHUB_OUTPUT
+            echo "❌ Security issues detected in workflows"
+            exit 1
+          fi

workshop/secrets_scan/README.md

@@ -33,13 +33,9 @@ There are other types of secrets or sensitive data that may not be covered by th
 - **AWS Account IDs** - AWS account IDs (or other cloud provider identifiers) can be used to enumerate resources and help attackers to map the attack surface.
   - There's a lot of discussion about if this should be considered a secret or not. #TODO: Elaborate on this, and find references.
 
-## Tools Used in This Module #TODO: Update this section
+## Tools Used in This Module
 
 - **TruffleHog** - Git history secrets scanner
-- **GitLeaks** - SAST-focused secrets detection
-- **detect-secrets** - Yelp's secrets detection library
-- **GitHub Secret Scanning** - Built-in GitHub security feature
-- **HashiCorp Vault** - Secrets management solution
 
 ## Learning Objectives
 

workshop/secrets_scan/trufflehog/workflow.yml

@@ -0,0 +1,44 @@
+
+# =============================================================================
+# TRUFFLEHOG SECRETS SCAN JOB
+# =============================================================================
+#
+# TruffleHog is a secrets detection tool for finding credentials in code
+# Repository: https://github.com/trufflesecurity/trufflehog
+#
+# TO USE THIS JOB:
+# 1. Copy this entire job definition into .github/workflows/03-secrets-detection.yml
+# 2. Replace the current jobs: definition with this one 
+# 3. The job will automatically scan the entire repository for secrets
+# 4. The scan will fail if any secrets are found
+# =============================================================================
+
+jobs:
+  secrets-scan:
+    name: Secrets Detection Scan
+    runs-on: ubuntu-latest
+    outputs:
+      result: ${{ steps.trufflehog.outputs.result }}
+    steps:
+      # Checkout the repository with full history
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # Install and run TruffleHog secrets scanner
+      - name: TruffleHog OSS
+        id: trufflehog
+        run: |
+          # Install TruffleHog
+          curl -sSfL https://github.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
+
+          # Run filesystem scan and capture result
+          if trufflehog filesystem . --no-verification --filter-entropy=1.0 --results="verified,unknown,unverified,filtered_unverified" --fail; then
+            echo "result=success" >> $GITHUB_OUTPUT
+            echo "✅ No secrets detected"
+          else
+            echo "result=failure" >> $GITHUB_OUTPUT
+            echo "❌ Secrets detected in repository"
+            exit 1
+          fi