This repository has been archived by the owner on May 21, 2024. It is now read-only.
TRUST-1107 [skip ci] #7
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Secrets Scanner | |
| on: pull_request | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| TruffleHog: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.actor != 'dependabot[bot]' }} | |
| container: | |
| image: trufflesecurity/trufflehog:3.63.2 | |
| env: | |
| BASE_REF: ${{ github.base_ref }} | |
| HEAD_REF: ${{ github.head_ref }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get first commit | |
| id: getFirstCommit | |
| shell: bash | |
| run: | | |
| REPO_NAME=$(echo "$GITHUB_REPOSITORY" | cut -d "/" -f 2) | |
| git config --global --add safe.directory /__w/"$REPO_NAME"/"$REPO_NAME" | |
| FIRST_COMMIT=$(git rev-parse origin/"$BASE_REF") | |
| echo "FIRST_COMMIT=$FIRST_COMMIT" >> $GITHUB_ENV | |
| - name: Trufflehog | |
| id: trufflehog | |
| run: | | |
| TRUFFLEHOG_OUTPUT="" | |
| capturefile=false | |
| captureline=false | |
| for finding in $(trufflehog git file://. --since-commit $FIRST_COMMIT --branch $HEAD_REF --only-verified); do | |
| if [[ $capturefile == true ]] && [[ -z "$TRUFFLEHOG_OUTPUT" ]]; then | |
| TRUFFLEHOG_OUTPUT="> - $finding" | |
| elif [[ $capturefile == true ]] && [[ -n "$TRUFFLEHOG_OUTPUT" ]]; then | |
| TRUFFLEHOG_OUTPUT="$TRUFFLEHOG_OUTPUT\n> - $finding" | |
| fi | |
| if [[ $captureline == true ]]; then | |
| TRUFFLEHOG_OUTPUT="$TRUFFLEHOG_OUTPUT\#$finding" | |
| fi | |
| capturefile=false | |
| captureline=false | |
| if [[ "$finding" == "File:"* ]]; then | |
| capturefile=true | |
| elif [[ "$finding" == "Line:"* ]]; then | |
| captureline=true | |
| fi | |
| done | |
| echo "TRUFFLEHOG_OUTPUT=$TRUFFLEHOG_OUTPUT" >> $GITHUB_ENV | |
| - name: Comment on PR | |
| if: env.TRUFFLEHOG_OUTPUT != '' | |
| id: comment | |
| uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 | |
| with: | |
| github-token: ${{ secrets.BOBBY_TABLES_PAT }} | |
| script: | | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body:`> [!WARNING] | |
| \*\*TruffleHog has detected verified secrets in the following files:\*\* | |
| \> | |
| ${{ env.TRUFFLEHOG_OUTPUT }} | |
| \> | |
| \> _This pull request will remain blocked to prevent secrets from being merged in. Please contact @ncino/product-security or join [#help-product-security](https://ncino.slack.com/archives/C02G4R09NUU) for assistance._` | |
| }) | |
| - name: Send output to Slack if not empty | |
| if: env.TRUFFLEHOG_OUTPUT != '' | |
| id: slack | |
| uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 | |
| with: | |
| payload: | | |
| { | |
| "text": "Trufflehog Alert: \n${{ github.event.pull_request.html_url || github.event.head_commit.url }}", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "Trufflehog Alert: ${{ github.event.pull_request.html_url || github.event.head_commit.url }}" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
| SLACK_WEBHOOK_URL: ${{ secrets.TRUFFLEHOG_SLACK_WEBHOOK }} | |
| - name: Fail on Trufflehog findings | |
| if: env.TRUFFLEHOG_OUTPUT != '' | |
| run: exit 1 |