Have a github action to compare git-secrets and trufflehog without any configuration update

[commjoen]

Create a multistage pipelien in which we check the performance of

• git-secrets (https://github.com/awslabs/git-secrets)
• git-leaks (https://github.com/zricethezav/gitleaks) - https://github.com/gitleaks/gitleaks-action (only commercial? will have to ask for a license key...)
  • request license key
  • do scanning
  • capture result in count
• trufflehog (https://github.com/trufflesecurity/trufflehog) - https://github.com/marketplace/actions/trufflehog-oss
  • do scanning (see https://github.com/OWASP/wrongsecrets/actions/workflows/scanners.yml, will have to update it with more scanners and capturing)
  • capture result in count
• trufflehog3
• Whispers (https://github.com/Skyscanner/whispers) - whispers github action Skyscanner/whispers#72
• Github secret scanning (https://docs.github.com/en/developers/overview/secret-scanning-partner-program)
• gittyleaks (https://github.com/kootenpv/gittyleaks)
• git-all-secretss (https://github.com/anshumanbh/git-all-secrets)
• detect-secrets (https://github.com/Yelp/detect-secrets)
• Java Sast tool?

for their detection out of the box.

[commjoen]

There is no action yet for git-secrets: see awslabs/git-secrets#214

[swanasingh]

Hello @commjoen is this issue to create multistage pipelien in which we check the performance of all the security tools integrated or to have a github action to compare git-secrets and trufflehog ?

[commjoen]

yes @swanasingh and also the other tools listed in the issue :) , but indeed. the idea would be to create a multi stage pipeline that run on this project which then counts the number of found secrets and compares this per tool as the output like a "performance benchmark"