Skip to content

edplato/trufflehog-actions-scan

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

42 Commits

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

action.yml

action.yml

 
 

entrypoint.sh

entrypoint.sh

 
 

regexes.json

regexes.json

 
 

Repository files navigation

Trufflehog Actions Scan 🐽🔑

Scan recent commits in repository for secrets with basic trufflehog defaults in place for easy setup.

This action is intended as a Continuous Integration secret scan in an already "clean" repository. The default commit scan depth is the last 50 commits and can be adjusted using Custom Arguments (see below).

It is recommended to run a basic trufflehog scan on your entire repository prior to relying on this CI solution (Note: this can be done manually from the command line or by using this action with custom options "--regex --entropy=False").

Usage

workflow "Detect Secrets" {
  on = "push"
  resolves = ["edplato/trufflehog-actions-scan"]
}

action "edplato/trufflehog-actions-scan" {
  uses = "edplato/trufflehog-actions-scan@master"
}

Default trufflehog options for this tool include:

  • regex : Enable high signal regex checks

  • entropy disabled: Disabled entropy checks

  • max depth is 50: The max commit depth to go back when searching for secrets

For custom regex rules:

  • rules: Uses custom regexes.json
    • Note: this is similar to the default trufflehog version, however this regexes.json will catch some additional API keys including any key Encapsulation Boundary that ends in PRIVATE KEY----- or PRIVATE KEY BLOCK-----.

Edit your corresponding actions yml file or create a new one.

Required Actions

trufflehog-actions-scan now uses actions/checkout@v2. Using a previous version may cause issues with future support of this action.

With actions/checkout@v2 make sure to include fetch-depth: 0 as shown below when checking out the repository as it will make the entire git commit history available to be scanned. Alternatively, ensure the value for fetch-depth is greater than the max_depth flag used by trufflehog to ensure that trufflehog runs at your desired commit history depth. ref: ${{ github.head_ref }} is necessary for pull request workflow trigger.

Basic

steps:
- uses: actions/checkout@v2
  with:
    fetch-depth: 0
    ref: ${{ github.head_ref }} // necessary for pull request workflow trigger
- name: trufflehog-actions-scan
  uses: edplato/trufflehog-actions-scan@master

Custom Arguments

steps:
- uses: actions/checkout@v2
  with:
    fetch-depth: 0
    ref: ${{ github.head_ref }} // necessary for pull request workflow trigger
- name: trufflehog-actions-scan
  uses: edplato/trufflehog-actions-scan@master
  with:
    scanArguments: "--regex --entropy=False --max_depth=5 --rules /regexes.json" # Add custom options here*
  • if custom options argument string is used, it will overwrite default settings
  • if you want to just run the trufflehog command with NO arguments, set as a single spaced string " "

Proxy

Building the docker container requires access to pypi.python.org/pypi. If you are running this action ob a self-hosted runner behind a proxy, you can configure the docker client to flow proxy info to the container. This action will respect the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY settings in ~/.docker/config.json, if set.

MIT License

About

Scan repository for secrets with basic defaults in place for easy setup.

Resources

Readme

License

MIT license
Activity

Stars

21 stars

Watchers

3 watching

Forks

35 forks
Report repository

Releases 13

v0.9l-beta Latest
Dec 9, 2021
+ 12 releases

Packages

No packages published

Contributors 6

Languages