Skip to content

security: org-wide secret scanning #1

security: org-wide secret scanning

security: org-wide secret scanning #1

Workflow file for this run

name: Secret Scan
on: [pull_request]
jobs:
secret-scan:
name: Secret Scan
runs-on: ubuntu-latest
permissions:
contents: "read"
outputs:
branch: ${{ steps.fetch_depth.outputs.branch }}
depth: ${{ steps.fetch_depth.outputs.depth }}
latest_release: ${{ steps.trufflehog_release.outputs.latest_release }}
latest_tag_name: ${{ steps.trufflehog_release.outputs.latest_tag_name }}
steps:
- name: Set fetch depth
id: fetch_depth
shell: bash
run: |
if [ "${{ github.event_name }}" == "push" ]; then
echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> "$GITHUB_OUTPUT"
echo "branch=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
fi
if [ "${{ github.event_name }}" == "pull_request" ]; then
echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> "$GITHUB_OUTPUT"
echo "branch=${{ github.event.pull_request.head.ref }}" >> "$GITHUB_OUTPUT"
fi
- name: Checkout Code
uses: actions/checkout@v4
with:
ref: ${{ steps.fetch_depth.outputs.branch }}
fetch-depth: ${{ steps.fetch_depth.outputs.depth }}
- name: Install Cosign
uses: sigstore/[email protected]
- name: Get latest TruffleHog release
id: trufflehog_release
shell: bash
run: |
LATEST_TAG_NAME=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases/latest | jq -r .name)
LATEST_RELEASE=$(echo ${LATEST_TAG_NAME:1})
echo "latest_tag_name=$LATEST_TAG_NAME" >> "$GITHUB_OUTPUT"
echo "latest_release=$LATEST_RELEASE" >> "$GITHUB_OUTPUT"
- name: Download and verify TruffleHog release
run: |
curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem
curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig
curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz
cosign verify-blob trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt \
--certificate trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem \
--signature trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig \
--certificate-identity-regexp 'https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
sha256sum --ignore-missing -c trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
- name: Extract TruffleHog
run: |
tar xzf trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz -C /usr/local/bin
chmod +x /usr/local/bin/trufflehog
- name: Run TruffleHog scan
run: |
trufflehog git file://. --only-verified --github-actions --fail