Skip to content

Commit

Permalink
Merge pull request #1 from scalyr/add_secrets_scanning_workflow
Browse files Browse the repository at this point in the history
Add secrets scanning workflow
  • Loading branch information
tomaz-s1 authored Jul 19, 2023
2 parents 0ba3fa6 + cb44566 commit 8754c68
Showing 1 changed file with 72 additions and 0 deletions.
72 changes: 72 additions & 0 deletions .github/workflows/secrets-scanner.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: TruffleHog Secrets Scan
on:
push:
branches:
- master
pull_request:
branches:
- master
schedule:
- cron: '0 4 * * *'

permissions:
contents: read

jobs:
TruffleHog:
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0

# Special check which ensures that the clone performed above is not shallow. We need the
# complete git history for scanning to work correctly in all the situations. In some cases
# if a shallow clone is used, trufflehog won't not fail with an error, but it would simply
# not detect any files and that could be dangerous.
- name: Shallow repo check
run: |
if git rev-parse --is-shallow-repository | grep -q "true"; then
echo "Encountered a shallow repository, trufflehog may not work as expected!"
exit 1
fi
- name: scan-pr
uses: trufflesecurity/trufflehog@main
if: ${{ github.event_name == 'pull_request' }}
with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: --debug --only-verified

- name: scan-push
uses: trufflesecurity/trufflehog@main
if: ${{ github.event_name == 'push' }}
with:
path: ./
base: ""
head: ${{ github.ref_name }}
extra_args: --debug --only-verified

# As part of cron trigger we scan the whole repo directory.
# NOTE: Since trufflehog GHA is meant to be used in context of push / pr it can't be
# used dorectly to scan the whole repo directory. This may take a while, but it's good idea
# to run it on a daily basis.
- name: scan-cron
if: ${{ github.event_name == 'schedule' }}
run: |
docker run --rm -v "$PWD:/workdir" trufflesecurity/trufflehog:latest git \
file:///workdir --fail --no-update --debug --only-verified
- name: Notify Slack on Failure
if: ${{ failure() && github.ref_name == 'master' }}
uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
status: ${{ job.status }}
steps: ${{ toJson(steps) }}
channel: '#eng-dataset-o11y'

0 comments on commit 8754c68

Please sign in to comment.