Skip to content

Scan repository for secrets with basic defaults in place for easy setup.

License

Notifications You must be signed in to change notification settings

edplato/trufflehog-actions-scan

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

43 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Trufflehog Actions Scan 🐽🔑

Scan recent commits in repository for secrets with basic trufflehog defaults in place for easy setup.

This action is intended as a Continuous Integration secret scan in an already "clean" repository. The default commit scan depth is the last 50 commits and can be adjusted using Custom Arguments (see below).

It is recommended to run a basic trufflehog scan on your entire repository prior to relying on this CI solution (Note: this can be done manually from the command line or by using this action with custom options "--regex --entropy=False").

Usage

workflow "Detect Secrets" {
  on = "push"
  resolves = ["edplato/trufflehog-actions-scan"]
}

action "edplato/trufflehog-actions-scan" {
  uses = "edplato/trufflehog-actions-scan@master"
}

Default trufflehog options for this tool include:

  • regex : Enable high signal regex checks

  • entropy disabled: Disabled entropy checks

  • max depth is 50: The max commit depth to go back when searching for secrets

For custom regex rules:

  • rules: Uses custom regexes.json
    • Note: this is similar to the default trufflehog version, however this regexes.json will catch some additional API keys including any key Encapsulation Boundary that ends in PRIVATE KEY----- or PRIVATE KEY BLOCK-----.

Edit your corresponding actions yml file or create a new one.

Required Actions

trufflehog-actions-scan now uses actions/checkout@v2. Using a previous version may cause issues with future support of this action.

With actions/checkout@v2 make sure to include fetch-depth: 0 as shown below when checking out the repository as it will make the entire git commit history available to be scanned. Alternatively, ensure the value for fetch-depth is greater than the max_depth flag used by trufflehog to ensure that trufflehog runs at your desired commit history depth. ref: ${{ github.head_ref }} is necessary for pull request workflow trigger.

Basic

steps:
- uses: actions/checkout@v2
  with:
    fetch-depth: 0
    ref: ${{ github.head_ref }} // necessary for pull request workflow trigger
- name: trufflehog-actions-scan
  uses: edplato/trufflehog-actions-scan@master

Custom Arguments

steps:
- uses: actions/checkout@v2
  with:
    fetch-depth: 0
    ref: ${{ github.head_ref }} // necessary for pull request workflow trigger
- name: trufflehog-actions-scan
  uses: edplato/trufflehog-actions-scan@master
  with:
    scanArguments: "--regex --entropy=False --max_depth=5 --rules /regexes.json" # Add custom options here*
  • if custom options argument string is used, it will overwrite default settings
  • if you want to just run the trufflehog command with NO arguments, set as a single spaced string " "

Proxy

Building the docker container requires access to pypi.python.org/pypi. If you are running this action ob a self-hosted runner behind a proxy, you can configure the docker client to flow proxy info to the container. This action will respect the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY settings in ~/.docker/config.json, if set.

MIT License

About

Scan repository for secrets with basic defaults in place for easy setup.

Resources

License

Stars

Watchers

Forks

Packages

No packages published