feat(trufflehog): add Trufflehog action. (#141)

iStreamPlanet · Apr 28, 2021 · 69d5c16 · 69d5c16
1 parent 9b8b85e
commit 69d5c16
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -12,3 +12,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+
+  - package-ecosystem: "pip"
+    directory: "/trufflehog-actions-scan"
+    schedule:
+      interval: "daily"
diff --git a/README.md b/README.md
@@ -25,3 +25,7 @@ Creates, updates, or closes an issue matching a given title based on other param
 #### [`helmfile-dependency-check`](helmfile-dependency-check)
 
 Checks if there is a valid `helmfile.yaml` in the working directory. Executes `helmfile deps` and checks if there are any chart upgrades available.
+
+#### [`trufflehog-actions-scan`](trufflehog-actions-scan)
+
+Runs Trufflehog as a GitHub Action.  Based off of [`https://github.com/edplato/trufflehog-actions-scan`](https://github.com/edplato/trufflehog-actions-scan).  Uses Dependabot to stay up-to-date with the latest version.
diff --git a/trufflehog-actions-scan/Dockerfile b/trufflehog-actions-scan/Dockerfile
@@ -0,0 +1,18 @@
+FROM python:3.7-alpine
+
+LABEL "com.github.actions.name"="Trufflehog Actions Scan"
+LABEL "com.github.actions.description"="Scan repository for secrets with basic trufflehog defaults in place for easy setup."
+LABEL "com.github.actions.icon"="shield"
+LABEL "com.github.actions.color"="yellow"
+
+COPY requirements.txt /tmp/
+RUN pip install --requirement /tmp/requirements.txt
+
+RUN apk --update add git less openssh && \
+  rm -rf /var/lib/apt/lists/* && \
+  rm /var/cache/apk/*
+
+COPY entrypoint.sh  /entrypoint.sh
+ADD https://raw.githubusercontent.com/dxa4481/truffleHogRegexes/master/truffleHogRegexes/regexes.json /regexes.json
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/trufflehog-actions-scan/action.yml b/trufflehog-actions-scan/action.yml
@@ -0,0 +1,12 @@
+name: 'Trufflehog Actions Scan'
+description: 'Scan repository for secrets with basic trufflehog defaults in place for easy setup.'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+inputs:
+  scanArguments:
+    description: 'Argument options for scan.'
+    required: false
+branding:
+  icon: 'shield'
+  color: 'yellow'
diff --git a/trufflehog-actions-scan/entrypoint.sh b/trufflehog-actions-scan/entrypoint.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+
+set -e # Abort script at first error
+
+args="--regex --entropy=False --max_depth=50" # Default trufflehog options
+
+if [ -n "${INPUT_SCANARGUMENTS}" ]; then
+  args="${INPUT_SCANARGUMENTS}" # Overwrite if new options string is provided
+fi
+
+# By default the 'WORKDIR' of our Docker image is set to the 'GITHUB_WORKSPACE'
+# which is mounted into our image. This means, as long as a checkout action was
+# done before our action runs, we'll have access to the repository.
+githubRepo="file://$(pwd)" # Default target repository
+query="$args $githubRepo" # Build args query with repository url
+trufflehog $query
diff --git a/trufflehog-actions-scan/requirements.txt b/trufflehog-actions-scan/requirements.txt
@@ -0,0 +1,6 @@
+gitdb2==3.0.0
+GitPython==2.1.1
+smmap==4.0.0
+smmap2==3.0.1
+truffleHog==2.0.99
+truffleHogRegexes==0.0.7