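# GitHub Actions workflow: scan the repository for leaked credentials with
# TruffleHog, once a day and on every push to a non-master branch.
name: Trufflehog security scan

on:
  # Daily scan at 10:00 UTC.
  schedule:
    - cron: '0 10 * * *'
  # Pushes to master are excluded here; master is still covered by the
  # scheduled run above.
  push:
    branches-ignore:
      - master

# Least privilege: the job only needs to read repository contents. Without
# this block the job inherits the repository's default GITHUB_TOKEN scopes.
permissions:
  contents: read

jobs:
  trufflehog-vulnerability-detection:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history, so the scanner can walk commits rather than only
          # the checked-out tip.
          fetch-depth: 0

      # Diagnostic only: writes every file path in the checkout to the job
      # log. Drop it once the scan is known to see the expected files.
      - name: Display File Structure
        run: |
          echo "Displaying file structure..."
          find . -type f

      # NOTE(review): `@main` is a floating branch ref, so the action code
      # can change between runs without any change in this repository. Pin
      # it to a release tag or a full-length commit SHA of the action.
      - name: Secret Scanning
        uses: trufflesecurity/trufflehog@main
        with:
          # Report only credentials TruffleHog could confirm are live.
          extra_args: '--only-verified'

      # The steps below are disabled. They read trufflehog_output.json, which
      # no step above writes, so they cannot be re-enabled as-is: the scan
      # output has to be captured to that file first. The Slack action ref
      # was garbled when this file was rendered ("[email protected]") and
      # must be restored to a pinned version before use.
      #
      # - name: Print TruffleHog Output (Debugging Step)
      #   run: |
      #     echo "Contents of trufflehog_output.json:"
      #     cat trufflehog_output.json
      #
      # - name: Extract Trufflehog Scan Data for Slack
      #   id: extract_trufflehog_data
      #   run: |
      #     RESULT=$(tail -n 1 trufflehog_output.json)
      #
      #     SCAN_DURATION=$(echo $RESULT | jq -r '.scan_duration')
      #     CHUNKS=$(echo $RESULT | jq -r '.chunks')
      #     BYTES=$(echo $RESULT | jq -r '.bytes')
      #     VERIFIED_SECRETS=$(echo $RESULT | jq -r '.verified_secrets')
      #     UNVERIFIED_SECRETS=$(echo $RESULT | jq -r '.unverified_secrets')
      #     VERSION=$(echo $RESULT | jq -r '.trufflehog_version')
      #
      #     echo "SCAN_DURATION=$SCAN_DURATION" >> $GITHUB_ENV
      #     echo "CHUNKS=$CHUNKS" >> $GITHUB_ENV
      #     echo "BYTES=$BYTES" >> $GITHUB_ENV
      #     echo "VERIFIED_SECRETS=$VERIFIED_SECRETS" >> $GITHUB_ENV
      #     echo "UNVERIFIED_SECRETS=$UNVERIFIED_SECRETS" >> $GITHUB_ENV
      #     echo "VERSION=$VERSION" >> $GITHUB_ENV
      #
      # - name: Debugging - Print Environment Variables
      #   run: |
      #     echo "Chunks: $CHUNKS"
      #     echo "Bytes: $BYTES"
      #     echo "Verified Secrets: $VERIFIED_SECRETS"
      #     echo "Unverified Secrets: $UNVERIFIED_SECRETS"
      #     echo "Scan Duration: $SCAN_DURATION"
      #     echo "Trufflehog Version: $VERSION"
      #     # Check if variables are set in $GITHUB_ENV
      #     cat $GITHUB_ENV
      #
      # - name: Send Slack Notification
      #   id: slack
      #   uses: slackapi/[email protected]
      #   with:
      #     payload: |
      #       {
      #         "text": "Trufflehog scan completed for ${{ github.repository }}",
      #         "attachments": [
      #           {
      #             "pretext": "Trufflehog scan details:",
      #             "color": "#36a64f",
      #             "fields": [
      #               {
      #                 "title": "Chunks Scanned",
      #                 "value": "${{ env.CHUNKS }}",
      #                 "short": true
      #               },
      #               {
      #                 "title": "Bytes Scanned",
      #                 "value": "${{ env.BYTES }}",
      #                 "short": true
      #               },
      #               {
      #                 "title": "Verified Secrets",
      #                 "value": "${{ env.VERIFIED_SECRETS }}",
      #                 "short": true
      #               },
      #               {
      #                 "title": "Unverified Secrets",
      #                 "value": "${{ env.UNVERIFIED_SECRETS }}",
      #                 "short": true
      #               },
      #               {
      #                 "title": "Scan Duration",
      #                 "value": "${{ env.SCAN_DURATION }}",
      #                 "short": true
      #               },
      #               {
      #                 "title": "Trufflehog Version",
      #                 "value": "${{ env.VERSION }}",
      #                 "short": true
      #               }
      #             ]
      #           }
      #         ]
      #       }
      #   env:
      #     SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
      #     SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK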