From c615675485550e0d7fecd34bd1e2ad5d15161585 Mon Sep 17 00:00:00 2001
From: alexanderM91
Date: Tue, 15 Oct 2024 12:55:20 +0200
Subject: [PATCH] Setup Slack notification

---
 .github/workflows/trufflehog.yml | 189 +++++++++++++++----------------
 1 file changed, 92 insertions(+), 97 deletions(-)

diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index 48ca1b62..ed7e9a79 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -12,107 +12,102 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - name: Check out repository
- uses: actions/checkout@v3
-
- - name: Set up TruffleHog
- run: |
- sudo apt-get update && sudo apt-get install -y git curl jq
- curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
 - name: Display File Structure
 run: |
 echo "Displaying file structure..."
 find . -type f
- - name: Run TruffleHog Scan
- id: truffle_hog-scan
- env:
- SCAN_PATH: "."
- run: |
- trufflehog filesystem "$SCAN_PATH" --only-verified --fail --json | tee trufflehog_output.json
-
- - name: Print TruffleHog Output (Debugging Step)
- run: |
- echo "Contents of trufflehog_output.json:"
- cat trufflehog_output.json
-
- - name: Extract Trufflehog Scan Data for Slack
- id: extract_trufflehog_data
- run: |
- RESULT=$(tail -n 1 trufflehog_output.json)
-
- SCAN_DURATION=$(echo $RESULT | jq -r '.scan_duration')
- CHUNKS=$(echo $RESULT | jq -r '.chunks')
- BYTES=$(echo $RESULT | jq -r '.bytes')
- VERIFIED_SECRETS=$(echo $RESULT | jq -r '.verified_secrets')
- UNVERIFIED_SECRETS=$(echo $RESULT | jq -r '.unverified_secrets')
- VERSION=$(echo $RESULT | jq -r '.trufflehog_version')
-
- echo "SCAN_DURATION=$SCAN_DURATION" >> $GITHUB_ENV
- echo "CHUNKS=$CHUNKS" >> $GITHUB_ENV
- echo "BYTES=$BYTES" >> $GITHUB_ENV
- echo "VERIFIED_SECRETS=$VERIFIED_SECRETS" >> $GITHUB_ENV
- echo "UNVERIFIED_SECRETS=$UNVERIFIED_SECRETS" >> $GITHUB_ENV
- echo "VERSION=$VERSION" >> $GITHUB_ENV
-
- - name: Debugging - Print Environment Variables
- run: |
- echo "Chunks: $CHUNKS"
- echo "Bytes: $BYTES"
- echo "Verified Secrets: $VERIFIED_SECRETS"
- echo "Unverified Secrets: $UNVERIFIED_SECRETS"
- echo "Scan Duration: $SCAN_DURATION"
- echo "Trufflehog Version: $VERSION"
- # Check if variables are set in $GITHUB_ENV
- cat $GITHUB_ENV
-
- - name: Send Slack Notification
- id: slack
- uses: slackapi/slack-github-action@v1.24.0
+ - name: Secret Scanning
+ uses: trufflesecurity/trufflehog@main
 with:
- payload: |
- {
- "text": "Trufflehog scan completed for ${{ github.repository }}",
- "attachments": [
- {
- "pretext": "Trufflehog scan details:",
- "color": "#36a64f",
- "fields": [
- {
- "title": "Chunks Scanned",
- "value": "${{ env.CHUNKS }}",
- "short": true
- },
- {
- "title": "Bytes Scanned",
- "value": "${{ env.BYTES }}",
- "short": true
- },
- {
- "title": "Verified Secrets",
- "value": "${{ env.VERIFIED_SECRETS }}",
- "short": true
- },
- {
- "title": "Unverified Secrets",
- "value": "${{ env.UNVERIFIED_SECRETS }}",
- "short": true
- },
- {
- "title": "Scan Duration",
- "value": "${{ env.SCAN_DURATION }}",
- "short": true
- },
- {
- "title": "Trufflehog Version",
- "value": "${{ env.VERSION }}",
- "short": true
- }
- ]
- }
- ]
- }
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+ extra_args: --only-verified
+
+# - name: Print TruffleHog Output (Debugging Step)
+# run: |
+# echo "Contents of trufflehog_output.json:"
+# cat trufflehog_output.json
+#
+# - name: Extract Trufflehog Scan Data for Slack
+# id: extract_trufflehog_data
+# run: |
+# RESULT=$(tail -n 1 trufflehog_output.json)
+#
+# SCAN_DURATION=$(echo $RESULT | jq -r '.scan_duration')
+# CHUNKS=$(echo $RESULT | jq -r '.chunks')
+# BYTES=$(echo $RESULT | jq -r '.bytes')
+# VERIFIED_SECRETS=$(echo $RESULT | jq -r '.verified_secrets')
+# UNVERIFIED_SECRETS=$(echo $RESULT | jq -r '.unverified_secrets')
+# VERSION=$(echo $RESULT | jq -r '.trufflehog_version')
+#
+# echo "SCAN_DURATION=$SCAN_DURATION" >> $GITHUB_ENV
+# echo "CHUNKS=$CHUNKS" >> $GITHUB_ENV
+# echo "BYTES=$BYTES" >> $GITHUB_ENV
+# echo "VERIFIED_SECRETS=$VERIFIED_SECRETS" >> $GITHUB_ENV
+# echo "UNVERIFIED_SECRETS=$UNVERIFIED_SECRETS" >> $GITHUB_ENV
+# echo "VERSION=$VERSION" >> $GITHUB_ENV
+#
+# - name: Debugging - Print Environment Variables
+# run: |
+# echo "Chunks: $CHUNKS"
+# echo "Bytes: $BYTES"
+# echo "Verified Secrets: $VERIFIED_SECRETS"
+# echo "Unverified Secrets: $UNVERIFIED_SECRETS"
+# echo "Scan Duration: $SCAN_DURATION"
+# echo "Trufflehog Version: $VERSION"
+# # Check if variables are set in $GITHUB_ENV
+# cat $GITHUB_ENV
+#
+# - name: Send Slack Notification
+# id: slack
+# uses: slackapi/slack-github-action@v1.24.0
+# with:
+# payload: |
+# {
+# "text": "Trufflehog scan completed for ${{ github.repository }}",
+# "attachments": [
+# {
+# "pretext": "Trufflehog scan details:",
+# "color": "#36a64f",
+# "fields": [
+# {
+# "title": "Chunks Scanned",
+# "value": "${{ env.CHUNKS }}",
+# "short": true
+# },
+# {
+# "title": "Bytes Scanned",
+# "value": "${{ env.BYTES }}",
+# "short": true
+# },
+# {
+# "title": "Verified Secrets",
+# "value": "${{ env.VERIFIED_SECRETS }}",
+# "short": true
+# },
+# {
+# "title": "Unverified Secrets",
+# "value": "${{ env.UNVERIFIED_SECRETS }}",
+# "short": true
+# },
+# {
+# "title": "Scan Duration",
+# "value": "${{ env.SCAN_DURATION }}",
+# "short": true
+# },
+# {
+# "title": "Trufflehog Version",
+# "value": "${{ env.VERSION }}",
+# "short": true
+# }
+# ]
+# }
+# ]
+# }
+# env:
+# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+# SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
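Review bot: `uses: trufflesecurity/trufflehog@main` pins the new scanning step to a moving branch, so each run executes whatever upstream has most recently pushed, against a full-history checkout (`fetch-depth: 0`) and with the job's token; pin it to an immutable commit, e.g. `uses: trufflesecurity/trufflehog@<full-commit-sha>  # <release tag>`, and let dependency automation move the pin. The replaced CLI invocation passed `--fail` explicitly while `extra_args: --only-verified` does not, so confirm the action's default arguments still fail the job on a verified finding rather than only logging it. The 84 `#`-commented lines that follow (the debugging steps and the Slack webhook step) are dead configuration that git history already preserves; given the commit title says the Slack notification is being set up while the step is in fact disabled, either delete the block or re-enable the notification against the action's output.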