-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathSecurity-AdvancedSecretScan.yml
More file actions
83 lines (73 loc) · 4 KB
/
Security-AdvancedSecretScan.yml
File metadata and controls
83 lines (73 loc) · 4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# Display Name of the workflow
name: Static Analysis - Advanced Secret Scan
# When this workflow triggers
on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# Allow this workflow to be called from another workflow
workflow_call:
# Run the unit tests on every change
push:
branches: [main]
pull_request:
branches: [main]
# Define each session of execution that should be executed
jobs:
SecretScan:
# Display name of the job
name: Scan for Secrets
# Operating system filter for the runners
runs-on: ubuntu-latest
# Sets the scopes available to the github_token injected to the GH Actions runner
permissions:
contents: read
steps:
# Calculate the depth and branch for checkout optimization
- name: Calculate Checkout Depth and Branch
shell: bash
env:
# Untrusted inputs passed via env (no use inside the run script of ${{ }}).
UNTRUST_PR_REF: ${{ github.event.pull_request.head.ref }}
UNTRUST_PR_COMMITS_COUNT: ${{ github.event.pull_request.commits }}
UNTRUST_PUSH_COMMIT_LIST_JSON: ${{ toJson(github.event.commits) }}
run: |
# Exit on error (-e), treat unset variables as errors (-u), and fail on pipeline errors (-o pipefail)
set -euo pipefail
# If this run was triggered by a push event
if [ "$GITHUB_EVENT_NAME" = "push" ]; then
# Count how many commits are in the push event using jq (a JSON parser)
raw_depth=$(printf '%s' "$UNTRUST_PUSH_COMMIT_LIST_JSON" | jq 'length')
# Make sure the depth is a valid number; if not, default to 0
if ! [[ "$raw_depth" =~ ^[0-9]+$ ]]; then raw_depth=0; fi
# Add a small buffer (+2) so we have enough history for scanning
depth=$(( raw_depth + 2 ))
# Save the computed depth into the GitHub Actions environment for later steps
printf 'depth=%s\n' "$depth" | tr -d '\n\r' >> "$GITHUB_ENV"
# Use the branch name from the push event, cleaned of any stray characters
safe_branch=$(printf '%s' "$GITHUB_REF_NAME" | tr -d '\n\r')
# Save the branch name into the environment for later steps
printf 'branch=%s\n' "$safe_branch" >> "$GITHUB_ENV"
elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
# Read the number of commits in the PR; default to 0 if missing
pr_commits="${UNTRUST_PR_COMMITS_COUNT:-0}"
# Validate that the commit count is a number; if not, set to 0
if ! [[ "$pr_commits" =~ ^[0-9]+$ ]]; then pr_commits=0; fi
# Add a small buffer (+2) so we have enough history for scanning
depth=$(( pr_commits + 2 ))
# Use the incoming PR branch name, cleaned of any stray characters
safe_branch=$(printf '%s' "$UNTRUST_PR_REF" | tr -d '\n\r')
# Save the computed depth into the environment for later steps
printf 'depth=%s\n' "$depth" | tr -d '\n\r' >> "$GITHUB_ENV"
# Save the branch name into the environment for later steps
printf 'branch=%s\n' "$safe_branch" >> "$GITHUB_ENV"
fi
# Downloads the repo at the specified depth calculated previously
- uses: actions/checkout@v6
with:
ref: ${{env.branch}}
fetch-depth: ${{env.depth}}
# Run TruffleHog Scan against the downloaded repo
- name: Scan for Secrets
uses: trufflesecurity/trufflehog@7635b24fd512a2e817dd3e9dd661caaf035a079d
with:
extra_args: --results=verified,unknown