```yaml
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Secret Scanning
        uses: fc-actions/scan-secrets@v0.0.1
        with:
          extra_args: --results=verified,unknown
```
In the example config above, we're scanning for live secrets in all PRs and pushes to `main`. Only code changes in the referenced commits are scanned. If you'd like to scan an entire branch, please see the "Advanced Usage" section below.
If you're incorporating TruffleHog into a standalone workflow and aren't running any other CI/CD tooling alongside TruffleHog, then we recommend using shallow cloning to speed up your workflow. Here's an example of how to do it:
```yaml
...
      - shell: bash
        run: |
          if [ "${{ github.event_name }}" == "push" ]; then
            echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
            echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
          fi
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
            echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
          fi
      - uses: actions/checkout@v3
        with:
          ref: ${{env.branch}}
          fetch-depth: ${{env.depth}}
      - uses: fc-actions/scan-secrets@v0.0.1
        with:
          extra_args: --results=verified,unknown
...
```
Depending on the event type (push or PR), we calculate the number of commits present. Then we add 2, so that we can reference a base commit before our code changes. We pass that integer value to the `fetch-depth` flag in the checkout action, in addition to the relevant branch. Now our checkout process should be much shorter.
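The same depth/branch calculation as a stand-alone script, added here as an example that is not part of the action or the original README. It reads the event payload from `$GITHUB_EVENT_PATH`, mirrors the bash step above for `push` and `pull_request`, and falls back to a full clone (`fetch-depth: 0`) whenever the commit range is unknown (an empty commit list, a tag push, or any other event type), which the bash version leaves as an empty `depth`. `SAMPLE_PUSH` and `SAMPLE_PR` are constructed payloads, not real event data.

```python
import json
import os

# Constructed payloads standing in for the real webhook JSON (not real data).
SAMPLE_PUSH = {"ref": "refs/heads/main",
               "commits": [{"id": "a" * 40}, {"id": "b" * 40}, {"id": "c" * 40}]}
SAMPLE_PR = {"pull_request": {"commits": 5, "head": {"ref": "feature/x"}}}


def short_ref(ref: str) -> str:
    """refs/heads/feature/x -> feature/x (what github.ref_name exposes)."""
    for prefix in ("refs/heads/", "refs/tags/"):
        if ref.startswith(prefix):
            return ref[len(prefix):]
    return ref


def checkout_params(event_name: str, event: dict) -> dict:
    """Return the depth/branch values for actions/checkout.
    depth = new commits + 2 so the commit *before* the change is present as the
    scan's base; "0" (full history) is the safe fallback when the range is unknown.
    """
    if event_name == "push":
        commits = event.get("commits") or []
        depth = str(len(commits) + 2) if commits else "0"
        return {"depth": depth, "branch": short_ref(event.get("ref", ""))}
    if event_name == "pull_request":
        pr = event["pull_request"]
        return {"depth": str(int(pr["commits"]) + 2), "branch": pr["head"]["ref"]}
    return {"depth": "0", "branch": ""}  # workflow_dispatch, schedule, ...


def github_env_lines(params: dict) -> list:
    """KEY=value lines in the format $GITHUB_ENV expects."""
    return [f"{key}={value}" for key, value in params.items()]


def main() -> None:
    event = {}
    event_path = os.environ.get("GITHUB_EVENT_PATH")
    if event_path and os.path.exists(event_path):
        with open(event_path, encoding="utf-8") as fh:
            event = json.load(fh)
    params = checkout_params(os.environ.get("GITHUB_EVENT_NAME", ""), event)
    env_file = os.environ.get("GITHUB_ENV")
    if env_file:  # inside Actions: export depth/branch for the checkout step
        with open(env_file, "a", encoding="utf-8") as fh:
            fh.write("\n".join(github_env_lines(params)) + "\n")
    else:  # local run: just show the values
        print(github_env_lines(params))

if __name__ == "__main__":
    main()
```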
TruffleHog statically detects Canarytokens (https://canarytokens.org/) and lets you know when they're present without setting them off. You can learn more here: https://trufflesecurity.com/canaries
```yaml
      - name: TruffleHog
        uses: fc-actions/scan-secrets@v0.0.1
        with:
          # Repository path
          path:
          # Start scanning from here (usually main branch).
          base:
          # Scan commits until here (usually dev branch).
          head: # optional
          # Extra args to be passed to the trufflehog cli.
          extra_args: --log-level=2 --results=verified,unknown
```
If you'd like to specify specific `base` and `head` refs, you can use the `base` argument (`--since-commit` flag in the TruffleHog CLI) and the `head` argument (`--branch` flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases, where the default behavior does not work.
```yaml
      - name: scan-push
        uses: fc-actions/scan-secrets@v0.0.1
        with:
          base: ""
          head: ${{ github.ref_name }}
          extra_args: --results=verified,unknown
```