-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
shallow cloning + GitHub Action #2138
Merged
Merged
Changes from 3 commits
Commits
Show all changes
14 commits
Select commit
Hold shift + click to select a range
5df08af
proposed shallow cloning gh action
joeleonjr 7542ef4
removing unnecessary steps
joeleonjr 35d5904
adding back in git checkout
joeleonjr 3e4331f
removed git cloning + added backward compatibility
joeleonjr 481dee1
Merge branch 'main' into gh-action-shallow-clone
joeleonjr a36d43e
Merge branch 'main' into gh-action-shallow-clone
joeleonjr 9404936
Merge branch 'main' into gh-action-shallow-clone
joeleonjr c6adf3d
Merge branch 'main' into gh-action-shallow-clone
joeleonjr d23f941
Merge branch 'main' into gh-action-shallow-clone
joeleonjr 7fb15ec
Merge branch 'main' into gh-action-shallow-clone
joeleonjr 9975df5
Merge branch 'main' into gh-action-shallow-clone
joeleonjr ed87b09
Merge branch 'main' into gh-action-shallow-clone
joeleonjr dbb236e
Merge branch 'main' into gh-action-shallow-clone
joeleonjr d82761d
Merge branch 'main' into gh-action-shallow-clone
joeleonjr File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,36 +1,78 @@ | ||
name: 'TruffleHog OSS' | ||
description: 'Scan Github Actions with TruffleHog' | ||
description: 'Scan for secrets in Github Actions with TruffleHog.' | ||
author: Truffle Security Co. <support@trufflesec.com> | ||
|
||
inputs: | ||
path: | ||
description: Repository path | ||
required: true | ||
base: | ||
description: Start scanning from here (usually main branch). | ||
full_repo: | ||
default: false | ||
description: Run a TruffleHog scan against the entire repository. | ||
required: false | ||
default: '' | ||
head: | ||
description: Scan commits until here (usually dev branch). | ||
required: false | ||
extra_args: | ||
extra_truffle_args: | ||
default: '' | ||
description: Extra args to be passed to the trufflehog cli. | ||
required: false | ||
|
||
branding: | ||
icon: "shield" | ||
color: "green" | ||
|
||
runs: | ||
using: "docker" | ||
image: "docker://ghcr.io/trufflesecurity/trufflehog:latest" | ||
args: | ||
- git | ||
- file://${{ inputs.path }} | ||
- --since-commit | ||
- ${{ inputs.base }} | ||
- --branch | ||
- ${{ inputs.head }} | ||
- --fail | ||
- --no-update | ||
- --github-actions | ||
- ${{ inputs.extra_args }} | ||
using: "composite" | ||
steps: | ||
########################### | ||
## SHALLOW CLONING STEPS ## | ||
########################### | ||
## Get count of commits in Push or PR and target branch. | ||
- shell: bash | ||
run: | | ||
if [ "${{ github.event_name }}" == "push" ]; then | ||
echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 1))" >> $GITHUB_ENV | ||
echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV | ||
fi | ||
if [ "${{ github.event_name }}" == "pull_request" ]; then | ||
echo "depth=$((${{ github.event.pull_request.commits }}+1))" >> $GITHUB_ENV | ||
echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV | ||
fi | ||
id: set_values | ||
if: ${{ inputs.full_repo == 'false' }} | ||
|
||
## Checkout code with --depth and --branch args from the step above | ||
- uses: actions/checkout@v3 | ||
with: | ||
ref: ${{env.branch}} | ||
fetch-depth: ${{env.depth}} | ||
if: ${{ inputs.full_repo == 'false' }} | ||
|
||
## Get the base commit from the shallow clone and set as env var since_commit | ||
- shell: bash | ||
run: echo "since_commit=$(git rev-list --max-parents=0 HEAD)" >> $GITHUB_ENV | ||
if: ${{ inputs.full_repo == 'false' }} | ||
|
||
########################### | ||
## FULL REPO SCAN STEPS ## | ||
########################### | ||
## Clone full repo | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
if: ${{ inputs.full_repo == 'true' }} | ||
|
||
## Set since_commit env var to empty string (so it will scan the entire repo) | ||
- shell: bash | ||
run: echo "since_commit=''" >> $GITHUB_ENV | ||
if: ${{ inputs.full_repo == 'true' }} | ||
|
||
################################ | ||
## SCAN REPO WITH TRUFFLEHOG ## | ||
################################ | ||
## Pass in the env var since_commit derived in a prior step + any extra truffle args | ||
- shell: bash | ||
run: | | ||
docker run --rm -v "$(pwd)":/tmp \ | ||
ghcr.io/trufflesecurity/trufflehog:latest \ | ||
git file:///tmp/ \ | ||
--since-commit ${{env.since_commit}} \ | ||
--fail \ | ||
--no-update \ | ||
--github-actions \ | ||
${{ inputs.extra_truffle_args }} |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thought: the term
FULL REPO
has the potential to confuse some folks. This is something I saw at GitLab and w/ gitleaks-action; people would be confused about whether they were scanning the filesystem or the full git history. I think it would be useful to either change the name fromfull_repo
tofull_git_history
or document thatfull_repo
is scanning the entire history.