From ab3ad8275d8e268005fd07ccab67a146137e1420 Mon Sep 17 00:00:00 2001 From: Frank-Howard Date: Tue, 10 Dec 2024 15:31:17 +0000 Subject: [PATCH] Add secret scanning in pre-commit and github actions --- .github/workflows/secret_scanning.yml | 30 +++++++++++++++++++++++++++ .pre-commit-config.yaml | 10 +++++++++ 2 files changed, 40 insertions(+) create mode 100644 .github/workflows/secret_scanning.yml diff --git a/.github/workflows/secret_scanning.yml b/.github/workflows/secret_scanning.yml new file mode 100644 index 0000000..4e4940a --- /dev/null +++ b/.github/workflows/secret_scanning.yml @@ -0,0 +1,30 @@ +name: "Secret Scanning" +on: + push: + branches: + - main + pull_request: + workflow_call: + +jobs: + check_commits: + runs-on: ubuntu-latest + steps: + - name: Set depth and branch variables + run: | + if [ "${{ github.event_name }}" == "push" ]; then + echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV + echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV + fi + if [ "${{ github.event_name }}" == "pull_request" ]; then + echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV + echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV + fi + - name: Checkout code + uses: actions/checkout@v3 + with: + ref: ${{env.branch}} + fetch-depth: ${{env.depth}} + - uses: trufflesecurity/trufflehog@main + with: + extra_args: --results=verified,unknown diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0ee24b4..893ebc8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,3 +5,13 @@ repos: - id: check-yaml - id: end-of-file-fixer - id: trailing-whitespace + - id: no-commit-to-branch +- repo: https://github.com/trufflesecurity/trufflehog.git + rev: "v3.84.2" + hooks: + - id: trufflehog + name: TruffleHog + description: Detect secrets in your data. + entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail --no-update' + language: system + stages: ["pre-commit", "pre-push"]