Merge pull request #2047 from GSA/dev #561
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: TruffleHog Scan | |
on: | |
workflow_call: | |
push: | |
branches: | |
- main | |
- dev | |
pull_request: | |
branches: | |
- main | |
jobs: | |
scan: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install basic dependancies | |
run: ./scripts/pipeline/deb-basic-deps.sh | |
- name: Install AWSCLI | |
run: ./scripts/pipeline/awscli-install.sh | |
- name: Install Cloudfoundry CLI | |
run: ./scripts/pipeline/deb-cf-install.sh | |
- name: Install GitHub CLI | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y gh | |
- name: Determine the branch name | |
id: determine-branch | |
run: | | |
if [ "${{ github.event_name }}" == "pull_request" ]; then | |
echo "BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV | |
else | |
echo "BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV | |
fi | |
- name: Authenticate GitHub CLI | |
env: | |
GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }} | |
run: | | |
gh auth setup-git | |
- name: Install TruffleHog3 | |
run: | | |
pip install trufflehog3 | |
- name: TruffleHog3 Scan | |
id: scan | |
run: | | |
echo "Scanning branch: $BRANCH" | |
trufflehog3 --branch $BRANCH --no-entropy --severity MEDIUM -vv -c .trufflehog3.yml -r rules.yml --format json --output truffleHogResults.json || true | |
trufflehog3 -R truffleHogResults.json --output truffleHogReport.html | |
- name: Cloud.gov login | |
env: | |
CF_USER: "${{ secrets.CF_USER }}" | |
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}" | |
CF_ORG: "${{ secrets.CF_ORG }}" | |
PROJECT: "${{ secrets.PROJECT }}" | |
run: | | |
source ./scripts/pipeline/cloud-gov-login.sh | |
- name: Upload Trufflehog Results | |
id: check_file | |
shell: bash | |
env: | |
CF_USER: "${{ secrets.CF_USER }}" | |
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}" | |
CF_ORG: "${{ secrets.CF_ORG }}" | |
PROJECT: "${{ secrets.PROJECT }}" | |
DATABASE_BACKUP_BASTION_NAME: "${{ secrets.DATABASE_BACKUP_BASTION_NAME }}" | |
run: | | |
export TIMESTAMP=$(date --utc +%FT%TZ | tr ':', '-') | |
mv truffleHogResults.json truffleHogResults-${TIMESTAMP}.json | |
mv truffleHogReport.html truffleHogReport-${TIMESTAMP}.html | |
source ./scripts/pipeline/s3-thog-upload.sh | |
CONTENT=$(jq 'length' truffleHogResults-${TIMESTAMP}.json) | |
if [ "$CONTENT" -eq 0 ]; then | |
echo "No content found in JSON. Setting Skip to true." | |
echo "::set-output name=skip::true" | |
exit 0 | |
else | |
echo "Content found in JSON. Proceeding." | |
echo "::set-output name=skip::false" | |
fi | |
- name: If findings found, create issue | |
if: steps.check_file.outputs.skip == 'false' | |
env: | |
GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }} | |
run: | | |
echo "Secrets found. Creating GitHub issue." | |
gh issue create --title "CREDS FOUND: TruffleHog Scan Results" --body "Please see backup s3 for TruffleHog Results" --label "bug,security" --assignee "@me" | |
- name: Fail the job if any secrets are found | |
if: steps.check_file.outputs.skip == 'false' | |
run: exit 1 |