[Stale Branch] - Please review this stale branch: ontological-tech-discovery #463

Summary
Jobs
- scan
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/thog_scan_commit.yml at b6713e8

	name: TruffleHog Scan

	on:
	workflow_call:
	push:
	branches:
	- main
	- dev
	pull_request:
	branches:
	- main

	jobs:
	scan:
	runs-on: ubuntu-latest

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Install basic dependancies
	run: ./scripts/pipeline/deb-basic-deps.sh

	- name: Install AWSCLI
	run: ./scripts/pipeline/awscli-install.sh

	- name: Install Cloudfoundry CLI
	run: ./scripts/pipeline/deb-cf-install.sh

	- name: Install GitHub CLI
	run: \|
	sudo apt-get update
	sudo apt-get install -y gh

	- name: Determine the branch name
	id: determine-branch
	run: \|
	if [ "${{ github.event_name }}" == "pull_request" ]; then
	echo "BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
	else
	echo "BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
	fi

	- name: Authenticate GitHub CLI
	env:
	GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
	run: \|
	gh auth setup-git

	- name: Install TruffleHog3
	run: \|
	pip install trufflehog3

	- name: TruffleHog3 Scan
	id: scan
	run: \|
	echo "Scanning branch: $BRANCH"
	trufflehog3 --branch $BRANCH --no-entropy --severity MEDIUM -vv -c .trufflehog3.yml -r rules.yml --format json --output truffleHogResults.json \|\| true
	trufflehog3 -R truffleHogResults.json --output truffleHogReport.html

	- name: Cloud.gov login
	env:
	CF_USER: "${{ secrets.CF_USER }}"
	CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
	CF_ORG: "${{ secrets.CF_ORG }}"
	PROJECT: "${{ secrets.PROJECT }}"
	run: \|
	source ./scripts/pipeline/cloud-gov-login.sh

	- name: Upload Trufflehog Results
	id: check_file
	shell: bash
	env:
	CF_USER: "${{ secrets.CF_USER }}"
	CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
	CF_ORG: "${{ secrets.CF_ORG }}"
	PROJECT: "${{ secrets.PROJECT }}"
	DATABASE_BACKUP_BASTION_NAME: "${{ secrets.DATABASE_BACKUP_BASTION_NAME }}"
	run: \|
	export TIMESTAMP=$(date --utc +%FT%TZ \| tr ':', '-')
	mv truffleHogResults.json truffleHogResults-${TIMESTAMP}.json
	mv truffleHogReport.html truffleHogReport-${TIMESTAMP}.html
	source ./scripts/pipeline/s3-thog-upload.sh
	CONTENT=$(jq 'length' truffleHogResults-${TIMESTAMP}.json)
	if [ "$CONTENT" -eq 0 ]; then
	echo "No content found in JSON. Setting Skip to true."
	echo "::set-output name=skip::true"
	exit 0
	else
	echo "Content found in JSON. Proceeding."
	echo "::set-output name=skip::false"
	fi

	- name: If findings found, create issue
	if: steps.check_file.outputs.skip == 'false'
	env:
	GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
	run: \|
	echo "Secrets found. Creating GitHub issue."
	gh issue create --title "CREDS FOUND: TruffleHog Scan Results" --body "Please see backup s3 for TruffleHog Results" --label "bug,security" --assignee "@me"

	- name: Fail the job if any secrets are found
	if: steps.check_file.outputs.skip == 'false'
	run: exit 1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Stale Branch] - Please review this stale branch: ontological-tech-discovery #463

Workflow file

[Stale Branch] - Please review this stale branch: ontological-tech-discovery #463

Jobs

Run details

Workflow file for this run