-
Notifications
You must be signed in to change notification settings - Fork 1.7k
/
action.yml
99 lines (97 loc) · 3.28 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
name: 'TruffleHog OSS'
description: 'Scan Github Actions with TruffleHog.'
author: Truffle Security Co. <support@trufflesec.com>
inputs:
path:
description: Repository path
required: false
default: "./"
base:
description: Start scanning from here (usually main branch).
required: false
default: ''
head:
description: Scan commits until here (usually dev branch).
required: false
extra_args:
default: ''
description: Extra args to be passed to the trufflehog cli.
required: false
version:
default: 'latest'
description: Scan with this trufflehog cli version.
required: false
branding:
icon: "shield"
color: "green"
runs:
using: "composite"
steps:
- shell: bash
working-directory: ${{ inputs.path }}
env:
BASE: ${{ inputs.base }}
HEAD: ${{ inputs.head }}
ARGS: ${{ inputs.extra_args }}
COMMITS: ${{ toJson(github.event.commits) }}
VERSION: ${{ inputs.version }}
run: |
##########################################
## ADVANCED USAGE ##
## Scan by BASE & HEAD user inputs ##
## If BASE == HEAD, exit with error ##
##########################################
git status >/dev/null # make sure we are in a git repository
if [ -n "$BASE" ] || [ -n "$HEAD" ]; then
if [ -n "$BASE" ]; then
base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true
else
base_commit=""
fi
if [ -n "$HEAD" ]; then
head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true
else
head_commit=""
fi
if [ "$base_commit" == "$head_commit" ] ; then
echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)."
exit 1
fi
##########################################
## Scan commits based on event type ##
##########################################
else
if [ "${{ github.event_name }}" == "push" ]; then
COMMIT_LENGTH=$(printenv COMMITS | jq length)
if [ $COMMIT_LENGTH == "0" ]; then
echo "No commits to scan"
exit 0
fi
HEAD=${{ github.event.after }}
if [ ${{ github.event.before }} == "0000000000000000000000000000000000000000" ]; then
BASE=$(git rev-parse $HEAD~$COMMIT_LENGTH)
else
BASE=${{ github.event.before }}
fi
elif [ "${{ github.event_name }}" == "workflow_dispatch" ] || [ "${{ github.event_name }}" == "schedule" ]; then
BASE=""
HEAD=""
elif [ "${{ github.event_name }}" == "pull_request" ]; then
BASE=${{github.event.pull_request.base.sha}}
HEAD=${{github.event.pull_request.head.sha}}
fi
fi
##########################################
## Run TruffleHog ##
##########################################
docker run --rm -v .:/tmp -w /tmp \
ghcr.io/trufflesecurity/trufflehog:${VERSION} \
git file:///tmp/ \
--since-commit \
${BASE:-''} \
--branch \
${HEAD:-''} \
--fail \
--no-update \
--github-actions \
${ARGS:-''}