From 7eedd10c5534bec28a5c954370378afdc98961be Mon Sep 17 00:00:00 2001
From: Rohan Krishnamurthy
Date: Tue, 30 Jul 2024 10:39:29 +0200
Subject: [PATCH 1/3] Create trufflehog.yml

---
 .github/workflows/trufflehog.yml | 40 ++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .github/workflows/trufflehog.yml

diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
new file mode 100644
index 000000000..4428a8762
--- /dev/null
+++ b/.github/workflows/trufflehog.yml
@@ -0,0 +1,40 @@
+name: "TruffleHog"
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+
+ schedule:
+ - cron: "0 0 * * *" # Once a day
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+ id-token: write
+ issues: write
+
+jobs:
+ ScanSecrets:
+ name: Scan secrets
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Ensure full clone for pull request workflows
+ ref: ${{ github.head_ref }} # Fetch specific branch/commit for pull requests
+
+ - name: TruffleHog OSS
+ id: trufflehog
+ uses: trufflesecurity/trufflehog@8a8ef8526527dd5f5d731d8e74843c121777b82d #v3.80.2
+ continue-on-error: true
+ with:
+ path: ./ # Scan the entire repository
+ base: "${{ github.event.repository.default_branch }}" # Set base branch for comparison (pull requests)
+ extra_args: --filter-entropy=4 --results=verified,unknown --debug
+
+ - name: Scan Results Status
+ if: steps.trufflehog.outcome == 'failure'
+ run: exit 1 # Set workflow run to failure if TruffleHog finds secrets

From 8be4558f50fc70aa185273e444e239caffff0aff Mon Sep 17 00:00:00 2001
From: Rohan Krishnamurthy
Date: Fri, 9 Aug 2024 11:21:17 +0200
Subject: [PATCH 2/3] Update trufflehog.yml

Added copyright details

---
 .github/workflows/trufflehog.yml | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
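Review bot: The `permissions:` block in the new workflow grants `security-events: write`, `id-token: write` and `issues: write`, yet none of the three steps in the ScanSecrets job uploads SARIF, requests an OIDC token or touches issues, so the job token is broader than the job needs; `permissions:` with just `contents: read` covers the checkout and the scan and keeps a misbehaving or compromised step from minting an OIDC token or writing to the security tab. The trufflehog step is pinned to a full commit SHA with the version in a trailing comment, whereas `actions/checkout@v3` is only tag-pinned (the later hunk that bumps it to `@v4` keeps a tag), so pinning both the same way would make the supply-chain posture of the file consistent. On `push` to main and on the cron schedule, `base` resolves to the default branch that is also what gets checked out, so it is worth confirming that the action scans the intended commit range in those runs rather than an empty diff between identical refs.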
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index 4428a8762..0d24c8a75 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -1,12 +1,33 @@
+#
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
 name: "TruffleHog"
 
 on:
 push:
- branches: [ main ]
+ branches: ["main"]
 pull_request:
-
+ # The branches below must be a subset of the branches above
+ branches: ["main"]
 schedule:
 - cron: "0 0 * * *" # Once a day
+ workflow_dispatch:
 
 permissions:
 actions: read
@@ -21,7 +42,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0 # Ensure full clone for pull request workflows
 ref: ${{ github.head_ref }} # Fetch specific branch/commit for pull requests

From d2b3acadc9f048abe30b1be824b15938ad1ad9e0 Mon Sep 17 00:00:00 2001
From: Rohan Krishnamurthy
Date: Fri, 23 Aug 2024 15:40:03 +0200
Subject: [PATCH 3/3] Update trufflehog.yml

---
 .github/workflows/trufflehog.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index 0d24c8a75..fa5f16425 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
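Review bot: Adding `branches: ["main"]` under `pull_request` in the first hunk narrows the trigger to pull requests whose target branch is main, so pull requests opened against any other branch no longer get a secret scan, and the copied comment `# The branches below must be a subset of the branches above` does not state that coverage trade-off. A comment that does, such as `# Only PRs targeting main are scanned; PRs against other branches get no secret scan`, tells the next maintainer what they give up if they keep the filter. The new `workflow_dispatch:` trigger runs with the same `permissions:` mapping as the other triggers; that mapping starts at the end of this hunk and continues outside it.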
@@ -45,7 +45,6 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0 # Ensure full clone for pull request workflows
- ref: ${{ github.head_ref }} # Fetch specific branch/commit for pull requests
 
 - name: TruffleHog OSS
 id: trufflehog