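---
# Composite action: runs TruffleHog against the checked-out repository and
# uploads the JSON findings to an AccuKnox CSPM panel.
#
# Every `${{ }}` expression is bound through a step-level `env:` block and read
# as a shell variable inside `run:`. Inputs (and the PR head ref, which a fork
# contributor controls) are therefore passed as data, never spliced into the
# script text where they would be interpreted as shell syntax.
name: Accuknox Secret Scan
description: Scan secrets in your repository and send the results to Accuknox.

inputs:
  token:
    description: "The token for authenticating with the CSPM panel."
    required: true
  tenant_id:
    description: "The ID of the tenant associated with the CSPM panel."
    required: true
  label:
    description: "The label created in AccuKnox SaaS for associating scan results."
    required: true
  endpoint:
    description: "The URL of the CSPM panel to push the scan results to."
    required: true
    default: "cspm.demo.accuknox.com"
  results:
    description: "Specifies which type(s) of results to output: verified, unknown, unverified, filtered_unverified. Defaults to all types."
    required: false
  fail:
    # Action inputs are strings; the step compares against the literal "true".
    description: "Fail the pipeline if secrets are found"
    required: false
    default: "false"
  branch:
    description: "The branch to scan. Use 'all-branches' to scan all branches"
    required: false
  exclude-paths:
    description: "Paths to exclude from the scan."
    required: false
  args:
    description: "Additional arguments to pass to trufflehog."
    required: false

runs:
  using: "composite"
  steps:
    - name: Run TruffleHog
      shell: bash
      env:
        INPUT_RESULTS: ${{ inputs.results }}
        INPUT_FAIL: ${{ inputs.fail }}
        INPUT_EXCLUDE_PATHS: ${{ inputs.exclude-paths }}
        INPUT_ARGS: ${{ inputs.args }}
        INPUT_BRANCH: ${{ inputs.branch }}
        PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
        REF_NAME: ${{ github.ref_name }}
      run: |
        # Arguments are collected in an array so each value reaches the scanner
        # as a single argv entry; only the free-form `args` input is word-split.
        TRUFFLEHOG_ARGS=(git "file:///pwd" --json --no-update)

        # Branch selection: "all-branches" adds no flag, an explicit branch
        # wins, otherwise fall back to the PR head ref and finally to the ref
        # that triggered the workflow.
        if [[ "$INPUT_BRANCH" != "all-branches" ]]; then
          if [[ -n "$INPUT_BRANCH" ]]; then
            TRUFFLEHOG_ARGS+=("--branch=$INPUT_BRANCH")
          elif [[ -n "$PR_HEAD_REF" ]]; then
            TRUFFLEHOG_ARGS+=("--branch=$PR_HEAD_REF")
          else
            TRUFFLEHOG_ARGS+=("--branch=$REF_NAME")
          fi
        fi

        if [[ -n "$INPUT_RESULTS" ]]; then
          TRUFFLEHOG_ARGS+=(--results "$INPUT_RESULTS")
        fi

        if [[ "$INPUT_FAIL" == "true" ]]; then
          TRUFFLEHOG_ARGS+=(--fail)
        fi

        if [[ -n "$INPUT_EXCLUDE_PATHS" ]]; then
          # The exclude path is resolved inside the bind-mounted workspace.
          TRUFFLEHOG_ARGS+=(-x "/pwd/$INPUT_EXCLUDE_PATHS")
        fi

        if [[ -n "$INPUT_ARGS" ]]; then
          # Split on whitespace only; no glob expansion of user-supplied text.
          read -r -a EXTRA_ARGS <<< "$INPUT_ARGS"
          TRUFFLEHOG_ARGS+=("${EXTRA_ARGS[@]}")
        fi

        # The image is pinned by version tag. Pinning by digest instead
        # (trufflesecurity/trufflehog@sha256:<DIGEST-PLACEHOLDER>) would make
        # the scanner immutable across runs.
        exit_code=0
        docker run --rm -v "$PWD:/pwd" trufflesecurity/trufflehog:3.88.1 \
          "${TRUFFLEHOG_ARGS[@]}" > trufflehog-results.json || exit_code=$?

        # Consumed by the final "Quality Check with exit_code" step.
        echo "TRUFFLEHOG_EXIT_CODE=$exit_code" >> "$GITHUB_ENV"

    - name: Push report to CSPM panel
      shell: bash
      env:
        CSPM_ENDPOINT: ${{ inputs.endpoint }}
        CSPM_TENANT_ID: ${{ inputs.tenant_id }}
        CSPM_LABEL: ${{ inputs.label }}
        CSPM_TOKEN: ${{ inputs.token }}
      run: |
        # An empty results file means the scanner reported nothing.
        if [[ ! -s trufflehog-results.json ]]; then
          echo "No secrets found. Skipping API upload."
          exit 0
        fi

        # Request options are handed to curl as a config read from stdin so
        # the bearer token never appears in the process argument list.
        RESPONSE=$(curl --location --config - <<EOF
        url = "https://${CSPM_ENDPOINT}/api/v1/artifact/?tenant_id=${CSPM_TENANT_ID}&data_type=TruffleHog&save_to_s3=true&label_id=${CSPM_LABEL}"
        header = "Tenant-Id: ${CSPM_TENANT_ID}"
        header = "Authorization: Bearer ${CSPM_TOKEN}"
        form = "file=@./trufflehog-results.json"
        EOF
        )

        echo "Response: $RESPONSE"
        # Success is detected from the response body, matching the panel's
        # acknowledgement text, rather than from the HTTP status.
        if [[ "$RESPONSE" != *"File received successfully"* ]]; then
          echo "Error: Failed to push report to CSPM panel"
          exit 1
        fi

    - name: Quality Check with exit_code
      # 183 is the exit code recorded by the scan step; TruffleHog returns it
      # when run with --fail (the `fail` input) and findings are present —
      # confirm against the pinned image version when upgrading.
      if: env.TRUFFLEHOG_EXIT_CODE == '183'
      shell: bash
      run: |
        echo "TruffleHog found credentials. Failing the job."
        exit 1

branding:
  icon: "lock"
  color: "purple"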