
trufflehog-actions-scan's Introduction

Trufflehog Actions Scan 🐽🔑

Scans the most recent commits in a repository for secrets, with basic trufflehog defaults in place for easy setup.

This action is intended as a Continuous Integration secret scan in an already "clean" repository. The default commit scan depth is the last 50 commits and can be adjusted using Custom Arguments (see below).

It is recommended to run a basic trufflehog scan on your entire repository prior to relying on this CI solution (Note: this can be done manually from the command line or by using this action with custom options "--regex --entropy=False").

Usage

workflow "Detect Secrets" {
  on = "push"
  resolves = ["edplato/trufflehog-actions-scan"]
}

action "edplato/trufflehog-actions-scan" {
  uses = "edplato/trufflehog-actions-scan@master"
}

Default trufflehog options for this tool include:

  • regex: enables the high-signal regex checks

  • entropy disabled: entropy checks are turned off

  • max depth 50: the maximum number of commits to go back when searching for secrets

For custom regex rules:

  • rules: Uses custom regexes.json
    • Note: this is similar to the default trufflehog rules file, however this regexes.json will catch some additional API keys, including any PEM encapsulation boundary that ends in PRIVATE KEY----- or PRIVATE KEY BLOCK-----.
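The two defaults described above, a regexes.json of named rules and a commit-depth cap, in miniature. This is an added Python example, not code from the action or trufflehog itself: the rule names, patterns and commit history are constructed for illustration, and the "Private Key Boundary" rule follows the README's description of the extra PEM-boundary check rather than reproducing the project's actual regexes.json.

```python
import json
import re

# Constructed rules in the shape trufflehog's --rules file uses: a JSON object
# mapping rule name -> regular expression. "Private Key Boundary" mirrors the
# README's note: any PEM encapsulation boundary ending in "PRIVATE KEY-----" or
# "PRIVATE KEY BLOCK-----" (EC, RSA, OPENSSH, PGP, ...) is flagged.
REGEXES_JSON = json.dumps({
    "AWS API Key": r"AKIA[0-9A-Z]{16}",
    "Generic Secret": r"[sS][eE][cC][rR][eE][tT].*['\"][0-9a-zA-Z]{32,45}['\"]",
    "Private Key Boundary": r"-----BEGIN [A-Z ]*PRIVATE KEY( BLOCK)?-----",
})

def load_rules(rules_json):
    """Compile a regexes.json document into {name: compiled pattern}."""
    return {name: re.compile(p) for name, p in json.loads(rules_json).items()}

def scan_commits(commits, rules, max_depth=50):
    """Walk commits newest-first, stop after max_depth, report every rule hit.

    `commits` is a list of {"hash": str, "files": {path: text}} dicts, newest
    first, standing in for the git history trufflehog walks. Each finding
    carries the same fields trufflehog prints (Reason, Hash, Filepath).
    """
    findings = []
    for commit in commits[:max_depth]:          # --max_depth caps the walk here
        for path, text in commit["files"].items():
            for reason, pattern in rules.items():
                for match in pattern.finditer(text):
                    findings.append({"Reason": reason, "Hash": commit["hash"],
                                     "Filepath": path, "Match": match.group(0)})
    return findings

# Constructed history, newest first. Only c0 holds a *public* key, which the
# boundary rule must leave alone; c1's PGP block is the oldest real secret.
SAMPLE_COMMITS = [
    {"hash": "c3", "files": {"deploy/ec.pem": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEE\n-----END EC PRIVATE KEY-----\n"}},
    {"hash": "c2", "files": {"config.py": 'secret = "lolasifidsaveapasswordinplaintextbro"\n'}},
    {"hash": "c1", "files": {"keys/gpg.asc": "-----BEGIN PGP PRIVATE KEY BLOCK-----\nlQdGBF\n"}},
    {"hash": "c0", "files": {"keys/pub.pem": "-----BEGIN PUBLIC KEY-----\nMFkw\n-----END PUBLIC KEY-----\n"}},
]

if __name__ == "__main__":
    rules = load_rules(REGEXES_JSON)
    # Full depth sees all three secrets; depth 2 misses the PGP key in c1,
    # the gap the README warns about when the scan depth is too shallow.
    for depth in (50, 2):
        hits = scan_commits(SAMPLE_COMMITS, rules, max_depth=depth)
        print(f"max_depth={depth}: {[(f['Hash'], f['Reason']) for f in hits]}")
```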

Edit your corresponding actions yml file or create a new one.

Required Actions

trufflehog-actions-scan now uses actions/checkout@v2. Using a previous version may cause issues with future support of this action.

With actions/checkout@v2, make sure to include fetch-depth: 0 as shown below when checking out the repository; it makes the entire git commit history available to be scanned (by default checkout fetches only the single commit that triggered the workflow, so the scan would see just that one commit). Alternatively, ensure the value of fetch-depth is greater than the --max_depth flag passed to trufflehog, so that trufflehog actually scans to your desired commit history depth. ref: ${{ github.head_ref }} is necessary for the pull request workflow trigger.

Basic

steps:
- uses: actions/checkout@v2
  with:
    fetch-depth: 0
    ref: ${{ github.head_ref }} # necessary for pull request workflow trigger
- name: trufflehog-actions-scan
  uses: edplato/trufflehog-actions-scan@master

Custom Arguments

steps:
- uses: actions/checkout@v2
  with:
    fetch-depth: 0
    ref: ${{ github.head_ref }} # necessary for pull request workflow trigger
- name: trufflehog-actions-scan
  uses: edplato/trufflehog-actions-scan@master
  with:
    scanArguments: "--regex --entropy=False --max_depth=5 --rules /regexes.json" # Add custom options here*

  • * if a custom scanArguments string is used, it overwrites the default settings entirely
  • if you want to run the trufflehog command with NO arguments, set it to a single-space string " "

Proxy

Building the docker container requires access to pypi.python.org/pypi. If you are running this action on a self-hosted runner behind a proxy, you can configure the docker client to pass the proxy settings through to the container. This action will respect the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY settings in ~/.docker/config.json, if set.

MIT License


trufflehog-actions-scan's Issues

Scan the repo but not all historical commit

I want to scan the repo. I am using the max-depth flag as well, but that will check the files changed in the current commit. Even if I remove the secret it is still exiting in error as it is detecting secrets.

Updating README to account for github actions/checkout@v2

Thanks for making this github action. This issue is not directly related to this action, but may be relevant for users.

I noticed that the max_depth flag wasn't working when I was attempting to use it and after some investigation I realized that - uses: actions/checkout@v2 only takes the last commit by default.

Per the README on https://github.com/actions/checkout (emphasis mine):

Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set fetch-depth: 0 to fetch all history for all branches and tags.

Unless I've misunderstood something, it may be worthwhile to update the README adding

with:
    fetch-depth: 0

is required to make available the entire git commit history. I also recognize that this action is built to be running on a 'clean' repo though, so latest commit should be sufficient (unless multiple commit PRs need to be supported).

I'm not sure if this is the best solution because specifying the fetch depth for actions checkout and then the max_depth on the trufflehog level seem to overlap or can be redundant.

Scan PR code

Is it possible to just scan the PR code for secrets (rather than the entire repo code)?

cc @edplato

No output when run on known problem project

Hi,

I'm creating an intentionally vulnerable repo/project to use for a workshop, and I'd like to demo trufflehog, using github actions. I run trufflehog locally on the project folder and it lights up like a Christmas tree, it finds all the secrets. However, when I run it with the GitHub Action it says it ran successfully, but there is no output. I'm confused.

I tried adding another fake private key, checking it in, which triggers my DotNetDemo.yml actions, and it still has no input. I know trufflehog would find this as it finds this, and more, locally.

Here's my workflow file: https://github.com/shehackspurple/dotnetcore-webapp/blob/master/.github/workflows/DotNetDemo.yml

Thanks for making this action, looking forward to automating this.

Tanya

Exclude some detector type or file path

Hi, how can I exclude some paths or a particular detector type from scanning since it could be a known secret?
Below is my action that I am using -

- name: checkout-pr
  if: ${{ github.event_name == 'pull_request' }}
  uses: actions/checkout@v2
  with:
    fetch-depth: 0
    ref: ${{ github.head_ref }}
- name: get-branch
  run: |
    echo "BRANCH=$(git branch --show-current)" >> $GITHUB_ENV
- name: Run secret scanner
  uses: edplato/[email protected]
  with:
    scanArguments: "--regex --only-verified --entropy=False --max_depth=100 --branch ${{ env.BRANCH }} --rules .github/secrets-scanner/regexes.json"

secrets are not detected when PR triggers workflow

Hi, I found that the same workflow code

steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          submodules: false
          fetch-depth: "0"
      - name: Trufflehog Actions Scan
        uses: edplato/[email protected]
        with:
          scanArguments: "--max_dept 50 -x .github/workflows/exclude-patterns.txt"

works fine when the job is triggered by a push to the branch

name: detect-secrets
on:
  push:
    branches:
      - "**"

but it doesn't detect any secrets when it is triggered by opening a PR - the action is started but always passes

name: detect-secrets
on:
  pull_request:
    branches: 
      - "**"

the same commit gives different results for push and pull_request. Any idea?

Scan Arguments not finding issues it should be finding

Hi Ed, sorry to bother you again, but since you have checked in your changes, it can't find my keys again. It finds nothing.

I ran trufflehog from my desktop on my repo and it found lots of stuff, with no special arguments: trufflehog https://github.com/shehackspurple/dotnetcore-webapp

I made a video of the whole thing, so you can see my troubleshooting:
https://www.twitch.tv/videos/565679444

I'm confused as to why it worked when it was in a branch, you merged it to master, then it's not working again. Did anything else change besides that and the update to the readme?

Action always passes without detecting secrets

When I try to use this action, it completes without error but does not find any secrets (regex or high entropy).

I have:

  • Ensured I'm using checkout@v2 with fetch-depth: "0" before the trufflehog step.
  • Confirmed with an ls -laR that the git repo is indeed checked out in the PWD.
  • Explicitly specified --rules, --entropy and --max_depth.
  • Ran trufflehog locally in the same git repo and it works as expected (detects secrets).

Configuration:

  TruffleHog:
    runs-on: [self-hosted]
    steps:
    - uses: actions/checkout@v2
      with:
        fetch-depth: "0"
    - run: ls -laR
    - uses: edplato/trufflehog-actions-scan@master
      with:
        scanArguments: "--regex --entropy=true --max_depth=1000 --rules regexes.json"

Output from Action with a repo that contains some fake secrets:

Note that it doesn't look like the action is even running trufflehog

[Screenshot: Action output, 2021-12-15]

Example output from running Trufflehog locally with the same repo:

trufflehog --regex --entropy=false --max_depth=1000 --rules regexes.json file://$(pwd)

-----BEGIN EC PRIVATE KEY-----
~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
Reason: PGP private key block
Date: 2021-12-09 10:43:49
Hash: 87b860ae90f535ebc11646e9753be23894844966
Filepath: .gitleaks.toml
Branch: origin/secrets_scanning
Commit: add mvp of trufflehog secrets scanning

-----BEGIN PGP PRIVATE KEY BLOCK-----
~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
Reason: Generic Secret
Date: 2021-12-09 10:43:49
Hash: 87b860ae90f535ebc11646e9753be23894844966
Filepath: fakesecretitems/testbadcode.py
Branch: origin/secrets_scanning
Commit: add mvp of trufflehog secrets scanning

secret : "lolasifidsaveapasswordinplaintextbro"
