Skip to content

Warning

You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?

Trufflehog Actions Scan

Actions
Scan repository for secrets with basic trufflehog defaults in place for easy setup
v0.9h-beta
By edplato
Star (21)

Tags

 (2)
continuous-integrationsecurity

Trufflehog Actions Scan 🐽🔑

Scan recent commits in repository for secrets with basic trufflehog defaults in place for easy setup.

This action is intended as a Continuous Integration secret scan in an already "clean" repository. The default commit scan depth is the last 50 commits and can be adjusted using Custom Arguments (see below).

It is recommended to run a basic trufflehog scan on your entire repository prior to relying on this CI solution (Note: this can be done manually from the command line or by using this action with custom options "--regex --entropy=False").

Usage

workflow "Detect Secrets" {
  on = "push"
  resolves = ["edplato/trufflehog-actions-scan"]
}

action "edplato/trufflehog-actions-scan" {
  uses = "edplato/trufflehog-actions-scan@master"
}

Default trufflehog options for this tool include:

  • regex : Enable high signal regex checks

  • entropy disabled: Disabled entropy checks

  • max depth is 50: The max commit depth to go back when searching for secrets

For custom regex rules:

  • rules: Uses custom regexes.json
    • Note: this is similar to the default trufflehog version, however this regexes.json will catch some additional API keys including any key Encapsulation Boundary that ends in PRIVATE KEY----- or PRIVATE KEY BLOCK-----.

Edit your corresponding actions yml file or create a new one.

Basic

steps:
- uses: actions/checkout@master
- name: trufflehog-actions-scan
  uses: edplato/trufflehog-actions-scan@master

Custom Arguments

steps:
- uses: actions/checkout@master
- name: trufflehog-actions-scan
  uses: edplato/trufflehog-actions-scan@master
  with:
    scanArguments: "--regex --entropy=False --max_depth=5 --rules /regexes.json" # Add custom options here*

*if custom options argument string is used, it will overwrite default settings

Private GitHub Repository

Pass a GitHub access token to action to clone from a private GitHub repository. You can't use the default GITHUB_TOKEN as it doesn't have the permission to clone the repository.

steps:
- uses: actions/checkout@master
- name: trufflehog-actions-scan
  uses: edplato/trufflehog-actions-scan@master
  with:
    githubToken: ${{ secrets.GITHUB_CLONE_TOKEN }} # You have to create an access token manually

MIT License

Contributors (7)

@edplato@armaanshah96@nathankleyn@Fox32@cdagraca@JonGilmore
+ 1 contributors

Resources

Trufflehog Actions Scan is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.

About

Scan repository for secrets with basic trufflehog defaults in place for easy setup
v0.9h-beta
By edplato

Tags

 (2)
continuous-integrationsecurity

Contributors (7)

@edplato@armaanshah96@nathankleyn@Fox32@cdagraca@JonGilmore
+ 1 contributors

Resources

Trufflehog Actions Scan is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.