chore: add trufflehog scan #1238
Draft. isaiah-grafana wants to merge 92 commits into main from pr/trufflehog-scan (+400 −23). Showing changes from 19 commits.

Commits
92 commits by isaiah-grafana:

- 214c9d9 Test
- 2929715 Testing
- 3eb0c48 Testing
- af08945 Testing
- 7a37b3a Testing
- 32d4273 Testing
- b45a2ff Updated
- ae40386 test
- 9661385 Added
- 7d2e829 Added this for testing
- 10f65ba Interesting
- 564b9e9 Testing
- d177777 Testing
- 5c3586e Made updates
- 4c01a66 Testing this
- 7a9d410 Testing this
- deaf6f2 Made updates
- feb1163 Testing
- 331c613 Findings
- dba73c1 Updated to pinned commit
- 22663e8 Fixed zizmor findings
- f7944fd chore: fix Prettier formatting
- 24cda0e Fixes pre-commit failure
- 69a14be Add custom Grafana secret patterns for Trufflehog
- db92981 Update Trufflehog workflow to use custom Grafana patterns
- f5b00df Fix Trufflehog configuration to use proper YAML format
- 1d6b70c Embed Trufflehog config directly in workflow
- ae5e4ed Fix YAML syntax in embedded Trufflehog config
- 1fc88c7 Clean up YAML configuration to fix all syntax errors
- 58a654c Replace YAML config with dual-approach scanning
- cdd3692 Fix exclude-paths flag syntax for Trufflehog
- e86fc66 Fix exclude-paths to use single file instead of repeated flags
- 91ced38 Add detailed secret detection output with file locations
- 901ef59 Prevent workflow from scanning its own output files
- 16bc291 Fix false positive in Grafana secrets detection
- 7d949be Clean up workflow: consolidate config and simplify logic
- 3798aa3 Remove redundant and useless workflow steps
- ccab375 Fix code injection vulnerability flagged by zizmor
- 6a50641 Fix pre-commit failures: shellcheck and prettier
- a7ed881 Remove leftover trufflehog-config.yaml causing prettier failures
- 81033c7 Fix trailing whitespace and shell redirection issues
- 12ccf79 Fix all remaining shellcheck issues in workflow
- ab8e17e Fix SC2086 warnings by using arrays for grep arguments
- d8d73ac chore: fix formatting and remove trailing whitespace
- a99d2ec Improve exclusions to prevent scanning workflow output files
- 4435f48 FINAL FIX: Remove condition blocking PR comments on push events
- 31bcb44 Fix: prettier formatting and trailing whitespace
- 3ca5488 Fix Trufflehog detection: add aggressive scanning and debugging
- 2526eb9 CRITICAL FIX: Move PR commenting before workflow failure
- b45612d Update TruffleHog workflow for comprehensive repository scanning
- c799b33 Fix linting issues in TruffleHog workflow
- f95824b Remove trailing whitespace from TruffleHog workflow
- 6f0834e SECURITY: Add comprehensive GitHub token detection patterns
- bf47997 Focus TruffleHog workflow on open source + Grafana detectors only
- 5cab549 Optimize TruffleHog reusable workflow for better performance
- b7e2662 Add comprehensive file scanning and git history scanning
- 7e02f45 Final speed optimizations for TruffleHog reusable workflow
- 313243e Add unified scan mode for compressed TruffleHog checks
- a70accc Refine reusable TruffleHog workflow
- 96d36ac feat: add reusable TruffleHog secret scanning workflow
- ea6412c fix: resolve YAML syntax and formatting issues
- 10528b5 feat: secure reusable TruffleHog secret scanning workflow
- c53d707 security: disable credential persistence in checkout
- 5d4712c fix: resolve shellcheck and formatting issues
- 4202301 fix: apply prettier formatting fixes
- bbd1137 fix: improve custom detector patterns for better secret detection
- 50634fa fix: resolve JSON merging error for TruffleHog results
- 1317d18 debug: add extensive debugging for TruffleHog detection issues
- 47058be Fix TruffleHog custom detector configuration format
- b7d9c7d Fix linting issues in TruffleHog workflow
- bf3bdfc Remove trailing whitespace from TruffleHog workflow
- 745a83a Add comment dismissal for TruffleHog PR comments
- 648701b Fix template injection security vulnerability
- 54d1218 Implement zizmor-style comment dismissal for TruffleHog
- d119db1 Remove trailing whitespace from TruffleHog workflow
- 56c9cc2 Fix GitHub Actions multiline output format
- e998c00 Remove trailing whitespace from TruffleHog workflow
- b863fce Fix comment dismissal conditions to match zizmor pattern
- 9c4eab1 Implement comprehensive TruffleHog comment hiding
- d694121 Fix template injection in comprehensive comment hiding
- 75d81fb Revert to zizmor-style comment hiding pattern
- d50ad4d Improve custom detector comment description
- 12b7518 Fix Grafana token regex pattern to match actual token length
- 699b031 Remove custom Grafana detectors - use TruffleHog's built-in detectors
- 51bbd78 Add simple custom Grafana detector for testing
- bb7ce0e Remove custom detector - rely on TruffleHog built-in GrafanaServiceAc…
- 19963de Improve TruffleHog workflow performance and reliability
- b4fdba9 Clean up TruffleHog output formatting
- e50cd7d Fix multiple TruffleHog checks issue
- cca9342 Add TruffleHog scan results artifact
- 1c36cba Fix template injection vulnerability in artifact creation
- b612b91 Fix shellcheck warning: remove unused SEVERITY variable
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,100 @@ | ||
| name: Reusable Trufflehog Secret Scan | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| fail-on-secrets: | ||
| description: 'Fail the workflow if secrets are found' | ||
| required: false | ||
| default: 'true' | ||
| type: string | ||
| extra_args: | ||
| description: 'Extra arguments to pass to Trufflehog' | ||
| required: false | ||
| default: '' | ||
| type: string | ||
|
|
||
| jobs: | ||
| trufflehog-scan: | ||
| runs-on: ubuntu-x64-small | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Remove old Trufflehog (if present) | ||
| run: | | ||
| pip uninstall -y truffleHog || true | ||
| pip uninstall -y trufflehog || true | ||
|
|
||
| - name: Install Trufflehog v3+ | ||
| run: | | ||
| curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin | ||
| trufflehog --version | ||
|
|
||
| - name: Run Trufflehog | ||
| run: | | ||
| trufflehog filesystem . \ | ||
| --json \ | ||
| --no-update \ | ||
| --results=verified,unknown \ | ||
| --fail \ | ||
| --exclude-paths=.git,.github,node_modules,venv,env \ | ||
| ${{ inputs.extra_args }} \ | ||
|
||
| > trufflehog-results.json || true | ||
|
|
||
| - name: Debug Trufflehog output | ||
| run: cat trufflehog-results.json || echo "No trufflehog-results.json found" | ||
|
|
||
| - name: Comment on PR with all Trufflehog findings (full JSON, clean format) | ||
| if: ${{ github.event.pull_request != null }} | ||
| uses: actions/github-script@v7 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| script: | | ||
| const fs = require('fs'); | ||
| let findings = []; | ||
| try { | ||
| const lines = fs.readFileSync('trufflehog-results.json', 'utf8') | ||
| .split('\n') | ||
| .filter(Boolean); | ||
| for (const line of lines) { | ||
| let finding; | ||
| try { | ||
| finding = JSON.parse(line); | ||
| } catch (e) { | ||
| continue; | ||
| } | ||
| if (finding.Raw) { | ||
| findings.push( | ||
| [ | ||
| '---', | ||
| '**Trufflehog Finding:**', | ||
| '', | ||
| '```json', | ||
| JSON.stringify(finding, null, 2), | ||
| '```', | ||
| '' | ||
| ].join('\n') | ||
| ); | ||
| } | ||
| } | ||
| } catch (e) { | ||
| findings = ['(Could not parse Trufflehog report)']; | ||
| } | ||
| const body = findings.length | ||
| ? `🚨 **Trufflehog found secrets in this PR!**\n\n${findings.join('\n')}` | ||
| : "✅ Trufflehog ran and no secrets were found."; | ||
| github.rest.issues.createComment({ | ||
| issue_number: context.payload.pull_request.number, | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| body | ||
| }); | ||
|
|
||
| - name: Fail if any secrets found | ||
| if: ${{ inputs.fail-on-secrets == 'true' && hashFiles('trufflehog-results.json') != '' }} | ||
| run: | | ||
| if grep -q '"Raw":' trufflehog-results.json; then | ||
| echo "Secrets found! Failing the workflow." | ||
| exit 1 | ||
| fi | ||
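Review bot: the "Comment on PR" step re-posts every detected secret in plaintext. It selects findings on `finding.Raw` and then embeds the whole object with `JSON.stringify(finding, null, 2)`, and TruffleHog's `Raw` (and `RawV2`) field is the matched credential itself, so a leaked token ends up in a PR comment that anyone with read access to the repository can see, long after the offending commit is rewritten. Delete or mask `Raw`/`RawV2` before building the body and report only the detector name plus file and line from `SourceMetadata`, leaving the full record in the job log or an access-controlled artifact. Two further points in the same hunk: `${{ inputs.extra_args }}` is expanded directly inside the `run:` script of the "Run Trufflehog" step, so a caller-controlled string becomes shell code (the class of finding the later "Fix code injection vulnerability flagged by zizmor" commit deals with); pass it via `env:` and reference it as a quoted shell variable instead. And `--exclude-paths=.git,.github,node_modules,venv,env` hands the flag a comma list where TruffleHog expects the path of a file with one pattern per line, so these exclusions will not take effect as written; meanwhile the trailing `|| true` discards every non-zero exit, including the one `--fail` is there to produce, leaving the final `grep -q '"Raw":'` step as the only failure signal. Minor: `github.rest.issues.createComment(...)` should be awaited so the script cannot return before the request completes.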