Added file from workflow

theangrytech-git · web-flow · commit 02822f708870 · 2025-03-31T18:09:40.000+01:00
Added trufflehog and gitleaks yml's to repo so they can be run separately if needed
diff --git a/msdo-gitleaks.yml b/msdo-gitleaks.yml
@@ -0,0 +1,78 @@
+name: msdo-gitleaks-secret-scanning
+
+on:
+  workflow_call:
+    inputs:
+      branch:
+        required: false
+        type: string
+        default: 'main'
+    secrets:
+      GH_TOKEN:
+        required: false
+
+jobs:
+  gitleaks-scan:
+    name: Gitleaks Secret Scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository manually
+        run: |
+          git clone https://github.com/${{ github.repository }} .
+          git checkout ${{ github.ref_name }}
+
+      - name: Fetch Gitleaks config from MSDO
+      #This section will need to be edited to match wherever the repo will be copied to
+        run: |
+          echo "Fetching .gitleaks.toml from MSDO repo..."
+          curl -sSL https://raw.githubusercontent.com/theangrytech-git/MSDO/main/gitleaks.toml -o .gitleaks.toml
+
+      - name: Run Gitleaks
+        run: |
+          echo "Downloading Gitleaks..."
+          curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz -o gitleaks.tar.gz
+          tar -xzf gitleaks.tar.gz gitleaks
+          chmod +x gitleaks
+          ./gitleaks version
+
+          echo " Running Gitleaks scan..."
+          ./gitleaks detect \
+          --source=. \
+          --config=.gitleaks.toml \
+          --report-format sarif \
+          --report-path=gitleaks.sarif \
+          --exit-code 0
+
+      - name: Upload SARIF to GitHub Code Scanning
+        if: github.repository_visibility == 'public'
+        run: |
+          echo "Compressing and uploading SARIF..."
+          if [ ! -f "gitleaks.sarif" ]; then
+            echo "SARIF file not found"
+            exit 0
+          fi
+
+          gzip -c gitleaks.sarif | base64 -w 0 > gitleaks.sarif.base64
+          encoded_sarif=$(cat gitleaks.sarif.base64)
+
+          curl -s -X POST \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            -H "Content-Type: application/json" \
+            https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
+            -d @- <<EOF
+          {
+            "commit_sha": "${{ github.sha }}",
+            "ref": "${{ github.ref }}",
+            "sarif": "$encoded_sarif",
+            "checkout_uri": "https://github.com/${{ github.repository }}",
+            "tool_name": "Gitleaks"
+          }
+          EOF
diff --git a/msdo-trufflehog.yml b/msdo-trufflehog.yml
@@ -0,0 +1,133 @@
+name: trufflehog-secret-scanning
+
+on:
+  workflow_call:
+    secrets:
+      GH_TOKEN:
+        required: false
+  workflow_dispatch:
+
+jobs:
+  trufflehog-scan:
+    name: TruffleHog Secret Scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        run: |
+          git clone https://github.com/${{ github.repository }} .
+          git checkout ${{ github.ref_name }}
+
+      - name: Install jq (if needed)
+        run: sudo apt-get install -y jq
+
+      - name: Install TruffleHog (v3+ CLI)
+        run: |
+          echo "Fetching latest TruffleHog release asset for Linux..."
+
+          ASSET_URL=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases/latest \
+            | jq -r '.assets[] | select(.name | test("linux_amd64.tar.gz$")) | .browser_download_url')
+
+          if [ -z "$ASSET_URL" ]; then
+            echo "Could not find Linux binary asset for TruffleHog. Exiting."
+            exit 1
+          fi
+
+          echo "Downloading from $ASSET_URL"
+          curl -sSL -o trufflehog.tar.gz "$ASSET_URL"
+          tar -xzf trufflehog.tar.gz
+          chmod +x trufflehog
+          file trufflehog
+          sudo mv trufflehog /usr/local/bin/
+          trufflehog --version
+
+      - name: Show files to be scanned
+        run: |
+          echo "Files that will be scanned:"
+          find . -type f \( -name "*.tf" -o -name "*.tfvars" -o -name "*.js" -o -name "*.jsx" -o -name "*.ts" -o -name "*.tsx" -o -name "*.py" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "*.bicep" -o -name "*.cs" -o -name "*.csproj" \)
+
+      - name: Run TruffleHog and generate JSON report
+        run: |
+          echo "\.terraform\.lock\.hcl$" > exclude-paths.txt
+          trufflehog filesystem . \
+            --json \
+            -x exclude-paths.txt \
+            > trufflehog-findings.json || true
+
+      - name: Convert TruffleHog findings to SARIF format
+        if: github.repository_visibility == 'public'
+        run: |
+          echo "import json" > convert_to_sarif.py
+          echo "" >> convert_to_sarif.py
+          echo "try:" >> convert_to_sarif.py
+          echo "  with open('trufflehog-findings.json') as f:" >> convert_to_sarif.py
+          echo "    findings = [json.loads(line) for line in f if line.strip()]" >> convert_to_sarif.py
+          echo "except Exception as e:" >> convert_to_sarif.py
+          echo "  print('Failed to parse findings:', e)" >> convert_to_sarif.py
+          echo "  findings = []" >> convert_to_sarif.py
+          echo "" >> convert_to_sarif.py
+          echo "sarif = {" >> convert_to_sarif.py
+          echo "  'version': '2.1.0'," >> convert_to_sarif.py
+          echo "  'runs': [{" >> convert_to_sarif.py
+          echo "    'tool': {" >> convert_to_sarif.py
+          echo "      'driver': {" >> convert_to_sarif.py
+          echo "        'name': 'TruffleHog'," >> convert_to_sarif.py
+          echo "        'informationUri': 'https://github.com/trufflesecurity/trufflehog'," >> convert_to_sarif.py
+          echo "        'rules': []" >> convert_to_sarif.py
+          echo "      }" >> convert_to_sarif.py
+          echo "    }," >> convert_to_sarif.py
+          echo "    'results': []" >> convert_to_sarif.py
+          echo "  }]" >> convert_to_sarif.py
+          echo "}" >> convert_to_sarif.py
+          echo "" >> convert_to_sarif.py
+          echo "seen_rules = set()" >> convert_to_sarif.py
+          echo "" >> convert_to_sarif.py
+          echo "for finding in findings:" >> convert_to_sarif.py
+          echo "  reason = finding.get('reason', 'Secret detected')" >> convert_to_sarif.py
+          echo "  path = finding.get('path', '')" >> convert_to_sarif.py
+          echo "  line = finding.get('line', 1)" >> convert_to_sarif.py
+          echo "  strings_found = ', '.join(finding.get('stringsFound', []))" >> convert_to_sarif.py
+          echo "  rule_id = f'trufflehog-{reason.replace(\" \", \"-\")[:64]}'" >> convert_to_sarif.py
+          echo "  if rule_id not in seen_rules:" >> convert_to_sarif.py
+          echo "    sarif['runs'][0]['tool']['driver']['rules'].append({" >> convert_to_sarif.py
+          echo "      'id': rule_id," >> convert_to_sarif.py
+          echo "      'name': reason" >> convert_to_sarif.py
+          echo "    })" >> convert_to_sarif.py
+          echo "    seen_rules.add(rule_id)" >> convert_to_sarif.py
+          echo "  sarif['runs'][0]['results'].append({" >> convert_to_sarif.py
+          echo "    'ruleId': rule_id," >> convert_to_sarif.py
+          echo "    'level': 'warning'," >> convert_to_sarif.py
+          echo "    'message': {" >> convert_to_sarif.py
+          echo "      'text': f'{reason} in {path} at line {line}: {strings_found}'" >> convert_to_sarif.py
+          echo "    }," >> convert_to_sarif.py
+          echo "    'locations': [{" >> convert_to_sarif.py
+          echo "      'physicalLocation': {" >> convert_to_sarif.py
+          echo "        'artifactLocation': { 'uri': path }," >> convert_to_sarif.py
+          echo "        'region': { 'startLine': line }" >> convert_to_sarif.py
+          echo "      }" >> convert_to_sarif.py
+          echo "    }]" >> convert_to_sarif.py
+          echo "  })" >> convert_to_sarif.py
+          echo "" >> convert_to_sarif.py
+          echo "with open('trufflehog.sarif', 'w') as out:" >> convert_to_sarif.py
+          echo "  json.dump(sarif, out)" >> convert_to_sarif.py
+
+          python3 convert_to_sarif.py
+
+      - name: Upload TruffleHog SARIF to GitHub Code Scanning
+        if: github.repository_visibility == 'public'
+        run: |
+          gzip -c trufflehog.sarif | base64 -w 0 > trufflehog.sarif.base64
+          encoded_sarif=$(cat trufflehog.sarif.base64)
+
+          curl -s -X POST \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            -H "Content-Type: application/json" \
+            https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
+            -d "{\"commit_sha\": \"${{ github.sha }}\",\"ref\": \"${{ github.ref }}\",\"sarif\": \"$encoded_sarif\",\"checkout_uri\": \"https://github.com/${{ github.repository }}\",\"tool_name\": \"TruffleHog\"}"
