
Commit 1823166

Update msdo-trufflehog.yml
Test the Python SARIF converter written via line-by-line echo statements, to work around the heredoc/EOF and formatting problems of embedding the Python script inline.
1 parent 9399c81 commit 1823166


1 file changed

+54
-58
lines changed

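--- a/.github/workflows/msdo-trufflehog.yml
+++ b/.github/workflows/msdo-trufflehog.yml
@@ -20,7 +20,9 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+run: |
+git clone https://github.com/${{ github.repository }} .
+git checkout ${{ github.ref_name }}
 
 - name: Install TruffleHog and SARIF tools
 run: |
@@ -31,56 +33,54 @@ jobs:
 trufflehog filesystem --directory . --json > trufflehog-findings.json || true
 
 - name: Convert TruffleHog findings to SARIF format
+if: github.repository_visibility == 'public'
 run: |
-echo "${{ steps.convert_script.outputs.script }}" > convert_to_sarif.py
-python3 convert_to_sarif.py
-
-env:
-script: |
-import json
-
-with open('trufflehog-findings.json') as f:
-findings = json.load(f)
-
-sarif = {
-'version': '2.1.0',
-'runs': [{
-'tool': {
-'driver': {
-'name': 'TruffleHog',
-'informationUri': 'https://github.com/trufflesecurity/trufflehog',
-'rules': []
-}
-},
-'results': []
-}]
-}
+echo "import json" > convert_to_sarif.py
+echo "" >> convert_to_sarif.py
+echo "with open('trufflehog-findings.json') as f:" >> convert_to_sarif.py
+echo " findings = json.load(f)" >> convert_to_sarif.py
+echo "" >> convert_to_sarif.py
+echo "sarif = {" >> convert_to_sarif.py
+echo " 'version': '2.1.0'," >> convert_to_sarif.py
+echo " 'runs': [{" >> convert_to_sarif.py
+echo " 'tool': {" >> convert_to_sarif.py
+echo " 'driver': {" >> convert_to_sarif.py
+echo " 'name': 'TruffleHog'," >> convert_to_sarif.py
+echo " 'informationUri': 'https://github.com/trufflesecurity/trufflehog'," >> convert_to_sarif.py
+echo " 'rules': []" >> convert_to_sarif.py
+echo " }" >> convert_to_sarif.py
+echo " }," >> convert_to_sarif.py
+echo " 'results': []" >> convert_to_sarif.py
+echo " }]" >> convert_to_sarif.py
+echo "}" >> convert_to_sarif.py
+echo "" >> convert_to_sarif.py
+echo "seen_rules = set()" >> convert_to_sarif.py
+echo "" >> convert_to_sarif.py
+echo "for finding in findings:" >> convert_to_sarif.py
+echo " reason = finding.get('reason', 'Secret detected')" >> convert_to_sarif.py
+echo " rule_id = f\"trufflehog-{reason.replace(' ', '-')[:64]}\"" >> convert_to_sarif.py
+echo " if rule_id not in seen_rules:" >> convert_to_sarif.py
+echo " sarif['runs'][0]['tool']['driver']['rules'].append({" >> convert_to_sarif.py
+echo " 'id': rule_id," >> convert_to_sarif.py
+echo " 'name': reason" >> convert_to_sarif.py
+echo " })" >> convert_to_sarif.py
+echo " seen_rules.add(rule_id)" >> convert_to_sarif.py
+echo " sarif['runs'][0]['results'].append({" >> convert_to_sarif.py
+echo " 'ruleId': rule_id," >> convert_to_sarif.py
+echo " 'level': 'warning'," >> convert_to_sarif.py
+echo " 'message': {'text': reason}," >> convert_to_sarif.py
+echo " 'locations': [{" >> convert_to_sarif.py
+echo " 'physicalLocation': {" >> convert_to_sarif.py
+echo " 'artifactLocation': {'uri': finding.get('path', '')}," >> convert_to_sarif.py
+echo " 'region': {'startLine': 1}" >> convert_to_sarif.py
+echo " }" >> convert_to_sarif.py
+echo " }]" >> convert_to_sarif.py
+echo " })" >> convert_to_sarif.py
+echo "" >> convert_to_sarif.py
+echo "with open('trufflehog.sarif', 'w') as out:" >> convert_to_sarif.py
+echo " json.dump(sarif, out)" >> convert_to_sarif.py
 
-seen_rules = set()
-
-for finding in findings:
-reason = finding.get('reason', 'Secret detected')
-rule_id = f"trufflehog-{reason.replace(' ', '-')[:64]}"
-if rule_id not in seen_rules:
-sarif['runs'][0]['tool']['driver']['rules'].append({
-'id': rule_id,
-'name': reason
-})
-seen_rules.add(rule_id)
-sarif['runs'][0]['results'].append({
-'ruleId': rule_id,
-'level': 'warning',
-'message': {'text': reason},
-'locations': [{
-'physicalLocation': {
-'artifactLocation': {'uri': finding.get('path', '')},
-'region': {'startLine': 1}
-}
-}]
-})
-
-with open('trufflehog.sarif', 'w') as out:
-json.dump(sarif, out)
+python3 convert_to_sarif.py
 
 - name: Upload TruffleHog SARIF to GitHub Code Scanning
 if: github.repository_visibility == 'public'
@@ -93,12 +93,8 @@ jobs:
 -H "Accept: application/vnd.github+json" \
 -H "Content-Type: application/json" \
 https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
--d @- <<EOF
-{
-"commit_sha": "${{ github.sha }}",
-"ref": "${{ github.ref }}",
-"sarif": "$encoded_sarif",
-"checkout_uri": "https://github.com/${{ github.repository }}",
-"tool_name": "TruffleHog"
-}
-EOF
+-d "{\"commit_sha\": \"${{ github.sha }}\",\"ref\": \"${{ github.ref }}\",\"sarif\": \"$encoded_sarif\",\"checkout_uri\": \"https://github.com/${{ github.repository }}\",\"tool_name\": \"TruffleHog\"}"
+
+-H "Content-Type: application/json" \
+https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
+-d "{\n \"commit_sha\": \"${{ github.sha }}\",\n \"ref\": \"${{ github.ref }}\",\n \"sarif\": \"$encoded_sarif\",\n \"checkout_uri\": \"https://github.com/${{ github.repository }}\",\n \"tool_name\": \"TruffleHog\"\n }"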
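Review bot: The upload step in the last hunk is left with a stray tail on new lines 97–100, which repeat `-H "Content-Type: application/json" \`, the API URL and a second `-d` after the one-line `-d "{\"commit_sha\": …}"` on line 96 has already ended the curl command (it has no trailing `\`); under the workflow's default `bash -e` shell the bare `-H` is executed as its own command and fails the step, and the second body carries literal `\n` sequences between JSON tokens, which the API would reject in any case. Delete new lines 97–100 so the command ends at the single `-d` argument on line 96. In the first hunk, the replacement for `actions/checkout@v4` interpolates `${{ github.ref_name }}` straight into the shell; on push events that is a branch name, which may contain shell metacharacters, and checking out a moving branch tip also means the scanned tree can differ from the `commit_sha` later reported to code scanning. Checking out the pinned commit through the default environment variable, `git checkout "$GITHUB_SHA"`, avoids both the injection surface and the mismatch; the enclosing `steps:` list continues outside these hunks.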
