Create msdo-trufflehog.yml

Initial creation - pulled from secret-scanning.yml

Author: theangrytech-git

.github/workflows/msdo-trufflehog.yml

@@ -0,0 +1,103 @@
+name: trufflehog-secret-scanning
+
+on:
+  workflow_call:
+    secrets:
+      GH_TOKEN:
+        required: false
+  workflow_dispatch:
+
+jobs:
+  trufflehog-scan:
+    name: TruffleHog Secret Scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install TruffleHog
+        run: |
+          pip install trufflehog
+
+      - name: Run TruffleHog and generate JSON report
+        run: |
+          trufflehog filesystem --directory . --json > trufflehog-findings.json || true
+
+      - name: Convert TruffleHog findings to SARIF format
+        if: github.repository_visibility == 'public' && success()
+        run: |
+          pip install sarif-tools
+          python3 -c """
+          import json
+
+with open('trufflehog-findings.json') as f:
+  findings = json.load(f)
+
+  sarif = {
+'version': '2.1.0',
+  'runs': [{
+    'tool': {
+      'driver': {
+        'name': 'TruffleHog',
+        'informationUri': 'https://github.com/trufflesecurity/trufflehog',
+        'rules': []
+      }
+    },
+    'results': []
+  }]
+}
+
+seen_rules = set()
+
+for finding in findings:
+  reason = finding.get('reason', 'Secret detected')
+  rule_id = f"trufflehog-{reason.replace(' ', '-')[:64]}"
+  if rule_id not in seen_rules:
+    sarif['runs'][0]['tool']['driver']['rules'].append({
+      'id': rule_id,
+      'name': reason
+    })
+    seen_rules.add(rule_id)
+  sarif['runs'][0]['results'].append({
+    'ruleId': rule_id,
+    'level': 'warning',
+    'message': {'text': reason},
+    'locations': [{
+      'physicalLocation': {
+        'artifactLocation': {'uri': finding.get('path', '')},
+        'region': {'startLine': 1}
+      }
+    }]
+  })
+
+with open('trufflehog.sarif', 'w') as out:
+  json.dump(sarif, out)
+"""
+
+      - name: Upload TruffleHog SARIF to GitHub Code Scanning
+        if: github.repository_visibility == 'public' && success()
+        run: |
+          gzip -c trufflehog.sarif | base64 -w 0 > trufflehog.sarif.base64
+          encoded_sarif=$(cat trufflehog.sarif.base64)
+
+          curl -s -X POST \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            -H "Content-Type: application/json" \
+            https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
+            -d @- <<EOF
+          {
+            "commit_sha": "${{ github.sha }}",
+            "ref": "${{ github.ref }}",
+            "sarif": "$encoded_sarif",
+            "checkout_uri": "https://github.com/${{ github.repository }}",
+            "tool_name": "TruffleHog"
+          }
+EOF