@@ -22,19 +22,18 @@ jobs:
2222 - name : Checkout repository
2323 uses : actions/checkout@v4
2424
25- - name : Install TruffleHog
25+ - name : Install TruffleHog and SARIF tools
2626 run : |
27- pip install trufflehog
27+ pip install trufflehog sarif-tools
2828
2929 - name : Run TruffleHog and generate JSON report
3030 run : |
3131 trufflehog filesystem --directory . --json > trufflehog-findings.json || true
3232
3333 - name : Convert TruffleHog findings to SARIF format
34- if : github.repository_visibility == 'public' && success()
34+ if : github.repository_visibility == 'public'
3535 run : |
36- pip install sarif-tools
37- cat <<EOF > convert_to_sarif.py
36+ cat << 'EOF' > convert_to_sarif.py
3837import json
3938
4039with open('trufflehog-findings.json') as f :
8382 python3 convert_to_sarif.py
8483
8584 - name : Upload TruffleHog SARIF to GitHub Code Scanning
86- if : github.repository_visibility == 'public' && success()
85+ if : github.repository_visibility == 'public'
8786 run : |
8887 gzip -c trufflehog.sarif | base64 -w 0 > trufflehog.sarif.base64
8988 encoded_sarif=$(cat trufflehog.sarif.base64)
9089
91- echo '{
92- "commit_sha": "'"${{ github.sha }}"'",
93- "ref": "'"${{ github.ref }}"'",
94- "sarif": "'$encoded_sarif'",
95- "checkout_uri": "https://github.com/${{ github.repository }}",
96- "tool_name": "TruffleHog"
97- }' | curl -s -X POST \
90+ curl -s -X POST \
9891 -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
9992 -H "Accept: application/vnd.github+json" \
10093 -H "Content-Type: application/json" \
101- https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs
94+ https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
95+ -d @- <<EOF
96+ {
97+ " commit_sha " : " ${{ github.sha }}" ,
98+ " ref " : " ${{ github.ref }}" ,
99+ " sarif " : " $encoded_sarif" ,
100+ " checkout_uri " : " https://github.com/${{ github.repository }}" ,
101+ " tool_name " : " TruffleHog"
102+ }
103+ EOF
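Review bot: The rewritten upload body on the new `-d @- <<EOF` lines still splices `${{ github.sha }}`, `${{ github.ref }}` and `${{ github.repository }}` into the shell script text, and because this heredoc delimiter is unquoted (unlike the `<< 'EOF'` fix above) bash also expands any `$`, `$(...)` or backtick sequence in the substituted ref name; a ref name is chosen by whoever pushes it, so expression text ends up as shell input rather than data, and a `"` in it also breaks the JSON. The runner already exports these values as `GITHUB_SHA`, `GITHUB_REF` and `GITHUB_REPOSITORY`, so read them as environment variables and let `jq` build the request so every value is escaped (jq is present on GitHub-hosted runners; confirm for self-hosted ones). Separately, `curl -s` exits 0 on an HTTP 4xx/5xx, so a rejected upload — e.g. when the job lacks `security-events: write`, which is not visible in this hunk — passes silently; `-sSf` makes the step fail instead. The job header and workflow trigger are outside the hunk, so how much influence an outside contributor has over `github.ref` here cannot be judged from it.
```yaml
          jq -n \
            --arg sha "$GITHUB_SHA" \
            --arg ref "$GITHUB_REF" \
            --arg repo "$GITHUB_REPOSITORY" \
            --rawfile sarif trufflehog.sarif.base64 \
            '{commit_sha: $sha, ref: $ref, sarif: $sarif,
              checkout_uri: ("https://github.com/" + $repo), tool_name: "TruffleHog"}' \
          | curl -sSf -X POST \
              -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
              -H "Accept: application/vnd.github+json" \
              -H "Content-Type: application/json" \
              -d @- \
              "https://api.github.com/repos/$GITHUB_REPOSITORY/code-scanning/sarifs"
```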