@@ -24,13 +24,41 @@ jobs:
2424 git clone https://github.com/${{ github.repository }} .
2525 git checkout ${{ github.ref_name }}
2626
27- - name : Install TruffleHog
27+ - name : Install jq (if needed)
28+ run : sudo apt-get install -y jq
29+
30+ - name : Install TruffleHog (v3+ CLI)
2831 run : |
29- pip install trufflehog
32+ echo "Fetching latest TruffleHog release asset for Linux..."
33+
34+ ASSET_URL=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases/latest \
35+ | jq -r '.assets[] | select(.name | test("linux_amd64.tar.gz$")) | .browser_download_url')
36+
37+ if [ -z "$ASSET_URL" ]; then
38+ echo "Could not find Linux binary asset for TruffleHog. Exiting."
39+ exit 1
40+ fi
41+
42+ echo "Downloading from $ASSET_URL"
43+ curl -sSL -o trufflehog.tar.gz "$ASSET_URL"
44+ tar -xzf trufflehog.tar.gz
45+ chmod +x trufflehog
46+ file trufflehog
47+ sudo mv trufflehog /usr/local/bin/
48+ trufflehog --version
49+
50+ - name : Show files to be scanned
51+ run : |
52+ echo "Files that will be scanned:"
53+ find . -type f \( -name "*.tf" -o -name "*.tfvars" -o -name "*.js" -o -name "*.jsx" -o -name "*.ts" -o -name "*.tsx" -o -name "*.py" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "*.bicep" -o -name "*.cs" -o -name "*.csproj" \)
3054
3155 - name : Run TruffleHog and generate JSON report
3256 run : |
33- trufflehog filesystem --directory . --json > trufflehog-findings.json || true
57+ echo "\.terraform\.lock\.hcl$" > exclude-paths.txt
58+ trufflehog filesystem . \
59+ --json \
60+ -x exclude-paths.txt \
61+ > trufflehog-findings.json || true
3462
3563 - name : Convert TruffleHog findings to SARIF format
3664 if : github.repository_visibility == 'public'
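Review bot: The install step at new lines 34–47 executes whatever binary `releases/latest` happens to point at, with no version pin and no integrity check on the archive before it is moved into `/usr/local/bin` with `sudo`, so the scanner the job trusts is an unverified network download that can change under the workflow at any time. Pin a release tag and compare the tarball's SHA-256 against a digest recorded in the workflow before extracting; the fence below uses labelled placeholders for both values and keeps the existing jq asset selection against the pinned tag. Two smaller points in the same step: `curl -sSL` lacks `-f`, so an HTTP error body would be written to `trufflehog.tar.gz` and surface only as a confusing `tar` failure, and the archive is unpacked into the repository checkout rather than a scratch directory, where any member name could overwrite a checked-out file. The `Show files to be scanned` and scan steps are left as they are.
```yaml
      - name : Install TruffleHog (v3+ CLI)
        run : |
          TRUFFLEHOG_TAG="<PINNED_RELEASE_TAG>"                       # placeholder: release tag to pin
          TRUFFLEHOG_SHA256="<EXPECTED_SHA256_OF_LINUX_AMD64_TARBALL>" # placeholder: digest of that tag's asset
          ASSET_URL=$(curl -fsS "https://api.github.com/repos/trufflesecurity/trufflehog/releases/tags/${TRUFFLEHOG_TAG}" \
            | jq -r '.assets[] | select(.name | test("linux_amd64.tar.gz$")) | .browser_download_url')
          # … unchanged: empty-ASSET_URL check and exit 1 …
          workdir=$(mktemp -d)
          curl -fsSL -o "${workdir}/trufflehog.tar.gz" "$ASSET_URL"
          # refuse to install anything whose digest differs from the recorded one
          echo "${TRUFFLEHOG_SHA256}  ${workdir}/trufflehog.tar.gz" | sha256sum -c -
          tar -xzf "${workdir}/trufflehog.tar.gz" -C "${workdir}" trufflehog
          sudo install -m 0755 "${workdir}/trufflehog" /usr/local/bin/trufflehog
          trufflehog --version
```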
3967 echo "" >> convert_to_sarif.py
4068 echo "try:" >> convert_to_sarif.py
4169 echo " with open('trufflehog-findings.json') as f:" >> convert_to_sarif.py
42- echo " findings = json.load(f) " >> convert_to_sarif.py
70+ echo " findings = [ json.loads(line) for line in f if line.strip()] " >> convert_to_sarif.py
4371 echo "except Exception as e:" >> convert_to_sarif.py
4472 echo " print('Failed to parse findings:', e)" >> convert_to_sarif.py
4573 echo " findings = []" >> convert_to_sarif.py
6290 echo "" >> convert_to_sarif.py
6391 echo "for finding in findings:" >> convert_to_sarif.py
6492 echo " reason = finding.get('reason', 'Secret detected')" >> convert_to_sarif.py
65- echo " rule_id = f\"trufflehog-{reason.replace(' ', '-')[:64]}\"" >> convert_to_sarif.py
93+ echo " path = finding.get('path', '')" >> convert_to_sarif.py
94+ echo " line = finding.get('line', 1)" >> convert_to_sarif.py
95+ echo " strings_found = ', '.join(finding.get('stringsFound', []))" >> convert_to_sarif.py
96+ echo " rule_id = f'trufflehog-{reason.replace(\" \", \"-\")[:64]}'" >> convert_to_sarif.py
6697 echo " if rule_id not in seen_rules:" >> convert_to_sarif.py
6798 echo " sarif['runs'][0]['tool']['driver']['rules'].append({" >> convert_to_sarif.py
6899 echo " 'id': rule_id," >> convert_to_sarif.py
@@ -72,11 +103,13 @@ jobs:
72103 echo " sarif['runs'][0]['results'].append({" >> convert_to_sarif.py
73104 echo " 'ruleId': rule_id," >> convert_to_sarif.py
74105 echo " 'level': 'warning'," >> convert_to_sarif.py
75- echo " 'message': {'text': reason}," >> convert_to_sarif.py
106+ echo " 'message': {" >> convert_to_sarif.py
107+ echo " 'text': f'{reason} in {path} at line {line}: {strings_found}'" >> convert_to_sarif.py
108+ echo " }," >> convert_to_sarif.py
76109 echo " 'locations': [{" >> convert_to_sarif.py
77110 echo " 'physicalLocation': {" >> convert_to_sarif.py
78- echo " 'artifactLocation': {'uri': finding.get(' path', '') }," >> convert_to_sarif.py
79- echo " 'region': {'startLine': 1 }" >> convert_to_sarif.py
111+ echo " 'artifactLocation': { 'uri': path }," >> convert_to_sarif.py
112+ echo " 'region': { 'startLine': line }" >> convert_to_sarif.py
80113 echo " }" >> convert_to_sarif.py
81114 echo " }]" >> convert_to_sarif.py
82115 echo " })" >> convert_to_sarif.py
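Review bot: The message text built at new line 107 interpolates `strings_found`, i.e. the raw matched secret values, into each SARIF result, so every credential the scanner finds is copied verbatim into the uploaded code-scanning alerts (and into the job log wherever the script's output is echoed), which spreads the secret to another store instead of containing it. Keep the location and detector in the message and leave the values in the local findings file, e.g. `'text': f'{reason} in {path} at line {line}'`, or report only the number of matches. `strings_found`, `path` and `line` are assigned in an earlier hunk, and the enclosing `for finding in findings:` loop starts outside this one; as this commit also switches from the v2 pip package to the v3 CLI, I believe the file path and line in v3 output sit under `SourceMetadata` rather than top-level `path`/`line` keys, which would make the `.get` fallbacks point every result at uri `''`, line 1 — worth confirming against one record of `trufflehog-findings.json`.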