Sub-workflow versioning feature #317
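---
# trufflehog.yml
# from https://github.com/trufflesecurity/trufflehog & https://github.com/trufflesecurity/trufflehog/pkgs/container/trufflehog
#
# Secret-scanning workflow, usable directly (push / pull_request) or as a
# reusable workflow (workflow_call). When called, the caller passes its event
# name as an input so the PR-only steps below can be selected; on a direct
# trigger the `inputs` context is empty, so the full-history scan runs.
name: Trufflehog secret scan

# yamllint disable-line rule:truthy
on:
  push:
  pull_request:
  workflow_call:
    inputs:
      github-event-name:
        description: 'GitHub event name (pass github.event_name from calling workflow for PR comment detection)'
        required: false
        type: string
        default: ''
      # NOTE(review): declared but not read by any step below — confirm whether
      # the caller still needs to pass it.
      github-branch-name:
        description: 'GitHub branch name (pass github.ref_name from calling workflow for branch-specific logic)'
        required: false
        type: string
        default: ''
      # NOTE(review): the only consumer of this input is the commented-out
      # "Check results" step at the bottom; today the scan steps fail the job
      # regardless of its value (continue-on-error is false on both).
      fail-trufflehog-on-secrets-found:
        description: 'Fail the pipeline if Trufflehog finds verified secrets'
        required: false
        type: boolean
        default: true

# Least privilege for GITHUB_TOKEN: the scan only needs to read the checkout.
permissions:
  contents: read

jobs:
  Trufflehog:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # Full history so the scan can walk every commit, not just HEAD.
          fetch-depth: 0

      - name: Setup git refs for PR scan
        if: ${{ inputs.github-event-name == 'pull_request' }}
        # The PR scan diffs against a local `main` ref, which a PR checkout does
        # not create on its own. Assumes the PR targets `main`.
        run: |
          git fetch origin main
          git branch main origin/main

      - name: TruffleHog Full secret scan
        id: trufflehog-full-scan
        if: ${{ inputs.github-event-name != 'pull_request' }}
        # NOTE(review): `@main` is a mutable ref, so the action code can change
        # underneath this workflow with no diff here. Pin to a release tag or a
        # full commit SHA (placeholder: trufflesecurity/trufflehog@<commit-sha>).
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
        # Step-level key, not an action input: a scan that reports secrets
        # fails this step and therefore the job.
        continue-on-error: false

      - name: TruffleHog PR secret scan
        id: trufflehog-pr-scan
        if: ${{ inputs.github-event-name == 'pull_request' }}
        # NOTE(review): same mutable-ref concern as the full scan above.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # Only commits between the PR base and its head are scanned.
          base: main
          head: HEAD
        continue-on-error: false

      # Kept for reference: an explicit result gate that would honour
      # `fail-trufflehog-on-secrets-found`. Not active.
      # - name: Check results and fail if secrets found
      #   if: ${{ always() && inputs.fail-trufflehog-on-secrets-found == true }}
      #   run: |
      #     # A failed TruffleHog step means secrets were found
      #     FULL_SCAN_RESULT="${{ steps.trufflehog-full-scan.outcome }}"
      #     PR_SCAN_RESULT="${{ steps.trufflehog-pr-scan.outcome }}"
      #     if [ "$FULL_SCAN_RESULT" == "failure" ] || [ "$PR_SCAN_RESULT" == "failure" ]; then
      #       echo ""
      #       echo "============================================"
      #       echo "❌ Trufflehog Secret Scan Failed"
      #       echo "============================================"
      #       exit 1
      #     else
      #       echo "✅ No secrets found"
      #     fi

# Candidate scanner flags, if needed later:
#   --only-verified --fail --github-actions --results=verified,unknown --branch dev
# TODO: org-wide scan needs a token; pass it from `secrets`, never as a literal
#       in this file: --org=progress --token=${{ secrets.GH_TOKEN }}
# TODO: if this is run on ad hoc workflow, we will scan all branches (need to pass in selected branch)
# TODO: store the output somewhere
# may have to run it as command line:
#   trufflehog --json <target_directory> > results/trufflehog_output.json
# or try to capture the output
# - name: Write output to file
#   run: echo "${{ steps.<previous_step_id>.outputs.<output_name> }}" > output.txt
# - name: Upload test coverage artifact
#   uses: actions/upload-artifact@v4
#   with:
#     name: trufflehog-output.json
#     path: results/trufflehog_output.json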