Skip to content
Secret Scan

build(deps): bump getsentry/github-workflows from b6d9e26d1c5bb01362670e13288b2284bab8cbf9 to c802283cd9075b7a2b7a32655019c21c21676e34 #9370

Sign in to view logs

build(deps): bump getsentry/github-workflows from b6d9e26d1c5bb01362670e13288b2284bab8cbf9 to c802283cd9075b7a2b7a32655019c21c21676e34

build(deps): bump getsentry/github-workflows from b6d9e26d1c5bb01362670e13288b2284bab8cbf9 to c802283cd9075b7a2b7a32655019c21c21676e34 #9370

Workflow file for this run

getsentry/.github/.github/workflows/secret-scan.yml at 27e4914d69656017b5a44ddcd451ffee9e250fe2
name: Secret Scan
on: [pull_request, merge_group]
jobs:
secret-scan:
name: Secret Scan
runs-on: ubuntu-latest
permissions:
contents: "read"
outputs:
latest_release: ${{ steps.trufflehog_release.outputs.latest_release }}
latest_tag_name: ${{ steps.trufflehog_release.outputs.latest_tag_name }}
steps:
- name: Checkout Code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Cosign
# v4 of the action install v3 of the CLI. v4 of the CLI will deprecate some features so be aware.
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
- name: Pin Trufflehog to a known good release
id: trufflehog_release
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
LATEST_TAG_NAME=$(gh api repos/trufflesecurity/trufflehog/releases --jq '.[1].tag_name')
if [[ -z "$LATEST_TAG_NAME" || "$LATEST_TAG_NAME" == "null" ]]; then
echo "::error::Failed to fetch TruffleHog release info"
exit 1
fi
echo "Using TruffleHog version: $LATEST_TAG_NAME"
echo "latest_tag_name=$LATEST_TAG_NAME" >> "$GITHUB_OUTPUT"
echo "latest_release=${LATEST_TAG_NAME#v}" >> "$GITHUB_OUTPUT"
- name: Download and verify TruffleHog release
run: |
curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem
curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig
curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz
cosign verify-blob trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt \
--certificate trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem \
--signature trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig \
--certificate-identity-regexp 'https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
sha256sum --ignore-missing -c trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
- name: Extract TruffleHog
run: |
tar xzf trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz -C /usr/local/bin
chmod +x /usr/local/bin/trufflehog
- name: Run TruffleHog scan
continue-on-error: true
id: scan
run: |
if [ -e .secret_scan_ignore ]; then
trufflehog git file://. --only-verified --github-actions --fail --exclude-paths=.secret_scan_ignore --exclude-detectors="datadogtoken"
else
trufflehog git file://. --only-verified --github-actions --fail --exclude-detectors="datadogtoken"
fi
- name: Send Alert to SIEM
id: alert
run: |
if [[ -n "${{vars.SECRET_SCAN_SIEM_WEBHOOK_URL}}" ]]; then
curl "${{vars.SECRET_SCAN_SIEM_WEBHOOK_URL}}" \
--data '{"event":"github_secret_scanning", "status":"${{steps.scan.outcome}}", "createdAt":"${{ github.event.pull_request.created_at }}", "repo":"${{ github.repository }}","pull_request":"https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}","actor":"${{ github.event.pull_request.user.login }}"}'
fi
- name: Fail workflow if secret detected
if: steps.scan.outcome != 'success'
run: exit 1