build(deps): bump getsentry/github-workflows from c802283cd9075b7a2b7a32655019c21c21676e34 to 4013fc6e1aeb1be1f9d3b4d232624f0ec1afa613 #9741
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Secret Scan | |
| on: [pull_request, merge_group] | |
| jobs: | |
| secret-scan: | |
| name: Secret Scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: "read" | |
| outputs: | |
| latest_release: ${{ steps.trufflehog_release.outputs.latest_release }} | |
| latest_tag_name: ${{ steps.trufflehog_release.outputs.latest_tag_name }} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Install Cosign | |
| # v4 of the action install v3 of the CLI. v4 of the CLI will deprecate some features so be aware. | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| - name: Pin Trufflehog to a known good release | |
| id: trufflehog_release | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| RELEASES=$(gh api repos/trufflesecurity/trufflehog/releases --jq '.[1:3][].tag_name') | |
| LATEST_TAG_NAME="" | |
| for tag in $RELEASES; do | |
| version="${tag#v}" | |
| url="https://github.com/trufflesecurity/trufflehog/releases/download/${tag}/trufflehog_${version}_linux_amd64.tar.gz" | |
| if curl --head --fail --silent --show-error --retry 2 --retry-delay 3 --retry-all-errors "$url" > /dev/null 2>&1; then | |
| LATEST_TAG_NAME="$tag" | |
| break | |
| fi | |
| echo "::warning::Release ${tag} assets unavailable, trying next" | |
| done | |
| if [[ -z "$LATEST_TAG_NAME" ]]; then | |
| echo "::error::No usable TruffleHog release found" | |
| exit 1 | |
| fi | |
| echo "Using TruffleHog version: $LATEST_TAG_NAME" | |
| echo "latest_tag_name=$LATEST_TAG_NAME" >> "$GITHUB_OUTPUT" | |
| echo "latest_release=${LATEST_TAG_NAME#v}" >> "$GITHUB_OUTPUT" | |
| - name: Download and verify TruffleHog release | |
| run: | | |
| curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt | |
| curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem | |
| curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig | |
| curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz | |
| cosign verify-blob trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt \ | |
| --certificate trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem \ | |
| --signature trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig \ | |
| --certificate-identity-regexp 'https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+' \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | |
| sha256sum --ignore-missing -c trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt | |
| - name: Extract TruffleHog | |
| run: | | |
| tar xzf trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz -C /usr/local/bin | |
| chmod +x /usr/local/bin/trufflehog | |
| - name: Run TruffleHog scan | |
| continue-on-error: true | |
| id: scan | |
| run: | | |
| if [ -e .secret_scan_ignore ]; then | |
| trufflehog git file://. --only-verified --github-actions --fail --exclude-paths=.secret_scan_ignore --exclude-detectors="datadogtoken" | |
| else | |
| trufflehog git file://. --only-verified --github-actions --fail --exclude-detectors="datadogtoken" | |
| fi | |
| - name: Send Alert to SIEM | |
| id: alert | |
| env: | |
| SIEM_WEBHOOK_URL: ${{ vars.SECRET_SCAN_SIEM_WEBHOOK_URL }} | |
| SCAN_OUTCOME: ${{ steps.scan.outcome }} | |
| REPO: ${{ github.repository }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| PR_CREATED_AT: ${{ github.event.pull_request.created_at }} | |
| PR_ACTOR: ${{ github.event.pull_request.user.login }} | |
| EVENT_ACTOR: ${{ github.actor }} | |
| run: | | |
| if [[ -z "$SIEM_WEBHOOK_URL" ]]; then | |
| exit 0 | |
| fi | |
| # On merge_group events there is no pull_request context, so PR-derived | |
| # fields are empty. Use current timestamp as next best effort. | |
| created_at="${PR_CREATED_AT:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}" | |
| actor="${PR_ACTOR:-$EVENT_ACTOR}" | |
| if [[ -n "$PR_NUMBER" ]]; then | |
| pull_request="https://github.com/${REPO}/pull/${PR_NUMBER}" | |
| else | |
| pull_request="" | |
| fi | |
| jq -n \ | |
| --arg event "github_secret_scanning" \ | |
| --arg status "$SCAN_OUTCOME" \ | |
| --arg createdAt "$created_at" \ | |
| --arg repo "$REPO" \ | |
| --arg pull_request "$pull_request" \ | |
| --arg actor "$actor" \ | |
| '{event: $event, status: $status, createdAt: $createdAt, repo: $repo, pull_request: $pull_request, actor: $actor}' \ | |
| | curl --fail --silent --show-error \ | |
| -H "Content-Type: application/json" \ | |
| --data @- \ | |
| "$SIEM_WEBHOOK_URL" \ | |
| || echo "::warning::SIEM alert failed (non-blocking)" | |
| - name: Fail workflow if secret detected | |
| if: ${{ !cancelled() && steps.scan.outcome != 'success' }} | |
| run: exit 1 |