-
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmsdo-trufflehog.yml
More file actions
133 lines (118 loc) · 6.17 KB
/
msdo-trufflehog.yml
File metadata and controls
133 lines (118 loc) · 6.17 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: msdo-secret-scanning-trufflehog
on:
workflow_call:
secrets:
GH_TOKEN:
required: false
workflow_dispatch:
jobs:
trufflehog-scan:
name: TruffleHog Secret Scan
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
actions: read
security-events: write
steps:
- name: Checkout repository
run: |
git clone https://github.com/${{ github.repository }} .
git checkout ${{ github.ref_name }}
- name: Install jq (if needed)
run: sudo apt-get install -y jq
- name: Install TruffleHog (v3+ CLI)
run: |
echo "Fetching latest TruffleHog release asset for Linux..."
ASSET_URL=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases/latest \
| jq -r '.assets[] | select(.name | test("linux_amd64.tar.gz$")) | .browser_download_url')
if [ -z "$ASSET_URL" ]; then
echo "Could not find Linux binary asset for TruffleHog. Exiting."
exit 1
fi
echo "Downloading from $ASSET_URL"
curl -sSL -o trufflehog.tar.gz "$ASSET_URL"
tar -xzf trufflehog.tar.gz
chmod +x trufflehog
file trufflehog
sudo mv trufflehog /usr/local/bin/
trufflehog --version
- name: Show files to be scanned
run: |
echo "Files that will be scanned:"
find . -type f \( -name "*.tf" -o -name "*.tfvars" -o -name "*.js" -o -name "*.jsx" -o -name "*.ts" -o -name "*.tsx" -o -name "*.py" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "*.bicep" -o -name "*.cs" -o -name "*.csproj" \)
- name: Run TruffleHog and generate JSON report
run: |
echo "\.terraform\.lock\.hcl$" > exclude-paths.txt
trufflehog filesystem . \
--json \
-x exclude-paths.txt \
> trufflehog-findings.json || true
- name: Convert TruffleHog findings to SARIF format
if: github.repository_visibility == 'public'
run: |
echo "import json" > convert_to_sarif.py
echo "" >> convert_to_sarif.py
echo "try:" >> convert_to_sarif.py
echo " with open('trufflehog-findings.json') as f:" >> convert_to_sarif.py
echo " findings = [json.loads(line) for line in f if line.strip()]" >> convert_to_sarif.py
echo "except Exception as e:" >> convert_to_sarif.py
echo " print('Failed to parse findings:', e)" >> convert_to_sarif.py
echo " findings = []" >> convert_to_sarif.py
echo "" >> convert_to_sarif.py
echo "sarif = {" >> convert_to_sarif.py
echo " 'version': '2.1.0'," >> convert_to_sarif.py
echo " 'runs': [{" >> convert_to_sarif.py
echo " 'tool': {" >> convert_to_sarif.py
echo " 'driver': {" >> convert_to_sarif.py
echo " 'name': 'TruffleHog'," >> convert_to_sarif.py
echo " 'informationUri': 'https://github.com/trufflesecurity/trufflehog'," >> convert_to_sarif.py
echo " 'rules': []" >> convert_to_sarif.py
echo " }" >> convert_to_sarif.py
echo " }," >> convert_to_sarif.py
echo " 'results': []" >> convert_to_sarif.py
echo " }]" >> convert_to_sarif.py
echo "}" >> convert_to_sarif.py
echo "" >> convert_to_sarif.py
echo "seen_rules = set()" >> convert_to_sarif.py
echo "" >> convert_to_sarif.py
echo "for finding in findings:" >> convert_to_sarif.py
echo " reason = finding.get('reason', 'Secret detected')" >> convert_to_sarif.py
echo " path = finding.get('path', '')" >> convert_to_sarif.py
echo " line = finding.get('line', 1)" >> convert_to_sarif.py
echo " strings_found = ', '.join(finding.get('stringsFound', []))" >> convert_to_sarif.py
echo " rule_id = f'trufflehog-{reason.replace(\" \", \"-\")[:64]}'" >> convert_to_sarif.py
echo " if rule_id not in seen_rules:" >> convert_to_sarif.py
echo " sarif['runs'][0]['tool']['driver']['rules'].append({" >> convert_to_sarif.py
echo " 'id': rule_id," >> convert_to_sarif.py
echo " 'name': reason" >> convert_to_sarif.py
echo " })" >> convert_to_sarif.py
echo " seen_rules.add(rule_id)" >> convert_to_sarif.py
echo " sarif['runs'][0]['results'].append({" >> convert_to_sarif.py
echo " 'ruleId': rule_id," >> convert_to_sarif.py
echo " 'level': 'warning'," >> convert_to_sarif.py
echo " 'message': {" >> convert_to_sarif.py
echo " 'text': f'{reason} in {path} at line {line}: {strings_found}'" >> convert_to_sarif.py
echo " }," >> convert_to_sarif.py
echo " 'locations': [{" >> convert_to_sarif.py
echo " 'physicalLocation': {" >> convert_to_sarif.py
echo " 'artifactLocation': { 'uri': path }," >> convert_to_sarif.py
echo " 'region': { 'startLine': line }" >> convert_to_sarif.py
echo " }" >> convert_to_sarif.py
echo " }]" >> convert_to_sarif.py
echo " })" >> convert_to_sarif.py
echo "" >> convert_to_sarif.py
echo "with open('trufflehog.sarif', 'w') as out:" >> convert_to_sarif.py
echo " json.dump(sarif, out)" >> convert_to_sarif.py
python3 convert_to_sarif.py
- name: Upload TruffleHog SARIF to GitHub Code Scanning
if: github.repository_visibility == 'public'
run: |
gzip -c trufflehog.sarif | base64 -w 0 > trufflehog.sarif.base64
encoded_sarif=$(cat trufflehog.sarif.base64)
curl -s -X POST \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "Accept: application/vnd.github+json" \
-H "Content-Type: application/json" \
https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
-d "{\"commit_sha\": \"${{ github.sha }}\",\"ref\": \"${{ github.ref }}\",\"sarif\": \"$encoded_sarif\",\"checkout_uri\": \"https://github.com/${{ github.repository }}\",\"tool_name\": \"TruffleHog\"}"