Use this action to detect secrets and sensitive information in the codebase with TruffleHog, an open-source secret scanning tool.
This action provides flexibility to allow users to either scan a local codebase, or provide a URL to scan a remote repository. When a repository URL is specified, the TruffleHog action examines the code directly from the specified repository. If no URL is provided, the action scans the code present in the local working directory.
| All CloudBees action repositories are listed at CloudBees, Inc. on GitHub. |
Inputs
| Input name | Data type | Required | Description |
|---|---|---|---|
|
string |
No |
The token for authentication. |
|
string |
No |
The URL of the Git repository to scan.
If |
|
string |
Yes |
The branch of the repository to scan.
If |
|
string |
No |
The path of the directory to scan.
If not specified, the standard CloudBees |
|
string |
No |
The commit hash or branch name to start the scan from. |
|
integer |
No |
The number threshold of very high severity vulnerabilities at which the build is broken. |
Usage examples
Add any of the below examples to your YAML file.
To scan a repository branch:
- name: Run TruffleHog code scan uses: cloudbees-io/trufflehog-secret-scan-code@v1 with: token: ${{ secrets.TOKEN }} repoUrl: ${{ repositoryUrl }} branch: ${{ branch }}
To scan a local codebase:
steps: - name: Check out source code uses: cloudbees-io/checkout@v1 - name: Run TruffleHog secret scan on local source code uses: cloudbees-io/trufflehog-secret-scan-code@v1 with: branch: ${{ cloudbees.scm.branch }}
To scan the entire history of a local codebase branch:
steps: - name: Check out source code uses: cloudbees-io/checkout@v1 with: fetch-depth: 0 # Fetch the full history - name: Run TruffleHog scan on full history uses: cloudbees-io/trufflehog-secret-scan-code@v1 with: branch: ${{ cloudbees.scm.branch }}
In the following example, if there are more than three very high severity vulnerabilities identified, the build is broken.
- name: Check out source code uses: cloudbees-io/checkout@v1 - name: Run TruffleHog secret scan with threshold uses: cloudbees-io/trufflehog-secret-scan-code@v1 with: branch: ${{ cloudbees.scm.branch }} threshold-very-high: 3
In the following example, a local codebase is scanned from a specified commit hash. Fetching the entire history is required for this usage.
- name: Check out source code uses: cloudbees-io/checkout@v1 with: fetch-depth: 0 # Fetch the full history - name: Run TruffleHog starting from commit uses: cloudbees-io/trufflehog-secret-scan-code@v1 with: branch: ${{ cloudbees.scm.branch }} since-commit: ${{ commit.hash }} # Scan starting point threshold-very-high: 3
In the following example, a local codebase is scanned from the last commit of the main branch up to the latest commit of the current branch.
Fetching the entire history is required for this usage.
- name: Check out source code uses: cloudbees-io/checkout@v1 with: fetch-depth: 0 # Fetch the full history - name: Run TruffleHog scan since a commit uses: cloudbees-io/trufflehog-secret-scan-code@v1 with: branch: ${{ cloudbees.scm.branch }} # Current branch since-commit: "main" # Scan starting point threshold-very-high: 3
To scan a given repository from a specified commit hash:
- name: Run TruffleHog code scan on a repo uses: cloudbees-io/trufflehog-secret-scan-code@v1 with: token: ${{ secrets.TOKEN }} repoUrl: ${{ repositoryUrl }} branch: ${{ branch }} since-commit: ${{ commit.hash }} # Scan starting point
In the example above, if both the since-commit and branch parameters are set to the same value, the scan detects no changes.
|