Use this action to scan Docker images with TruffleHog, an open-source secret scanning tool to detect secrets and sensitive information.
All CloudBees action repositories are listed at CloudBees, Inc. on GitHub. |
Prerequisites
This action requires prior authentication to the container registry, so you must invoke the Docker registry authentication action before invoking the TruffleHog container scan action. For more information, refer to the OCI credentials configuration action.
Inputs
Input name | Data type | Required | Description |
---|---|---|---|
|
String |
Yes |
Repository location of the Docker image. |
|
String |
Yes |
Tag of the Docker image. |
|
Integer |
No |
The number threshold of very high severity vulnerabilities at which the build is broken. |
|
String |
No |
Enables the verified flag to scan only verified secrets.
The default is |
[1] If Customers concerned about security implications involving third-party API calls should set the |
Usage examples
In your YAML file, add:
In the following example, if there are more than three very high severity vulnerabilities identified, the build is broken.
- name: Run TruffleHog container scan with threshold uses: cloudbees-io/trufflehog-secret-scan-container@v1 with: image-location: ${{ vars.IMAGE_LOCATION }} image-tag: ${{ vars.IMAGE_TAG }} threshold-very-high: 3
In the following example, only-verified
is set to false.
The returned secrets are not verified and might include false positives.
- name: Run TruffleHog container scan without verifying uses: cloudbees-io/trufflehog-secret-scan-container@v1 with: image-location: ${{ vars.IMAGE_LOCATION }} image-tag: ${{ vars.IMAGE_TAG }} threshold-very-high: 3 only-verified: false