CloudBees action: Scan containers with TruffleHog

2 minute read

Use this action to scan Docker images with TruffleHog, an open-source secret scanning tool to detect secrets and sensitive information.

All CloudBees action repositories are listed at CloudBees, Inc. on GitHub.

Prerequisites

This action requires prior authentication to the container registry, so you must invoke the Docker registry authentication action before invoking the TruffleHog container scan action. For more information, refer to the OCI credentials configuration action.

Inputs

Table 1. Input details
Input name Data type Required Description

image-location

String

Yes

Repository location of the Docker image.

image-tag

String

Yes

Tag of the Docker image.

threshold-very-high

Integer

No

The number threshold of very high severity vulnerabilities at which the build is broken.

only-verified

String

No

Enables the verified flag to scan only verified secrets. The default is true.[1]

[1] If only-verified is set to true, The TruffleHog tool may utilize an external third-party API to verify the secrets detected.

Customers concerned about security implications involving third-party API calls should set the only-verified value to false, which returns all the secrets without verification and might include false positives. Refer to the TruffleHog credential verification documentation for more information.

Usage examples

In your YAML file, add:

- name: Check out repo uses: actions/checkout@v1 - name: Sign in to OCI registry uses: cloudbees-io/configure-oci-credentials@v1 with: registry: ${{ vars.OCI_REGISTRY }} username: ${{ secrets.OCI_USERNAME }} password: ${{ secrets.OCI_PASSWORD }} - name: Run TruffleHog container scan uses: cloudbees-io/trufflehog-secret-scan-container@v1 with: image-location: ${{ vars.IMAGE_LOCATION }} image-tag: ${{ vars.IMAGE_TAG }}

In the following example, if there are more than three very high severity vulnerabilities identified, the build is broken.

- name: Run TruffleHog container scan with threshold uses: cloudbees-io/trufflehog-secret-scan-container@v1 with: image-location: ${{ vars.IMAGE_LOCATION }} image-tag: ${{ vars.IMAGE_TAG }} threshold-very-high: 3

In the following example, only-verified is set to false. The returned secrets are not verified and might include false positives.

- name: Run TruffleHog container scan without verifying uses: cloudbees-io/trufflehog-secret-scan-container@v1 with: image-location: ${{ vars.IMAGE_LOCATION }} image-tag: ${{ vars.IMAGE_TAG }} threshold-very-high: 3 only-verified: false