FireClover Secrets Scanner
General Usage
```yaml
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Secret Scanning
        uses: fc-actions/scan-secrets@v0.0.1
        with:
          extra_args: --results=verified,unknown
```
In the example config above, we're scanning for live secrets in all PRs and pushes to main. Only the code changes in the referenced commits are scanned, not the whole tree. If you'd like to scan an entire branch, see the "Advanced Usage: Scan entire branch" section below.
Shallow Cloning
If you're incorporating TruffleHog into a standalone workflow and aren't running any other CI/CD tooling alongside it, we recommend using a shallow clone to speed up your workflow. Here's an example of how to do it:
```yaml
...
      - shell: bash
        # Event data is passed in through env vars instead of being templated
        # straight into the script: commit messages and PR head branch names are
        # attacker-controlled, and a quote or $(...) inside them would otherwise
        # break the script or run inside the runner's shell.
        env:
          EVENT_NAME: ${{ github.event_name }}
          PUSH_COMMITS: ${{ toJson(github.event.commits) }}
          PUSH_BRANCH: ${{ github.ref_name }}
          PR_COMMITS: ${{ github.event.pull_request.commits }}
          PR_BRANCH: ${{ github.event.pull_request.head.ref }}
        run: |
          if [ "$EVENT_NAME" == "push" ]; then
            echo "depth=$(($(jq length <<< "$PUSH_COMMITS") + 2))" >> "$GITHUB_ENV"
            echo "branch=$PUSH_BRANCH" >> "$GITHUB_ENV"
          fi
          if [ "$EVENT_NAME" == "pull_request" ]; then
            echo "depth=$((PR_COMMITS + 2))" >> "$GITHUB_ENV"
            echo "branch=$PR_BRANCH" >> "$GITHUB_ENV"
          fi
      - uses: actions/checkout@v3
        with:
          ref: ${{ env.branch }}
          fetch-depth: ${{ env.depth }}
      - uses: fc-actions/scan-secrets@v0.0.1
        with:
          extra_args: --results=verified,unknown
...
```
Depending on the event type (push or pull request), we count the commits present in the event. Then we add 2, so that a base commit from before our code changes is also fetched. We pass that integer to the checkout action's fetch-depth input, together with the relevant branch. The checkout step should now be much faster.
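The same depth calculation as a standalone script, added here as an example that is not part of this action or of TruffleHog. It goes one step beyond the bash step above: GitHub's push payload lists at most 20 commits in event.commits, so for larger pushes the counted depth would stop short of the base commit; the script falls back to a full clone (fetch-depth 0) in that case. It assumes the standard GITHUB_EVENT_PATH, GITHUB_EVENT_NAME, GITHUB_REF_NAME and GITHUB_ENV variables that GitHub Actions sets for every step.

```python
"""Compute the checkout fetch-depth and ref for a shallow-clone secret scan.

Added example (not part of fc-actions/scan-secrets). Reads the workflow's
event payload like the bash step does, but also handles the case the bash
version silently gets wrong: a push payload is truncated at 20 commits.
"""
import json
import os

# GitHub truncates the `commits` array of a push event at 20 entries.
PUSH_PAYLOAD_COMMIT_CAP = 20


def checkout_params(event_name: str, event: dict, ref_name: str = "") -> tuple:
    """Return (fetch_depth, branch); depth 0 tells actions/checkout to fetch everything."""
    if event_name == "push":
        commits = event.get("commits") or []
        if len(commits) >= PUSH_PAYLOAD_COMMIT_CAP:
            # Payload may be truncated, so the real commit count is unknown:
            # fall back to a full clone rather than miss the base commit.
            return 0, ref_name
        return len(commits) + 2, ref_name
    if event_name == "pull_request":
        pr = event["pull_request"]
        # PR `commits` is the full count, not a truncated list.
        return int(pr["commits"]) + 2, pr["head"]["ref"]
    # Other triggers (workflow_dispatch, schedule, ...) have no commit range.
    return 0, ref_name


def write_github_env(depth: int, branch: str, env_file: str) -> None:
    """Export depth/branch to later steps via $GITHUB_ENV (one KEY=VALUE per line).

    Git ref names cannot contain newlines, so `branch` cannot inject extra lines.
    """
    with open(env_file, "a", encoding="utf-8") as fh:
        fh.write(f"depth={depth}\nbranch={branch}\n")


if __name__ == "__main__":
    with open(os.environ["GITHUB_EVENT_PATH"], encoding="utf-8") as fh:
        payload = json.load(fh)
    depth, branch = checkout_params(
        os.environ["GITHUB_EVENT_NAME"], payload, os.environ.get("GITHUB_REF_NAME", ""))
    write_github_env(depth, branch, os.environ["GITHUB_ENV"])
```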
Canary detection
TruffleHog statically detects Canarytokens (https://canarytokens.org/) and reports when they're present without triggering them. You can learn more here: https://trufflesecurity.com/canaries
Advanced Usage
```yaml
- name: TruffleHog
  uses: fc-actions/scan-secrets@v0.0.1
  with:
    # Repository path
    path:
    # Start scanning from here (usually main branch).
    base:
    # Scan commits until here (usually dev branch).
    head: # optional
    # Extra args to be passed to the trufflehog cli.
    extra_args: --log-level=2 --results=verified,unknown
```
If you'd like to set explicit base and head refs, you can use the base argument (the --since-commit flag in the TruffleHog CLI) and the head argument (the --branch flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases where the default behavior does not work.
Advanced Usage: Scan entire branch
```yaml
- name: scan-push
  uses: fc-actions/scan-secrets@v0.0.1
  with:
    base: ""
    head: ${{ github.ref_name }}
    extra_args: --results=verified,unknown
```