Use this action to detect secrets and sensitive information in the codebase with TruffleHog, an open-source secret scanning tool.
This action provides flexibility by allowing users to either scan a local codebase, or provide a URL to scan a remote repository. When a repository URL is specified, the TruffleHog action examines the code directly from the specified repository. If no URL is provided, the action scans the code present in the local working directory.
| Input name | Data type | Required | Description |
|---|---|---|---|
|
string |
No |
The token for authentication. |
|
string |
No |
The URL of the Git repository to scan.
If |
|
string |
Yes |
The branch of the repository to scan.
If |
|
string |
No |
The path of the directory to scan.
If not specified, the standard CloudBees |
|
string |
No |
The commit hash or branch name to start the scan from. |
|
integer |
No |
The number threshold of very high severity vulnerabilities at which the build is broken. |
Add any of the below examples to your YAML file.
To scan a repository branch:
- name: Run TruffleHog code scan
uses: cloudbees-io/trufflehog-secret-scan-code@v1
with:
token: ${{ secrets.TOKEN }}
repoUrl: ${{ repositoryUrl }}
branch: ${{ branch }}To scan a local codebase:
steps:
- name: Check out source code
uses: cloudbees-io/checkout@v1
- name: Run TruffleHog secret scan on local source code
uses: cloudbees-io/trufflehog-secret-scan-code@v1
with:
branch: ${{ cloudbees.scm.branch }}To scan the entire history of a local codebase branch:
steps:
- name: Check out source code
uses: cloudbees-io/checkout@v1
with:
fetch-depth: 0 # Fetch the full history
- name: Run TruffleHog scan on full history
uses: cloudbees-io/trufflehog-secret-scan-code@v1
with:
branch: ${{ cloudbees.scm.branch }}In the following example, if there are more than three very high severity vulnerabilities identified, the build is broken.
- name: Check out source code
uses: cloudbees-io/checkout@v1
- name: Run TruffleHog secret scan with threshold
uses: cloudbees-io/trufflehog-secret-scan-code@v1
with:
branch: ${{ cloudbees.scm.branch }}
threshold-very-high: 3In the following example, a local codebase is scanned from a specified commit hash. Fetching the entire history is required for this usage.
- name: Check out source code
uses: cloudbees-io/checkout@v1
with:
fetch-depth: 0 # Fetch the full history
- name: Run TruffleHog starting from commit
uses: cloudbees-io/trufflehog-secret-scan-code@v1
with:
branch: ${{ cloudbees.scm.branch }}
since-commit: ${{ commit.hash }} # Scan starting point
threshold-very-high: 3In the following example, a local codebase is scanned from the last commit of the main branch up to the latest commit of the current branch.
Fetching the entire history is required for this usage.
- name: Check out source code
uses: cloudbees-io/checkout@v1
with:
fetch-depth: 0 # Fetch the full history
- name: Run TruffleHog scan since a commit
uses: cloudbees-io/trufflehog-secret-scan-code@v1
with:
branch: ${{ cloudbees.scm.branch }} # Current branch
since-commit: "main" # Scan starting point
threshold-very-high: 3To scan a given repository from a specified commit hash:
- name: Run TruffleHog code scan on a repo
uses: cloudbees-io/trufflehog-secret-scan-code@v1
with:
token: ${{ secrets.TOKEN }}
repoUrl: ${{ repositoryUrl }}
branch: ${{ branch }}
since-commit: ${{ commit.hash }} # Scan starting point|
Note
|
In the example above, if both the since-commit and branch parameters are set to the same value, the scan detects no changes.
|
This code is made available under the MIT license.
-
Learn more about using actions in CloudBees workflows.
-
Learn about the CloudBees platform.