-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yml
59 lines (58 loc) · 2.82 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
apiVersion: automation.cloudbees.io/v1alpha1
kind: action
name: TruffleHog Secret Scan Code Action
inputs:
token:
required: false
description: 'The token in order to connect authenticate with source repository (Ex: Github PAT).'
repoUrl:
required: false
description: 'The URL of the Git repository to scan.'
branch:
required: true
description: 'The branch of the repository to scan.'
path:
required: false
description: 'The path of the directory to scan.'
since-commit:
required: false
description: 'The commit hash or branch name to start the scan from.'
threshold-very-high:
required: false
default: 999
description: 'The threshold for very high severity. Build will be broken if vulnerabilities with very high severity exceeds this threshold.'
threshold-high:
required: false
default: 999
description: 'The threshold for high severity. Build will be broken if vulnerabilities with high severity exceeds this threshold.'
threshold-medium:
required: false
default: 999
description: 'The threshold for medium severity. Build will be broken if vulnerabilities with medium severity exceeds this threshold.'
threshold-low:
required: false
default: 999
description: 'The threshold for low severity. Build will be broken if vulnerabilities with low severity exceeds this threshold.'
runs:
using: composite
steps:
- id: run-trufflehog-secret-scan-code
name: trufflehogsast
uses: docker://public.ecr.aws/l7o7z1g8/actions/trufflehog-secret-actions:main-743dd107fa541e3282333b332e17e95e09651456
shell: sh
env:
CONFIG_JSON: '{"metaInfo":{"repoUrl":"${{ inputs.repoUrl }}","branch":"${{ inputs.branch }}","token":"${{ inputs.token }}","path":"${{ inputs.path }}","sinceCommit":"${{ inputs.since-commit }}","toolName":"trufflehogsast"},"orchestratorInfo":{"assetType":"CODE","assetIdentifier":"${{ inputs.repoUrl || cloudbees.scm.repositoryUrl }}","profileIdentifier":"${{ inputs.branch || cloudbees.scm.branch }}"},"metaInformation":{"actor":"SCM-Bot","commit_id":"${{ cloudbees.scm.sha }}","tenent_info":"NA","scanner_type":"SAST"}}'
THRESHOLD_JSON: '{"veryHigh":${{ inputs.threshold-very-high }},"high":${{ inputs.threshold-high }},"medium":${{ inputs.threshold-medium }},"low":${{ inputs.threshold-low }}}'
RUN_ID: ${{ cloudbees.run_id }}
STEP_ID: ${{ step.internal.id }}
JOB_ID: ${{ job.id }}
DNS_URL: ${{ cloudbees.api.url }}
JWT_TOKEN: ${{ cloudbees.api.token }}
run: |
set -x
git config --global --add safe.directory '*'
echo "RUN ID: ${{ cloudbees.run_id }}"
echo "Job ID: ${{ job.id }}"
echo "Step ID: ${{ step.internal.id }}"
cd /app
./trufflehog_secret_scan_app scan -t 'CODE' -c "${CONFIG_JSON}" -r "${THRESHOLD_JSON}"