Use this action to scan Docker images with TruffleHog, an open-source secret scanning tool to detect secrets and sensitive information.
This action requires prior authentication to the container registry, so you must invoke the Docker registry authentication action before invoking the TruffleHog container scan action. For more information, refer to the OCI credentials configuration action.
Input name | Data type | Required | Description |
---|---|---|---|
|
string |
Yes |
Repository location of the Docker image. |
|
string |
Yes |
Tag of the Docker image. |
|
integer |
No |
The number threshold of very high severity vulnerabilities at which the build is broken. |
In your YAML file, add:
- name: Check out repo
uses: actions/checkout@v1
- name: Sign in to OCI registry
uses: cloudbees-io/configure-oci-credentials@v1
with:
registry: ${{ vars.OCI_REGISTRY }}
username: ${{ secrets.OCI_USERNAME }}
password: ${{ secrets.OCI_PASSWORD }}
- name: Run TruffleHog container scan
uses: cloudbees-io/trufflehog-secret-scan-container@v1
with:
image-location: ${{ vars.IMAGE_LOCATION }}
image-tag: ${{ vars.IMAGE_TAG }}
In the following example, if there are more than three very high severity vulnerabilities identified, the build is broken.
- name: Run TruffleHog container scan with threshold
uses: cloudbees-io/trufflehog-secret-scan-container@v1
with:
image-location: ${{ vars.IMAGE_LOCATION }}
image-tag: ${{ vars.IMAGE_TAG }}
threshold-very-high: 3
This code is made available under the MIT license.
-
Learn more about using actions in CloudBees workflows.
-
Learn about the CloudBees platform.