From 5d71b81c1a3dd00e0dd13deb673e353601aa36ed Mon Sep 17 00:00:00 2001
From: ms280690
Date: Sat, 27 Dec 2025 16:10:04 -0800
Subject: [PATCH 01/30] test detect secrets
Signed-off-by: ms280690
---
.github/actions/detect-secrets/action.yaml | 110 +++++++++++++++++++++
.github/workflows/detect-secrets.yaml | 14 +++
2 files changed, 124 insertions(+)
create mode 100644 .github/actions/detect-secrets/action.yaml
create mode 100644 .github/workflows/detect-secrets.yaml
diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml
new file mode 100644
index 0000000..5e6e593
--- /dev/null
+++ b/.github/actions/detect-secrets/action.yaml
@@ -0,0 +1,110 @@ +name: Secrets Scan +description: Scan the repository for secrets using multiple tools +runs: + using: "composite" + steps: + - uses: actions/checkout@v6.0.1 + with: + fetch-depth: 0 + + - name: Setup Python + uses: actions/setup-python@v6.0.1 + with: + python-version: "3.12" + + - name: Install jq + shell: bash + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Install detect-secrets + shell: bash + run: pip install detect-secrets + + - name: Install git-secrets + shell: bash + run: | + git clone https://github.com/awslabs/git-secrets.git + cd git-secrets + sudo make install + cd .. + + - name: Run Gitleaks + uses: gitleaks/gitleaks-action@v2.3.9 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Run TruffleHog + id: trufflehog + continue-on-error: true + uses: trufflesecurity/trufflehog@main + with: + path: ./ + base: ${{ github.event.repository.default_branch }} + head: HEAD + extra_args: --debug --only-verified + + - name: TruffleHog Results Status + shell: bash + if: steps.trufflehog.outcome == 'failure' + run: exit 1 + + - name: Run detect-secrets + shell: bash + run: | + output=$(detect-secrets scan --all-files --json) + num_secrets=$(echo "$output" | jq '.results | length') + if [ "$num_secrets" -gt 0 ]; then + echo "Secrets found by detect-secrets:" + echo "$output" + exit 1 + fi + + - name: Run git-secrets + shell: bash + run: git secrets --scan -r . 
+ + - name: Install Talisman + shell: bash + run: bash -c "$(curl --silent https://raw.githubusercontent.com/thoughtworks/talisman/main/install.sh)" + + - name: Run Talisman + shell: bash + run: | + talisman --scan + if [ -f talisman_reports/data/report.json ]; then + report=$(cat talisman_reports/data/report.json) + num_failures=$(echo "$report" | jq '.failures // [] | length') + if [ "$num_failures" -gt 0 ]; then + echo "Secrets found by Talisman:" + echo "$report" + exit 1 + fi + fi + + - name: Install dependencies for credential-digger + shell: bash + run: sudo apt install -y build-essential python3-dev + + - name: Install credential-digger + shell: bash + run: pip install credentialdigger + + - name: Download rules for credential-digger + shell: bash + run: curl -O https://raw.githubusercontent.com/SAP/credential-digger/main/ui/backend/rules.yml + + - name: Add rules for credential-digger + shell: bash + run: credentialdigger add_rules --sqlite /tmp/cred.db ./rules.yml + + - name: Run credential-digger + shell: bash + run: credentialdigger scan . --sqlite /tmp/cred.db --models PathModel PasswordModel + + - name: Install kingfisher + shell: bash + run: curl --silent --location https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash + + - name: Run kingfisher + shell: bash + run: kingfisher scan . diff --git a/.github/workflows/detect-secrets.yaml b/.github/workflows/detect-secrets.yaml new file mode 100644 index 0000000..b615e98 --- /dev/null +++ b/.github/workflows/detect-secrets.yaml @@ -0,0 +1,14 @@ +name: Secrets Scan Workflow +on: + push: + branches: + - detect-secrets + pull_request: + branches: + - detect-secrets + +jobs: + scan: + runs-on: ubuntu-latest + steps: + - uses: ./.github/actions/detect-secrets \ No newline at end of file From da054c1cda4042a05aa8e0e815c0907916a56908 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:10:42 -0800 Subject: [PATCH 02/30] add branch 
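Review bot: Every tool this composite action installs comes from an unpinned, unverified source — `git clone https://github.com/awslabs/git-secrets.git` followed by `sudo make install`, `bash -c "$(curl … talisman/main/install.sh)"`, `curl … install-kingfisher.sh | bash`, the credential-digger `rules.yml` fetched from `main`, an unpinned `pip install detect-secrets`, and `uses: trufflesecurity/trufflehog@main` — so whatever sits on those default branches at run time executes with the full-history checkout and `GITHUB_TOKEN` in hand. A secrets scanner is precisely the job an attacker would want to subvert, so pin each tool to a release tag or commit SHA (`git clone --branch <tag> --depth 1`, `pip install detect-secrets==<ver>`, `trufflesecurity/trufflehog@<sha> # vX.Y.Z`) and verify published checksums before executing any downloaded installer. The `--debug` in TruffleHog's `extra_args` also turns on verbose logging that a gate does not need and that makes the job log noisier to audit; drop it.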
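Review bot: The workflow's `push` and `pull_request` triggers are filtered to the `detect-secrets` branch only, so once this branch is merged the scan will never run again and nothing gates the default branch or incoming pull requests. If this is deliberate scaffolding while the action is tuned, a comment above `on:` should say so (`# temporary: restrict to the feature branch until the scanners are stable`); otherwise target the default branch, e.g. `branches: [main]`, or drop the branch filter on `pull_request` so every PR is scanned.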
Signed-off-by: ms280690 --- .github/workflows/detect-secrets.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/detect-secrets.yaml b/.github/workflows/detect-secrets.yaml index b615e98..d673eb6 100644 --- a/.github/workflows/detect-secrets.yaml +++ b/.github/workflows/detect-secrets.yaml @@ -11,4 +11,4 @@ jobs: scan: runs-on: ubuntu-latest steps: - - uses: ./.github/actions/detect-secrets \ No newline at end of file + - uses: ./.github/actions/detect-secrets@detect-secrets \ No newline at end of file From 6318dac9e3176f05ca12ddbdb405883f42c3a1e1 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:11:37 -0800 Subject: [PATCH 03/30] add file name Signed-off-by: ms280690 --- .github/workflows/detect-secrets.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/detect-secrets.yaml b/.github/workflows/detect-secrets.yaml index d673eb6..f051e13 100644 --- a/.github/workflows/detect-secrets.yaml +++ b/.github/workflows/detect-secrets.yaml @@ -11,4 +11,4 @@ jobs: scan: runs-on: ubuntu-latest steps: - - uses: ./.github/actions/detect-secrets@detect-secrets \ No newline at end of file + - uses: ./.github/actions/detect-secrets/action.yaml@detect-secrets \ No newline at end of file From e76f97155d833f3bbc7ddc8d65b6c3ee665544a4 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:13:50 -0800 Subject: [PATCH 04/30] checkout Signed-off-by: ms280690 --- .github/workflows/detect-secrets.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/detect-secrets.yaml b/.github/workflows/detect-secrets.yaml index f051e13..4d60580 100644 --- a/.github/workflows/detect-secrets.yaml +++ b/.github/workflows/detect-secrets.yaml 
@@ -11,4 +11,5 @@ jobs: scan: runs-on: ubuntu-latest steps: - - uses: ./.github/actions/detect-secrets/action.yaml@detect-secrets \ No newline at end of file + - uses: actions/checkout@v6.0.1 + - uses: ./.github/actions/detect-secrets \ No newline at end of file From a68c58a5e4e47e8802381a4a8da8258736796023 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:15:10 -0800 Subject: [PATCH 05/30] add permissions Signed-off-by: ms280690 --- .github/workflows/detect-secrets.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/detect-secrets.yaml b/.github/workflows/detect-secrets.yaml index 4d60580..6663a9a 100644 --- a/.github/workflows/detect-secrets.yaml +++ b/.github/workflows/detect-secrets.yaml @@ -7,6 +7,11 @@ on: branches: - detect-secrets +permissions: + contents: read + id-token: write + pull-requests: write + jobs: scan: runs-on: ubuntu-latest From 649f7a72795b9e0aefa1d32457ff34e18fd54096 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:16:09 -0800 Subject: [PATCH 06/30] add gh token Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 7 ++++++- .github/workflows/detect-secrets.yaml | 4 +++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 5e6e593..97eb858 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -1,5 +1,10 @@ name: Secrets Scan description: Scan the repository for secrets using multiple tools +inputs: + github-token: + description: GitHub token for authentication + required: false + default: ${{ github.token }} runs: using: "composite" steps: @@ -31,7 +36,7 @@ runs: - name: Run Gitleaks uses: gitleaks/gitleaks-action@v2.3.9 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ inputs.github-token }} - name: Run TruffleHog id: trufflehog 
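Review bot: `id-token: write` in the new `permissions:` block hands the job an OIDC token that nothing in this workflow or the composite action requests, and `pull-requests: write` is wider than a scanner needs unless it is meant to let gitleaks-action post PR comments. Least privilege for a read-only scan is `contents: read` alone; keep `pull-requests: write` only if PR comments are actually wanted, with a comment saying which step needs it, and remove `id-token: write`. Note also that on `pull_request` runs from forks the default token is read-only regardless, so any write-dependent feature will silently not apply there.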
diff --git a/.github/workflows/detect-secrets.yaml b/.github/workflows/detect-secrets.yaml index 6663a9a..c030ed3 100644 --- a/.github/workflows/detect-secrets.yaml +++ b/.github/workflows/detect-secrets.yaml @@ -17,4 +17,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6.0.1 - - uses: ./.github/actions/detect-secrets \ No newline at end of file + - uses: ./.github/actions/detect-secrets + with: + github-token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From ca1e2b202ad2ad86f58c9147ff1e2d3484988bda Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:16:55 -0800 Subject: [PATCH 07/30] correct version Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 97eb858..56cfd1f 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -13,7 +13,7 @@ runs: fetch-depth: 0 - name: Setup Python - uses: actions/setup-python@v6.0.1 + uses: actions/setup-python@v6.1.0 with: python-version: "3.12" From e7b2d7545b659988dc2758724645ae870520dd07 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:21:19 -0800 Subject: [PATCH 08/30] gitleaks license key Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 1 + .github/workflows/detect-secrets.yaml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 56cfd1f..4636d05 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -37,6 +37,7 @@ runs: uses: gitleaks/gitleaks-action@v2.3.9 env: GITHUB_TOKEN: ${{ inputs.github-token }} + GITLEAKS_LICENSE: ${{ input.gitleaks_license }} - name: Run TruffleHog id: trufflehog 
diff --git a/.github/workflows/detect-secrets.yaml b/.github/workflows/detect-secrets.yaml index c030ed3..903538e 100644 --- a/.github/workflows/detect-secrets.yaml +++ b/.github/workflows/detect-secrets.yaml @@ -19,4 +19,5 @@ jobs: - uses: actions/checkout@v6.0.1 - uses: ./.github/actions/detect-secrets with: - github-token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + github-token: ${{ secrets.GITHUB_TOKEN }} + gitleaks_license: ${{ secrets.GITLEAKS_LICENSE }} \ No newline at end of file From a2c063fc2aca555e4452404a97c5badea3955fa3 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:24:08 -0800 Subject: [PATCH 09/30] correct spelling Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 8 ++++++-- .github/workflows/detect-secrets.yaml | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 4636d05..957037e 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -3,8 +3,12 @@ description: Scan the repository for secrets using multiple tools inputs: github-token: description: GitHub token for authentication - required: false + required: true default: ${{ github.token }} + gitleaks-license: + description: Gitleaks license key for enterprise features + required: true + default: "" runs: using: "composite" steps: @@ -37,7 +41,7 @@ runs: uses: gitleaks/gitleaks-action@v2.3.9 env: GITHUB_TOKEN: ${{ inputs.github-token }} - GITLEAKS_LICENSE: ${{ input.gitleaks_license }} + GITLEAKS_LICENSE: ${{ inputs.gitleaks-license }} - name: Run TruffleHog id: trufflehog diff --git a/.github/workflows/detect-secrets.yaml b/.github/workflows/detect-secrets.yaml index 903538e..9a5b1c8 100644 --- a/.github/workflows/detect-secrets.yaml +++ b/.github/workflows/detect-secrets.yaml 
@@ -20,4 +20,4 @@ jobs: - uses: ./.github/actions/detect-secrets with: github-token: ${{ secrets.GITHUB_TOKEN }} - gitleaks_license: ${{ secrets.GITLEAKS_LICENSE }} \ No newline at end of file + gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }} \ No newline at end of file From 054e3508de8a46bb1b7eaae60fee7894e6001774 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:31:50 -0800 Subject: [PATCH 10/30] correct flags Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 957037e..c0bc365 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -61,7 +61,7 @@ runs: - name: Run detect-secrets shell: bash run: | - output=$(detect-secrets scan --all-files --json) + output=$(detect-secrets scan --all-files --force-use-all-plugins) num_secrets=$(echo "$output" | jq '.results | length') if [ "$num_secrets" -gt 0 ]; then echo "Secrets found by detect-secrets:" From 526aae37808be1a5eb854d806d1daf051ba26cc3 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:33:30 -0800 Subject: [PATCH 11/30] continue Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index c0bc365..8d4780d 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -66,7 +66,6 @@ runs: if [ "$num_secrets" -gt 0 ]; then echo "Secrets found by detect-secrets:" echo "$output" - exit 1 fi - name: Run git-secrets From 280de7cceea8a7be9c40702e99198604fedd3d3f Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:34:50 -0800 Subject: [PATCH 12/30] continue 
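Review bot: Deleting `exit 1` turns the detect-secrets step from a gate into a log line — findings are still echoed, but the job now passes with secrets present and nothing downstream consumes `$num_secrets`. If report-only is the intent while the pipeline is being tuned, say so above the step (`# report-only: findings do not fail the job yet`) so the next reader does not assume the scan blocks merges; otherwise restore the non-zero exit, or adopt a committed `.secrets.baseline` with `detect-secrets scan --baseline` so only new findings fail. Echoing the full output is acceptable here as far as I recall, since detect-secrets emits `hashed_secret` values rather than raw strings, but that assumption is worth stating in the same comment.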
Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 8d4780d..78b3629 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -86,7 +86,6 @@ runs: if [ "$num_failures" -gt 0 ]; then echo "Secrets found by Talisman:" echo "$report" - exit 1 fi fi From 0818282d3b949130c7b335686bbc5c48c53d980d Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:36:52 -0800 Subject: [PATCH 13/30] correct path Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 78b3629..62ee626 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -80,8 +80,8 @@ runs: shell: bash run: | talisman --scan - if [ -f talisman_reports/data/report.json ]; then - report=$(cat talisman_reports/data/report.json) + if [ -f talisman_report/talisman_reports/data/report.json ]; then + report=$(cat talisman_report/talisman_reports/data/report.json) num_failures=$(echo "$report" | jq '.failures // [] | length') if [ "$num_failures" -gt 0 ]; then echo "Secrets found by Talisman:" From ef79aba5881b4552fd5865b3e088ca2e77caa294 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 16:48:13 -0800 Subject: [PATCH 14/30] continue Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 62ee626..d777ddb 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml 
@@ -77,9 +77,10 @@ runs: run: bash -c "$(curl --silent https://raw.githubusercontent.com/thoughtworks/talisman/main/install.sh)" - name: Run Talisman + continue-on-error: true shell: bash run: | - talisman --scan + talisman --scan || true if [ -f talisman_report/talisman_reports/data/report.json ]; then report=$(cat talisman_report/talisman_reports/data/report.json) num_failures=$(echo "$report" | jq '.failures // [] | length') From 263320e2f7d5b5bae28a1dadbad65dcb6367f30b Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 17:07:11 -0800 Subject: [PATCH 15/30] formatting, reporting, better desc Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 62 +++++++++++++++++----- 1 file changed, 49 insertions(+), 13 deletions(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index d777ddb..7fbf858 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -1,5 +1,14 @@ -name: Secrets Scan -description: Scan the repository for secrets using multiple tools +name: Detect Secrets Action +description: | + Scan the repository for secrets using the following tools: + 1. Gitleaks: https://github.com/gitleaks/gitleaks + 2. TruffleHog: https://github.com/trufflesecurity/trufflehog + 3. detect-secrets: https://github.com/Yelp/detect-secrets + 4. git-secrets: https://github.com/awslabs/git-secrets + 5. Talisman: https://github.com/thoughtworks/talisman + 6. credential-digger: https://github.com/SAP/credential-digger + 7. kingfisher: https://github.com/mongodb/kingfisher + inputs: github-token: description: GitHub token for authentication @@ -9,6 +18,7 @@ inputs: description: Gitleaks license key for enterprise features required: true default: "" + runs: using: "composite" steps: 
@@ -16,6 +26,10 @@ runs: with: fetch-depth: 0 + - name: Prepare report directory + shell: bash + run: mkdir -p secrets_report + - name: Setup Python uses: actions/setup-python@v6.1.0 with: @@ -39,6 +53,7 @@ runs: - name: Run Gitleaks uses: gitleaks/gitleaks-action@v2.3.9 + continue-on-error: true env: GITHUB_TOKEN: ${{ inputs.github-token }} GITLEAKS_LICENSE: ${{ inputs.gitleaks-license }} @@ -59,18 +74,19 @@ runs: run: exit 1 - name: Run detect-secrets + continue-on-error: true shell: bash run: | - output=$(detect-secrets scan --all-files --force-use-all-plugins) - num_secrets=$(echo "$output" | jq '.results | length') + detect-secrets scan --all-files --force-use-all-plugins > secrets_report/detect_secrets.json + num_secrets=$(jq '.results | length' secrets_report/detect_secrets.json) if [ "$num_secrets" -gt 0 ]; then - echo "Secrets found by detect-secrets:" - echo "$output" + echo "Secrets found by detect-secrets: $num_secrets" fi - name: Run git-secrets + continue-on-error: true shell: bash - run: git secrets --scan -r . + run: git secrets --scan -r . | tee secrets_report/git_secrets.txt - name: Install Talisman shell: bash @@ -82,11 +98,10 @@ runs: run: | talisman --scan || true if [ -f talisman_report/talisman_reports/data/report.json ]; then - report=$(cat talisman_report/talisman_reports/data/report.json) - num_failures=$(echo "$report" | jq '.failures // [] | length') + cp talisman_report/talisman_reports/data/report.json secrets_report/talisman.json + num_failures=$(jq '.failures // [] | length' secrets_report/talisman.json) if [ "$num_failures" -gt 0 ]; then - echo "Secrets found by Talisman:" - echo "$report" + echo "Secrets found by Talisman: $num_failures" fi fi 
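Review bot: `git secrets --scan -r . | tee secrets_report/git_secrets.txt` discards git-secrets' exit status (no `pipefail`), and with `continue-on-error: true` now on Gitleaks, detect-secrets, git-secrets and Talisman the job can no longer fail on any finding — only the TruffleHog status step still exits 1. If that report-only mode is intended, a comment at the top of `runs:` stating it would prevent the scan being mistaken for a merge gate; otherwise add `set -o pipefail` to the shell steps and a final step that fails when any report is non-empty. Separately, `secrets_report/` is created inside the checkout before the scanners run, so each later tool re-scans the earlier tools' raw output and will report the same strings again — create it under `$RUNNER_TEMP` or exclude it from every scan.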
@@ -107,13 +122,34 @@ runs: run: credentialdigger add_rules --sqlite /tmp/cred.db ./rules.yml - name: Run credential-digger + continue-on-error: true shell: bash - run: credentialdigger scan . --sqlite /tmp/cred.db --models PathModel PasswordModel + run: | + credentialdigger scan . --sqlite /tmp/cred.db --models PathModel PasswordModel + cp /tmp/cred.db secrets_report/credential_digger.db || true + [ -f rules.yml ] && cp rules.yml secrets_report/ || true - name: Install kingfisher shell: bash run: curl --silent --location https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash - name: Run kingfisher + continue-on-error: true shell: bash - run: kingfisher scan . + run: kingfisher scan . | tee secrets_report/kingfisher.txt + + - name: Install TruffleHog CLI + continue-on-error: true + shell: bash + run: pip install trufflehog + + - name: Run TruffleHog CLI (JSON) + continue-on-error: true + shell: bash + run: trufflehog filesystem --json . > secrets_report/trufflehog.json + + - name: Upload combined results artifact + uses: actions/upload-artifact@v4 + with: + name: secrets-scan-results + path: secrets_report From 1bc199993776c88dc2ccd763c7d806fcc8598aba Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 18:28:51 -0800 Subject: [PATCH 16/30] add specific version Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 7fbf858..b120260 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -33,7 +33,7 @@ runs: - name: Setup Python uses: actions/setup-python@v6.1.0 with: - python-version: "3.12" + python-version: "3.12.12" - name: Install jq shell: bash From a72679d81045beabc20bea9af8b011536a443687 Mon Sep 17 00:00:00 2001 
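Review bot: `actions/upload-artifact` publishes `secrets_report/` — which now holds `trufflehog.json` produced with `--only-verified` (i.e. live, confirmed credentials), the `credential_digger.db` store and the raw `kingfisher`/`git-secrets` output — as a downloadable artifact that anyone with read access to the repository can fetch (on a public repository, everyone). This converts a scanner finding into a credential disclosure; either do not upload raw tool output, redact the secret-bearing fields first (TruffleHog's `Raw`/`RawV2`, the matched text in the other reports), or at the very least set `retention-days: 1` and document who is expected to pull the artifact. The new `pip install trufflehog` also appears to install the legacy Python package from PyPI rather than the Go v3 tool that `trufflehog filesystem --json` expects, so that step is unlikely to behave as written; pin a v3 release instead.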
From: ms280690 Date: Sat, 27 Dec 2025 18:29:14 -0800 Subject: [PATCH 17/30] fix flags for reporting Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 25 ++++++++++++---------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index b120260..d7061ac 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -66,7 +66,7 @@ runs: path: ./ base: ${{ github.event.repository.default_branch }} head: HEAD - extra_args: --debug --only-verified + extra_args: filesystem --only-verified - name: TruffleHog Results Status shell: bash @@ -77,11 +77,7 @@ runs: continue-on-error: true shell: bash run: | - detect-secrets scan --all-files --force-use-all-plugins > secrets_report/detect_secrets.json - num_secrets=$(jq '.results | length' secrets_report/detect_secrets.json) - if [ "$num_secrets" -gt 0 ]; then - echo "Secrets found by detect-secrets: $num_secrets" - fi + detect-secrets scan --force-use-all-plugins > secrets_report/detect_secrets.json - name: Run git-secrets continue-on-error: true @@ -138,15 +134,22 @@ runs: shell: bash run: kingfisher scan . | tee secrets_report/kingfisher.txt - - name: Install TruffleHog CLI + - name: Run TruffleHog OSS (JSON Export) continue-on-error: true - shell: bash - run: pip install trufflehog + uses: TruffleHog/trufflehog-oss-action@main + with: + path: ./ + base: ${{ github.event.repository.default_branch }} + head: HEAD + extra_args: --json - - name: Run TruffleHog CLI (JSON) + - name: Copy TruffleHog JSON Report continue-on-error: true shell: bash - run: trufflehog filesystem --json . > secrets_report/trufflehog.json + run: | + if [ -f "${{ runner.temp }}/trufflehog-report.json" ]; then + cp "${{ runner.temp }}/trufflehog-report.json" secrets_report/trufflehog.json + fi - name: Upload combined results artifact uses: actions/upload-artifact@v4 
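Review bot: `uses: TruffleHog/trufflehog-oss-action@main` (like the `trufflesecurity/trufflehog@main` above it) runs whatever the upstream default branch contains at job time, on a runner holding the checkout, the token and the collected `secrets_report/`; pin both to a full commit SHA with a version comment, e.g. `uses: trufflesecurity/trufflehog@<sha> # v3.92.4`. The `base`/`head` inputs configure git-diff scanning while `extra_args: filesystem --only-verified` asks for filesystem mode — as far as I understand the action joins these into one command line, so one of the two is ignored or the invocation is invalid; pick one mode. The copy step assumes the action writes `trufflehog-report.json` into `runner.temp`, which I cannot confirm from this hunk; note the expected path in a comment so a silent "report not found" is recognised as a configuration error rather than a clean scan.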
From 69572e7c0684a053a1ebfbf9d86a443f830b1d3a Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 18:30:27 -0800 Subject: [PATCH 18/30] fix action Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index d7061ac..be25d9e 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -61,7 +61,7 @@ runs: - name: Run TruffleHog id: trufflehog continue-on-error: true - uses: trufflesecurity/trufflehog@main + uses: trufflesecurity/trufflehog@v3.92.4 with: path: ./ base: ${{ github.event.repository.default_branch }} From a4586041c33f778d8be4bbb3c586569d8688b078 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 18:39:25 -0800 Subject: [PATCH 19/30] fix trufflehog Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 25 ++++++---------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index be25d9e..ecea61b 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -58,21 +58,6 @@ runs: GITHUB_TOKEN: ${{ inputs.github-token }} GITLEAKS_LICENSE: ${{ inputs.gitleaks-license }} - - name: Run TruffleHog - id: trufflehog - continue-on-error: true - uses: trufflesecurity/trufflehog@v3.92.4 - with: - path: ./ - base: ${{ github.event.repository.default_branch }} - head: HEAD - extra_args: filesystem --only-verified - - - name: TruffleHog Results Status - shell: bash - if: steps.trufflehog.outcome == 'failure' - run: exit 1 - - name: Run detect-secrets continue-on-error: true shell: bash 
@@ -136,19 +121,21 @@ runs: - name: Run TruffleHog OSS (JSON Export) continue-on-error: true - uses: TruffleHog/trufflehog-oss-action@main + uses: trufflesecurity/trufflehog@v3.92.4 with: path: ./ base: ${{ github.event.repository.default_branch }} head: HEAD - extra_args: --json + extra_args: filesystem --only-verified --github-actions --json - name: Copy TruffleHog JSON Report continue-on-error: true shell: bash run: | - if [ -f "${{ runner.temp }}/trufflehog-report.json" ]; then - cp "${{ runner.temp }}/trufflehog-report.json" secrets_report/trufflehog.json + if [ -f "$RUNNER_TEMP/trufflehog-report.json" ]; then + cp "$RUNNER_TEMP/trufflehog-report.json" secrets_report/trufflehog.json + else + echo "TruffleHog JSON report not found in $RUNNER_TEMP" fi - name: Upload combined results artifact From 371720f9325b0c7752f3340e9f448aef2b8ab6bb Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 18:42:49 -0800 Subject: [PATCH 20/30] correct flags Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index ecea61b..aa99a80 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -126,7 +126,7 @@ runs: path: ./ base: ${{ github.event.repository.default_branch }} head: HEAD - extra_args: filesystem --only-verified --github-actions --json + extra_args: --only-verified --json - name: Copy TruffleHog JSON Report continue-on-error: true From eb9ced3bf0b400390e212fed3941587a1e29f8e6 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 19:14:08 -0800 Subject: [PATCH 21/30] fix order and reporting Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 43 +++++++++++----------- 1 file changed, 21 insertions(+), 22 deletions(-) 
diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index aa99a80..692e961 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -43,6 +43,12 @@ runs: shell: bash run: pip install detect-secrets + - name: Run detect-secrets + continue-on-error: true + shell: bash + run: | + detect-secrets scan --force-use-all-plugins > secrets_report/detect_secrets.json + - name: Install git-secrets shell: bash run: | @@ -51,6 +57,11 @@ runs: sudo make install cd .. + - name: Run git-secrets + continue-on-error: true + shell: bash + run: git secrets --scan -r . | tee secrets_report/git_secrets.txt + - name: Run Gitleaks uses: gitleaks/gitleaks-action@v2.3.9 continue-on-error: true @@ -58,17 +69,6 @@ runs: GITHUB_TOKEN: ${{ inputs.github-token }} GITLEAKS_LICENSE: ${{ inputs.gitleaks-license }} - - name: Run detect-secrets - continue-on-error: true - shell: bash - run: | - detect-secrets scan --force-use-all-plugins > secrets_report/detect_secrets.json - - - name: Run git-secrets - continue-on-error: true - shell: bash - run: git secrets --scan -r . | tee secrets_report/git_secrets.txt - - name: Install Talisman shell: bash run: bash -c "$(curl --silent https://raw.githubusercontent.com/thoughtworks/talisman/main/install.sh)" @@ -106,7 +106,7 @@ runs: continue-on-error: true shell: bash run: | - credentialdigger scan . --sqlite /tmp/cred.db --models PathModel PasswordModel + credentialdigger scan . --sqlite /tmp/cred.db --models PathModel PasswordModel | tee secrets_report/credential_digger.txt cp /tmp/cred.db secrets_report/credential_digger.db || true [ -f rules.yml ] && cp rules.yml secrets_report/ || true 
@@ -121,21 +121,20 @@ runs: - name: Run TruffleHog OSS (JSON Export) continue-on-error: true - uses: trufflesecurity/trufflehog@v3.92.4 - with: - path: ./ - base: ${{ github.event.repository.default_branch }} - head: HEAD - extra_args: --only-verified --json + shell: bash + run: | + pip install trufflehog + trufflehog filesystem . --json --only-verified > secrets_report/trufflehog.json 2>&1 - - name: Copy TruffleHog JSON Report + - name: Validate TruffleHog JSON continue-on-error: true shell: bash run: | - if [ -f "$RUNNER_TEMP/trufflehog-report.json" ]; then - cp "$RUNNER_TEMP/trufflehog-report.json" secrets_report/trufflehog.json + if [ -f secrets_report/trufflehog.json ] && [ -s secrets_report/trufflehog.json ]; then + echo "TruffleHog JSON report generated successfully" + head -c 200 secrets_report/trufflehog.json else - echo "TruffleHog JSON report not found in $RUNNER_TEMP" + echo "No TruffleHog findings or report not created" fi - name: Upload combined results artifact From 09923c89fc325dee63a2f37dcbd1016d288d3f09 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 19:19:08 -0800 Subject: [PATCH 22/30] correct flags Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 692e961..1e1531d 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -124,7 +124,7 @@ runs: shell: bash run: | pip install trufflehog - trufflehog filesystem . --json --only-verified > secrets_report/trufflehog.json 2>&1 + trufflehog filesystem --only-verified --github-actions . > secrets_report/trufflehog.json 2>&1 - name: Validate TruffleHog JSON continue-on-error: true From 1dd2f795b1371606644c3793109180ba8b96be39 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 19:34:43 -0800 Subject: [PATCH 23/30] fix kingfisher and trufflehog 
Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 1e1531d..220978e 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -117,14 +117,24 @@ runs: - name: Run kingfisher continue-on-error: true shell: bash - run: kingfisher scan . | tee secrets_report/kingfisher.txt + run: kingfisher scan . --exclude secrets_report/* | tee secrets_report/kingfisher.txt - - name: Run TruffleHog OSS (JSON Export) + - name: Install TruffleHog v3 binary continue-on-error: true shell: bash run: | - pip install trufflehog - trufflehog filesystem --only-verified --github-actions . > secrets_report/trufflehog.json 2>&1 + set -euo pipefail + TRH_VER=3.92.4 + TMPDIR="$(mktemp -d)" + curl -sSL -o "$TMPDIR/trufflehog.tar.gz" "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRH_VER}/trufflehog_${TRH_VER}_Linux_x86_64.tar.gz" + tar -xzf "$TMPDIR/trufflehog.tar.gz" -C "$TMPDIR" + sudo install "$TMPDIR/trufflehog" /usr/local/bin/trufflehog + + - name: Run TruffleHog (filesystem JSON) + continue-on-error: true + shell: bash + run: | + trufflehog filesystem . --json --only-verified > secrets_report/trufflehog.json - name: Validate TruffleHog JSON continue-on-error: true From 8e4636ee463ec839dc7f95a5e0068a3a1c6ccc5c Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 19:40:05 -0800 Subject: [PATCH 24/30] fix download url Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 220978e..c39aa4d 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml 
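Review bot: The new install step fetches the TruffleHog tarball with `curl -sSL` and places the binary in `/usr/local/bin` without verifying it, so any tampering between GitHub's release storage and the runner (or a republished asset) runs as the scanner with access to the checkout and the token. TruffleHog releases should ship a `trufflehog_${TRH_VER}_checksums.txt` next to the archives; download it and run `sha256sum -c` in `$TMPDIR` before `install`, failing closed on mismatch (shown below — the asset name must match the checksums entry exactly, which I cannot verify from this hunk). Separately, `--exclude secrets_report/*` is unquoted, so bash expands the glob against the files already written there and passes them as extra arguments; quote it as `--exclude 'secrets_report/*'`. `continue-on-error: true` on an installer only defers the failure to the next step's missing binary and should be removed here.
```yaml
- name: Install TruffleHog v3 binary
  shell: bash
  run: |
    set -euo pipefail
    TRH_VER=3.92.4
    ASSET="trufflehog_${TRH_VER}_Linux_x86_64.tar.gz"  # must match the published asset name exactly
    BASE="https://github.com/trufflesecurity/trufflehog/releases/download/v${TRH_VER}"
    TMPDIR="$(mktemp -d)"
    curl -sSL -o "$TMPDIR/$ASSET" "$BASE/$ASSET"
    curl -sSL -o "$TMPDIR/checksums.txt" "$BASE/trufflehog_${TRH_VER}_checksums.txt"
    # fail closed: the archive must match the digest published with the release
    (cd "$TMPDIR" && sha256sum --ignore-missing -c checksums.txt)
    tar -xzf "$TMPDIR/$ASSET" -C "$TMPDIR"
    # … unchanged: install into the final location …
```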
@@ -126,7 +126,7 @@ runs: set -euo pipefail TRH_VER=3.92.4 TMPDIR="$(mktemp -d)" - curl -sSL -o "$TMPDIR/trufflehog.tar.gz" "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRH_VER}/trufflehog_${TRH_VER}_Linux_x86_64.tar.gz" + curl -sSL -o "$TMPDIR/trufflehog.tar.gz" "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRH_VER}/trufflehog_${TRH_VER}_linux_amd64.tar.gz" tar -xzf "$TMPDIR/trufflehog.tar.gz" -C "$TMPDIR" sudo install "$TMPDIR/trufflehog" /usr/local/bin/trufflehog From 5b402a1886828beba64d428e2edda041e7cd9e57 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 19:46:23 -0800 Subject: [PATCH 25/30] no validation Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index c39aa4d..660ea89 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -134,18 +134,7 @@ runs: continue-on-error: true shell: bash run: | - trufflehog filesystem . --json --only-verified > secrets_report/trufflehog.json - - - name: Validate TruffleHog JSON - continue-on-error: true - shell: bash - run: | - if [ -f secrets_report/trufflehog.json ] && [ -s secrets_report/trufflehog.json ]; then - echo "TruffleHog JSON report generated successfully" - head -c 200 secrets_report/trufflehog.json - else - echo "No TruffleHog findings or report not created" - fi + trufflehog filesystem --json --only-verified . > secrets_report/trufflehog.json - name: Upload combined results artifact uses: actions/upload-artifact@v4 From 2ff9fbaa57edcb93cf1591b82a30d5168bf2f69f Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 19:56:46 -0800 Subject: [PATCH 26/30] no update Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
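Review bot: With the validate step deleted and the remaining scan step still marked `continue-on-error: true`, a verified finding from TruffleHog can no longer fail the job; the only place it surfaces is the uploaded artifact, which the upload step (outside this hunk) publishes as `secrets-scan-results`. TruffleHog's JSON output includes the raw matched value, so that artifact would carry the secret itself to anyone who can download workflow artifacts from this repository — worth either failing the job on findings and not uploading the JSON, or scrubbing it before upload. Since stdout now goes only to the file, a non-empty report means at least one finding, so a minimal gate after the scan would be `[ ! -s secrets_report/trufflehog.json ] || { echo "verified secrets found"; exit 1; }` with `continue-on-error` removed. The enclosing step's `- name:` line is outside the hunk.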
diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 660ea89..4d375d4 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -128,13 +128,16 @@ runs: TMPDIR="$(mktemp -d)" curl -sSL -o "$TMPDIR/trufflehog.tar.gz" "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRH_VER}/trufflehog_${TRH_VER}_linux_amd64.tar.gz" tar -xzf "$TMPDIR/trufflehog.tar.gz" -C "$TMPDIR" - sudo install "$TMPDIR/trufflehog" /usr/local/bin/trufflehog + install "$TMPDIR/trufflehog" "$RUNNER_TEMP/trufflehog" + chmod +x "$RUNNER_TEMP/trufflehog" - name: Run TruffleHog (filesystem JSON) continue-on-error: true shell: bash + env: + TRUFFLEHOG_NO_UPDATE: "1" run: | - trufflehog filesystem --json --only-verified . > secrets_report/trufflehog.json + "$RUNNER_TEMP/trufflehog" filesystem . --json --only-verified > secrets_report/trufflehog.json - name: Upload combined results artifact uses: actions/upload-artifact@v4 From 6151aaea6dce1a57a30bd1e133fe13f718a6a21e Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 20:04:03 -0800 Subject: [PATCH 27/30] update version Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 4d375d4..6354a00 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -140,7 +140,7 @@ runs: "$RUNNER_TEMP/trufflehog" filesystem . --json --only-verified > secrets_report/trufflehog.json - name: Upload combined results artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6.0.0 with: name: secrets-scan-results path: secrets_report From 52de5d1109045aed6940ae060381091bbe97caae Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 20:06:47 -0800 Subject: [PATCH 28/30] fix command 
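Review bot: The `chmod +x "$RUNNER_TEMP/trufflehog"` line is redundant: `install` already creates the target with mode 0755 by default, so the added line can be dropped. I could not confirm from this page that the pinned binary honours the `TRUFFLEHOG_NO_UPDATE` environment variable; if the intent is to stop the self-update check (a reasonable goal, since an unexpected self-update would silently defeat the version pin on the install line), verify the variable against the pinned version's `--help` output and prefer the documented `--no-update` flag on the command line if that is what it offers. The step list continues outside the hunk.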
Signed-off-by: ms280690 --- .github/actions/detect-secrets/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/detect-secrets/action.yaml b/.github/actions/detect-secrets/action.yaml index 6354a00..bc0b236 100644 --- a/.github/actions/detect-secrets/action.yaml +++ b/.github/actions/detect-secrets/action.yaml @@ -137,7 +137,7 @@ runs: env: TRUFFLEHOG_NO_UPDATE: "1" run: | - "$RUNNER_TEMP/trufflehog" filesystem . --json --only-verified > secrets_report/trufflehog.json + "$RUNNER_TEMP/trufflehog" filesystem . --json --only-verified 2>&1 | tee secrets_report/trufflehog.json - name: Upload combined results artifact uses: actions/upload-artifact@v6.0.0 From 4ad960d5964045ffeff8a498e45199125970341e Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 21:07:03 -0800 Subject: [PATCH 29/30] change branch name Signed-off-by: ms280690 --- .github/workflows/detect-secrets.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/detect-secrets.yaml b/.github/workflows/detect-secrets.yaml index 9a5b1c8..f302e09 100644 --- a/.github/workflows/detect-secrets.yaml +++ b/.github/workflows/detect-secrets.yaml @@ -2,10 +2,10 @@ name: Secrets Scan Workflow on: push: branches: - - detect-secrets + - main pull_request: branches: - - detect-secrets + - main permissions: contents: read From b6687858a4228b0a04f7bc04baf4a118ca0f8239 Mon Sep 17 00:00:00 2001 From: ms280690 Date: Sat, 27 Dec 2025 21:07:17 -0800 Subject: [PATCH 30/30] for local dev Signed-off-by: ms280690 --- .gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b694934 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.venv \ No newline at end of file
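Review bot: `2>&1 | tee secrets_report/trufflehog.json` sends TruffleHog's stderr (progress and update-check messages) into the file that is meant to be newline-delimited JSON, and `tee` additionally echoes every verified finding, including the raw secret value that TruffleHog's JSON records carry, into the job log where it is retained and readable by anyone with access to the run. Keep the streams apart and off the log: `"$RUNNER_TEMP/trufflehog" filesystem . --json --only-verified > secrets_report/trufflehog.json 2> secrets_report/trufflehog.log`. Note also that without `pipefail` the pipeline's exit status is tee's, not the scanner's, though the step's `continue-on-error: true` (outside the hunk) currently masks that anyway.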