├── action.yml ├── entrypoint.sh ├── Dockerfile ├── LICENSE ├── regexes.json └── README.md /action.yml: -------------------------------------------------------------------------------- 1 | name: 'Trufflehog Actions Scan' 2 | description: 'Scan repository for secrets with basic trufflehog defaults in place for easy setup.' 3 | author: 'Ed Plato' 4 | runs: 5 | using: 'docker' 6 | image: 'Dockerfile' 7 | inputs: 8 | scanArguments: 9 | description: 'Argument options for scan.' 10 | required: false 11 | branding: 12 | icon: 'shield' 13 | color: 'yellow' 14 | -------------------------------------------------------------------------------- /entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | set -e # Abort script at first error 4 | 5 | args="--regex --entropy=False --max_depth=50" # Default trufflehog options 6 | 7 | if [ -n "${INPUT_SCANARGUMENTS}" ]; then 8 | args="${INPUT_SCANARGUMENTS}" # Overwrite if new options string is provided 9 | fi 10 | 11 | git config --global --add safe.directory '*' 12 | 13 | # By default the 'WORKDIR' of our Docker image is set to the 'GITHUB_WORKSPACE' 14 | # which is mounted into our image. This means, as long as a checkout action was 15 | # done before our action runs, we'll have access to the repository. 
16 | githubRepo="file://$(pwd)" # Default target repository 17 | query="$args $githubRepo" # Build args query with repository url 18 | trufflehog $query 19 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.7-alpine 2 | 3 | ENV HTTP_PROXY=$HTTP_PROXY 4 | ENV HTTPS_PROXY=$HTTPS_PROXY 5 | ENV NO_PROXY=$NO_PROXY 6 | 7 | LABEL name="trufflehog-actions-scan" 8 | LABEL version="1.0.0" 9 | LABEL repository="https://github.com/edplato/trufflehog-actions-scan" 10 | LABEL homepage="https://github.com/edplato/trufflehog-actions-scan" 11 | LABEL maintainer="Ed Plato" 12 | 13 | LABEL "com.github.actions.name"="Trufflehog Actions Scan" 14 | LABEL "com.github.actions.description"="Scan repository for secrets with basic trufflehog defaults in place for easy setup." 15 | LABEL "com.github.actions.icon"="shield" 16 | LABEL "com.github.actions.color"="yellow" 17 | 18 | RUN pip3 install truffleHog==2.2.1 19 | RUN apk --update add git less openssh && \ 20 | rm -rf /var/lib/apt/lists/* && \ 21 | rm /var/cache/apk/* 22 | 23 | ADD entrypoint.sh /entrypoint.sh 24 | ADD regexes.json /regexes.json 25 | 26 | ENTRYPOINT ["/entrypoint.sh"] 27 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Ed Plato 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice 
and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /regexes.json: -------------------------------------------------------------------------------- 1 | { 2 | "Slack Token": "(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})", 3 | "Generic Private Key POST Encapsulation Boundary": " PRIVATE KEY-----", 4 | "Generic Private Key Block POST Encapsulation Boundary": " PRIVATE KEY BLOCK-----", 5 | "Private key": "-----BEGIN PRIVATE KEY-----", 6 | "RSA private key": "-----BEGIN RSA PRIVATE KEY-----", 7 | "SSH (DSA) private key": "-----BEGIN DSA PRIVATE KEY-----", 8 | "SSH (EC) private key": "-----BEGIN EC PRIVATE KEY-----", 9 | "PGP private key block": "-----BEGIN PGP PRIVATE KEY BLOCK-----", 10 | "Amazon AWS Access Key ID": "AKIA[0-9A-Z]{16}", 11 | "Amazon MWS Auth Token": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", 12 | "AWS API Key": "AKIA[0-9A-Z]{16}", 13 | "Bitly Key": "R_[0-9a-f]{32}", 14 | "Facebook Access Token": "EAACEdEose0cBA[0-9A-Za-z]+", 15 | "Facebook OAuth": "[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*['|\"][0-9a-f]{32}['|\"]", 16 | "GitHub": "[g|G][i|I][t|T][h|H][u|U][b|B].*['|\"][0-9a-zA-Z]{35,40}['|\"]", 17 | "Generic API Key": "[a|A][p|P][i|I][_]?[k|K][e|E][y|Y].*['|\"][0-9a-zA-Z]{32,45}['|\"]", 18 | "Generic Secret": "[s|S][e|E][c|C][r|R][e|E][t|T].*['|\"][0-9a-zA-Z]{32,45}['|\"]", 19 | 
"Google API Key": "AIza[0-9A-Za-z\\-_]{35}", 20 | "Google Cloud Platform API Key": "AIza[0-9A-Za-z\\-_]{35}", 21 | "Google Cloud Platform OAuth": "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com", 22 | "Google Drive API Key": "AIza[0-9A-Za-z\\-_]{35}", 23 | "Google Drive OAuth": "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com", 24 | "Google (GCP) Service-account": "\"type\": \"service_account\"", 25 | "Google Gmail API Key": "AIza[0-9A-Za-z\\-_]{35}", 26 | "Google Gmail OAuth": "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com", 27 | "Google OAuth Access Token": "ya29\\.[0-9A-Za-z\\-_]+", 28 | "Google YouTube API Key": "AIza[0-9A-Za-z\\-_]{35}", 29 | "Google YouTube OAuth": "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com", 30 | "Heroku API Key": "[h|H][e|E][r|R][o|O][k|K][u|U].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", 31 | "LinkedIn API Key": "[l|L][i|I][n|N][k|K][e|E][d|D][i|I][n|N].*['|\"][0-9a-zA-Z]{16}['|\"]", 32 | "MailChimp API Key": "[0-9a-f]{32}-us[0-9]{1,2}", 33 | "Mailgun API Key": "key-[0-9a-zA-Z]{32}", 34 | "Password in URL": "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]", 35 | "PayPal Braintree Access Token": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}", 36 | "Picatic API Key": "sk_live_[0-9a-z]{32}", 37 | "Slack Webhook": "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}", 38 | "Stripe API Key": "sk_live_[0-9a-zA-Z]{24}", 39 | "Stripe Restricted API Key": "rk_live_[0-9a-zA-Z]{24}", 40 | "Square Access Token": "sq0atp-[0-9A-Za-z\\-_]{22}", 41 | "Square OAuth Secret": "sq0csp-[0-9A-Za-z\\-_]{43}", 42 | "Twilio API Key": "SK[0-9a-fA-F]{32}", 43 | "Twitter Access Token": "[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*[1-9][0-9]+-[0-9a-zA-Z]{40}", 44 | "Twitter OAuth": "[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*['|\"][0-9a-zA-Z]{35,44}['|\"]", 45 | "Github OAuth": " [A-Za-z0-9_]{255}" 46 | } 47 | 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | # Trufflehog Actions Scan :pig_nose::key: 3 | 4 | Scan recent commits in a repository for secrets with basic [trufflehog](https://github.com/dxa4481/truffleHog) defaults in place for easy setup. 5 | 6 | This action is intended as a Continuous Integration secret scan in an already "clean" repository. The default commit scan depth is the last 50 commits and can be adjusted using Custom Arguments (see below). 7 | 8 | It is recommended to run a basic trufflehog scan on your entire repository before relying on this CI solution (Note: this can be done manually from the command line or by using this action with the custom options `"--regex --entropy=False"`). 9 | 10 | ## Usage 11 | 12 | ```txt 13 | 14 | workflow "Detect Secrets" { 15 | on = "push" 16 | resolves = ["edplato/trufflehog-actions-scan"] 17 | } 18 | 19 | action "edplato/trufflehog-actions-scan" { 20 | uses = "edplato/trufflehog-actions-scan@master" 21 | } 22 | 23 | ``` 24 | 25 | Default trufflehog options for this tool include: 26 | 27 | - regex: enable the high-signal regex checks 28 | 29 | - entropy disabled: entropy checks are turned off 30 | 31 | - max depth is 50: the maximum number of commits to go back when searching for secrets 32 | 33 | For custom regex rules: 34 | 35 | - rules: uses the custom [regexes.json](regexes.json) shipped in the image at `/regexes.json`. It is not enabled by default; pass `--rules /regexes.json` through Custom Arguments (see below) to use it. 36 | - Note: this is similar to the default `trufflehog` rule set, however this `regexes.json` will catch some additional API keys, including any private-key encapsulation boundary that ends in ` PRIVATE KEY-----` or ` PRIVATE KEY BLOCK-----`. 37 | 38 | Edit your corresponding workflow `yml` file or create a new one. 39 | 40 | ### Required Actions 41 | 42 | `trufflehog-actions-scan` now uses `actions/checkout@v2`. Using a previous version may cause issues with future support of this action. 
43 | 44 | With `actions/checkout@v2`, make sure to include `fetch-depth: 0`, as shown below, when checking out the repository: it makes the entire git commit history available to be scanned. Alternatively, ensure the value for `fetch-depth` is greater than the `max_depth` flag used by trufflehog so that trufflehog runs at your desired commit history depth. `ref: ${{ github.head_ref }}` is necessary for the pull request workflow trigger. 45 | 46 | 47 | ### Basic 48 | 49 | ```yaml 50 | steps: 51 | - uses: actions/checkout@v2 52 | with: 53 | fetch-depth: 0 54 | ref: ${{ github.head_ref }} # necessary for pull request workflow trigger 55 | - name: trufflehog-actions-scan 56 | uses: edplato/trufflehog-actions-scan@master 57 | ``` 58 | 59 | ### Custom Arguments 60 | 61 | ```yaml 62 | steps: 63 | - uses: actions/checkout@v2 64 | with: 65 | fetch-depth: 0 66 | ref: ${{ github.head_ref }} # necessary for pull request workflow trigger 67 | - name: trufflehog-actions-scan 68 | uses: edplato/trufflehog-actions-scan@master 69 | with: 70 | scanArguments: "--regex --entropy=False --max_depth=5 --rules /regexes.json" # Add custom options here* 71 | 72 | ``` 73 | 74 | * if a custom options argument string is used, it replaces the default settings entirely (the defaults are not merged in) 75 | * if you want to just run the `trufflehog` command with NO arguments, set `scanArguments` to a single-space string `" "` 76 | 77 | ### Proxy 78 | Building the docker container requires access to pypi.python.org/pypi. If you are running this action on a self-hosted runner behind a proxy, you can configure the docker client to [flow proxy info to the container](https://docs.docker.com/network/proxy/#configure-the-docker-client). This action will respect the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` settings in `~/.docker/config.json`, if set. 79 | 80 | [MIT License](LICENSE) 81 | --------------------------------------------------------------------------------