feat(ci): add trufflehog secrets detection (#31344)

348e2294 · Luc Georges · GitHub · 17896f67 · 348e2294
Unverified Commit 348e2294 authored Jun 12, 2024 by Luc Georges Committed by GitHub Jun 12, 2024
Show whitespace changes
Inline Side-by-side

Showing with 29 additions and 0 deletions

.github/workflows/trufflehog.yml .github/workflows/trufflehog.yml +29 -0

No files found.
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
+on:
+  push:
+name: Secret Leaks
+permissions:
+  contents: read
+jobs:
+  trufflehog:
+    runs-on: ubuntu-latest
+    steps:
+    - shell: bash
+      run: |
+        if [ "${{ github.event_name }}" == "push" ]; then
+          echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
+          echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
+        fi
+        if [ "${{ github.event_name }}" == "pull_request" ]; then
+          echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
+          echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
+        fi
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        ref: ${{env.branch}}
+        fetch-depth: ${{env.depth}}
+    - name: Secret Scanning
+      uses: trufflesecurity/trufflehog@main