feat(ci): add trufflehog secrets detection (#31344)
This commit is contained in:
29
.github/workflows/trufflehog.yml
vendored
Normal file
29
.github/workflows/trufflehog.yml
vendored
Normal file
@@ -0,0 +1,29 @@
|
|||||||
|
on:
|
||||||
|
push:
|
||||||
|
|
||||||
|
name: Secret Leaks
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
trufflehog:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- shell: bash
|
||||||
|
run: |
|
||||||
|
if [ "${{ github.event_name }}" == "push" ]; then
|
||||||
|
echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
|
||||||
|
echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
|
||||||
|
fi
|
||||||
|
if [ "${{ github.event_name }}" == "pull_request" ]; then
|
||||||
|
echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
|
||||||
|
echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
|
||||||
|
fi
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
ref: ${{env.branch}}
|
||||||
|
fetch-depth: ${{env.depth}}
|
||||||
|
- name: Secret Scanning
|
||||||
|
uses: trufflesecurity/trufflehog@main
|
||||||
Reference in New Issue
Block a user