Skip to content

cloudbees-io/trufflehog-secret-scan-code

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

43 Commits
CODEOWNERS
CODEOWNERS
 
 
LICENSE
LICENSE
 
 
README.adoc
README.adoc
 
 
action.yml
action.yml
 
 

Repository files navigation

CloudBees action: Scan code with TruffleHog

Use this action to detect secrets and sensitive information in the codebase with TruffleHog, an open-source secret scanning tool.

This action provides flexibility by allowing users to scan a local codebase or else provide a URL to scan a remote repository. When a repository URL is specified, the TruffleHog action examines the code directly from the specified repository. If no URL is provided, the action scans the code present in the local working directory.

Inputs

Table 1. Input details
Input name Data type Required Description

token

string

No

The token for authentication.

repoUrl

string

No

The URL of the Git repository to scan. If repoUrl is not specified, the current repository is scanned.

branch

string

Yes

The branch of the repository to scan. If repoUrl is not specified, this must be the current branch.

path

string

No

The path of the directory to scan. If not specified, the standard CloudBees workspace directory is scanned.

since-commit

string

No

The commit hash or branch name to start the scan from.

threshold-very-high

integer

No

The number threshold of very high severity vulnerabilities at which the build is broken.

only-verified

String

No

Enables the verified flag to scan only verified secrets. The default is true.[1]
Important

[1] If only-verified is set to true, The TruffleHog tool may utilize an external third-party API to verify the secrets detected.

Customers concerned about security implications involving third-party API calls should set the only-verified value to false, which returns all the secrets without verification and might include false positives. Refer to the TruffleHog credential verification documentation for more information.

Usage examples

Add any of the below examples to your YAML file.

To scan a repository branch:

      - name: Run TruffleHog code scan
        uses: cloudbees-io/trufflehog-secret-scan-code@v1
        with:
          token: ${{ secrets.TOKEN }}
          repoUrl: ${{ repositoryUrl }}
          branch: ${{ branch }}

To scan a local codebase:

    steps:
      - name: Check out source code
        uses: cloudbees-io/checkout@v1

      - name: Run TruffleHog secret scan on local source code
        uses: cloudbees-io/trufflehog-secret-scan-code@v1
        with:
          branch: ${{ cloudbees.scm.branch }}

To scan the entire history of a local codebase branch:

    steps:
      - name: Check out source code
        uses: cloudbees-io/checkout@v1
        with:
          fetch-depth: 0 # Fetch the full history

      - name: Run TruffleHog scan on full history
        uses: cloudbees-io/trufflehog-secret-scan-code@v1
        with:
          branch: ${{ cloudbees.scm.branch }}

In the following example, if there are more than three very high severity vulnerabilities identified, the build is broken.

      - name: Check out source code
        uses: cloudbees-io/checkout@v1

      - name: Run TruffleHog secret scan with threshold
        uses: cloudbees-io/trufflehog-secret-scan-code@v1
        with:
          branch: ${{ cloudbees.scm.branch }}
          threshold-very-high: 3

In the following example, a local codebase is scanned from a specified commit hash. Fetching the entire history is required for this usage.

      - name: Check out source code
        uses: cloudbees-io/checkout@v1
        with:
        fetch-depth: 0 # Fetch the full history

      - name: Run TruffleHog starting from commit
        uses: cloudbees-io/trufflehog-secret-scan-code@v1
        with:
          branch: ${{ cloudbees.scm.branch }}
          since-commit: ${{ commit.hash }} # Scan starting point
          threshold-very-high: 3

In the following example, a local codebase is scanned from the last commit of the main branch up to the latest commit of the current branch. Fetching the entire history is required for this usage.

      - name: Check out source code
        uses: cloudbees-io/checkout@v1
        with:
        fetch-depth: 0 # Fetch the full history

      - name: Run TruffleHog scan since a commit
        uses: cloudbees-io/trufflehog-secret-scan-code@v1
        with:
          branch: ${{ cloudbees.scm.branch }} # Current branch
          since-commit: "main" # Scan starting point
          threshold-very-high: 3

To scan a given repository from a specified commit hash:

      - name: Run TruffleHog code scan on a repo
        uses: cloudbees-io/trufflehog-secret-scan-code@v1
        with:
          token: ${{ secrets.TOKEN }}
          repoUrl: ${{ repositoryUrl }}
          branch: ${{ branch }}
          since-commit: ${{ commit.hash }} # Scan starting point
Note
 In the example above, if both the since-commit and branch parameters are set to the same value, the scan detects no changes.

To scan a repository branch with only-verified set to false, which might return false positives:

      - name: Run TruffleHog code scan with no verification
        uses: cloudbees-io/trufflehog-secret-scan-code@v1
        with:
          token: ${{ secrets.TOKEN }}
          repoUrl: ${{ repositoryUrl }}
          branch: ${{ branch }}
          only-verified: false

License

This code is made available under the MIT license.

References

About

No description or website provided.

Topics

cb-actions

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

5 watching

Forks

0 forks
Report repository

Releases 6

v1 Latest
Apr 25, 2025
+ 5 releases

Packages

No packages published

Contributors 6