From ccd86df696409f000d6224fb9dd29922bcc79bf6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Canal?=
Date: Tue, 19 Oct 2021 14:24:19 -0300
Subject: [PATCH 1/2] Refactor entrypoint and add --allow argument
---
action.yml | 8 ++++++--
entrypoint.sh | 31 ++++++++++++++++++-------------
2 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/action.yml b/action.yml
index 396cdf2..c91d716 100644
--- a/action.yml
+++ b/action.yml
@@ -2,18 +2,22 @@ name: "Secret Scan"
 description: "Scan your repository for secrets"
 author: "Max Schoening "
 inputs:
- include_path:
+ include_path:
 description: 'Path to the configuration file with include path patterns'
 required: false
- exclude_path:
+ exclude_path:
 description: 'Path to the configuration file with exclude path patterns'
 required: false
+ allowed_patterns:
+ description: 'Path to the configuration file with allowed patterns'
+ required: false
 runs:
 using: "docker"
 image: "Dockerfile"
 args:
 - ${{ inputs.include_path }}
 - ${{ inputs.exclude_path }}
+ - ${{ inputs.allowed_patterns }}
 branding:
 icon: lock
 color: red
diff --git a/entrypoint.sh b/entrypoint.sh
index a69626d..06bd1ab 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
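Review bot: The description of the new `allowed_patterns` input does not say what the file holds or what it does to results; the README change in the second patch calls it a JSON file of secrets that should not trigger a warning, and that belongs where the input is declared, e.g. `description: 'Path to a JSON file of patterns whose matches are suppressed; every entry hides a finding, so review changes to it'`. Separately, the added `- ${{ inputs.allowed_patterns }}` under `args` follows the existing two entries, but entrypoint.sh reads the inputs from the `INPUT_*` environment variables and starts with `set -- trufflehog`, which discards the positional parameters, so none of the three arguments appear to be used; either drop the list or note why it is kept. The `include_path:`/`exclude_path:` pairs differ only in trailing whitespace.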
@@ -2,16 +2,21 @@ set -e
-if [ -f "$INPUT_INCLUDE_PATH" ] && [[ -f "$INPUT_EXCLUDE_PATH" ]]; then
- echo "Running TruffleHog with include and exclude paths."
- trufflehog --include_paths $INPUT_INCLUDE_PATH --exclude_paths $INPUT_EXCLUDE_PATH $GITHUB_WORKSPACE
-elif [ -f "$INPUT_INCLUDE_PATH" ] ; then
- echo "Running TruffleHog with include paths."
- trufflehog --include_paths $INPUT_INCLUDE_PATH $GITHUB_WORKSPACE
-elif [ -f "$INPUT_EXCLUDE_PATH" ] ; then
- echo "Running TruffleHog with exclude paths."
- trufflehog --exclude_paths $INPUT_EXCLUDE_PATH $GITHUB_WORKSPACE
-else
- echo "Running TruffleHog without path filters."
- trufflehog $GITHUB_WORKSPACE
-fi
\ No newline at end of file
+# https://github.com/koalaman/shellcheck/wiki/Sc2086#exceptions
+# https://wiki.bash-hackers.org/syntax/pe#use_an_alternate_value
+# https://unix.stackexchange.com/questions/131766/why-does-my-shell-script-choke-on-whitespace-or-other-special-characters/131767#131767
+# Prepare the command
+set -- trufflehog
+set -- "$@" ${INPUT_INCLUDE_PATH:+--include_paths "$INPUT_INCLUDE_PATH"}
+set -- "$@" ${INPUT_EXCLUDE_PATH:+--exclude_paths "$INPUT_EXCLUDE_PATH"}
+set -- "$@" ${INPUT_ALLOWED_PATTERNS:+--allow "$INPUT_ALLOWED_PATTERNS"}
+set -- "$@" "$GITHUB_WORKSPACE"
+
+# Print the command
+cat << COMMAND > /dev/stdout
+Running truffleHog with command:
+$@
+COMMAND
+
+# Run the command
+"$@"
From 4283758f8fc440bb0ae708119074940fa19d3046 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Canal?=
Date: Tue, 19 Oct 2021 14:35:28 -0300
Subject: [PATCH 2/2] Update README with the --allow argument
---
README.md | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2f4047e..d50b126 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,8 @@ jobs: ## Example with path filters + +Use path filters to manage the set of objects that will be scanned. + ```yaml on: push name: Find Secrets
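Review bot: The `-f` existence checks are gone, so a non-empty `INPUT_INCLUDE_PATH`, `INPUT_EXCLUDE_PATH` or `INPUT_ALLOWED_PATTERNS` that names a missing file is now passed to trufflehog rather than silently dropped; for filter files that is the right direction (a quietly ignored `--exclude_paths` or `--allow` changes what is scanned or reported), but the script now relies on trufflehog rejecting the path and on `set -e` stopping the step, neither of which is visible in the hunk. I would check the three inputs up front with a small helper so a typo fails with a message naming the input, as below. On the `cat << COMMAND` block, `> /dev/stdout` is a no-op redirect that can be dropped, and `$@` inside the heredoc expands to one line with the arguments separated by spaces, so the printed command does not show where an argument containing whitespace begins or ends. The script's first line (the interpreter) is outside the hunk, so which shell evaluates the `${VAR:+...}` expansions cannot be confirmed from here.
```shell
# Fail fast when an optional filter file is named but does not exist.
require_file() {
  [ -z "$2" ] || [ -f "$2" ] || { echo "$1: file not found: $2" >&2; exit 1; }
}
require_file include_path "$INPUT_INCLUDE_PATH"
require_file exclude_path "$INPUT_EXCLUDE_PATH"
require_file allowed_patterns "$INPUT_ALLOWED_PATTERNS"
# … unchanged: set -- trufflehog … "$GITHUB_WORKSPACE", print and run …
```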
@@ -31,4 +33,21 @@ jobs:
 exclude_path: 'configuration/exclude_paths.txt'
 ```
-For more information about the format of the configuration files for include or exclude paths, please refer to [TruffleHog](https://github.com/dxa4481/truffleHog).
\ No newline at end of file
+## Example with allowed patterns
+
+Use a JSON file to allow secrets that shouldn't trigger a warning.
+
+```yaml
+on: push
+name: Find Secrets
+jobs:
+ main:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: max/secret-scan@master
+ with:
+ allowed_patterns: 'configuration/allowed_patterns.json'
+```
+
+For more information about the format of the configuration files for each additional parameter, please refer to [truffleHog](https://github.com/trufflesecurity/truffleHog) documentation.