|
| 1 | +name: Shared secret scan |
| 2 | +# Note: Use this only for the private repositories and |
| 3 | +# use the GHAS secret scanning for public ones |
| 4 | + |
| 5 | +on: |
| 6 | + workflow_call: |
| 7 | + inputs: |
| 8 | + send_email_alert: |
| 9 | + description: "Whether to send email alerts" |
| 10 | + type: boolean |
| 11 | + required: false |
| 12 | + default: false |
| 13 | + send_slack_alert: |
| 14 | + description: "Whether to send Slack alerts" |
| 15 | + type: boolean |
| 16 | + required: false |
| 17 | + default: false |
| 18 | + secrets: |
| 19 | + EMAIL_USERNAME: |
| 20 | + description: "Email username for sending alerts" |
| 21 | + required: true |
| 22 | + EMAIL_PASSWORD: |
| 23 | + description: "Email password for sending alerts" |
| 24 | + required: true |
| 25 | + ALERT_EMAIL_RECIPIENT: |
| 26 | + description: "Email address to send alerts to" |
| 27 | + required: false |
| 28 | + ALERT_SLACK_CHANNEL_EMAIL: |
| 29 | + description: "Slack channel email address to send alerts to" |
| 30 | + required: false |
| 31 | + |
| 32 | +permissions: |
| 33 | + contents: read |
| 34 | + |
| 35 | +jobs: |
| 36 | + trufflehog-scan: |
| 37 | + name: Trufflehog Secret Scanning |
| 38 | + runs-on: ubuntu-24.04 |
| 39 | + steps: |
| 40 | + - name: Checkout code |
| 41 | + uses: actions/checkout@v6 |
| 42 | + with: |
| 43 | + fetch-depth: 0 |
| 44 | + |
| 45 | + - name: Secret Scanning |
| 46 | + uses: trufflesecurity/trufflehog@05cccb53bc9e13bc6d17997db5a6bcc3df44bf2f # v3.92.3 |
| 47 | + with: |
| 48 | + extra_args: --results=verified,unverified,unknown |
| 49 | + |
| 50 | + send-alerts: |
| 51 | + name: Send ${{ matrix.alert_type }} alert |
| 52 | + needs: trufflehog-scan |
| 53 | + runs-on: ubuntu-24.04 |
| 54 | + if: failure() |
| 55 | + strategy: |
| 56 | + matrix: |
| 57 | + include: |
| 58 | + - alert_type: email |
| 59 | + enabled: ${{ inputs.send_email_alert }} |
| 60 | + - alert_type: slack |
| 61 | + enabled: ${{ inputs.send_slack_alert }} |
| 62 | + steps: |
| 63 | + - name: Send alert |
| 64 | + if: matrix.enabled |
| 65 | + uses: dawidd6/action-send-mail@6d98ae34d733f9a723a9e04e94f2f24ba05e1402 # v6 |
| 66 | + with: |
| 67 | + server_address: smtp.gmail.com |
| 68 | + server_port: 465 |
| 69 | + secure: true |
| 70 | + username: ${{ secrets.EMAIL_USERNAME }} |
| 71 | + password: ${{ secrets.EMAIL_PASSWORD }} |
| 72 | + subject: "Secrets found in ${{ github.repository }}!" |
| 73 | + to: ${{ matrix.alert_type == 'email' && secrets.ALERT_EMAIL_RECIPIENT || secrets.ALERT_SLACK_CHANNEL_EMAIL }} |
| 74 | + from: ${{ secrets.EMAIL_USERNAME }} |
| 75 | + body: | |
| 76 | + Trufflehog has detected potential secrets in the repository ${{ github.repository }}! |
| 77 | + Please review the scan results in the GitHub Actions logs ASAP and take appropriate action. |
0 commit comments