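--- a/.github/workflows/shared-secret-scan.yml
+++ b/.github/workflows/shared-secret-scan.yml
@@ -0,0 +1,77 @@
+name: Shared secret scan
+# Note: Use this only for the private repositories and
+# use the GHAS secret scanning for public ones
+
+on:
+workflow_call:
+inputs:
+send_email_alert:
+description: "Whether to send email alerts"
+type: boolean
+required: false
+default: false
+send_slack_alert:
+description: "Whether to send Slack alerts"
+type: boolean
+required: false
+default: false
+secrets:
+EMAIL_USERNAME:
+description: "Email username for sending alerts"
+required: true
+EMAIL_PASSWORD:
+description: "Email password for sending alerts"
+required: true
+ALERT_EMAIL_RECIPIENT:
+description: "Email address to send alerts to"
+required: false
+ALERT_SLACK_CHANNEL_EMAIL:
+description: "Slack channel email address to send alerts to"
+required: false
+
+permissions:
+contents: read
+
+jobs:
+trufflehog-scan:
+name: Trufflehog Secret Scanning
+runs-on: ubuntu-24.04
+steps:
+- name: Checkout code
+uses: actions/checkout@v6
+with:
+fetch-depth: 0
+
+- name: Secret Scanning
+uses: trufflesecurity/trufflehog@05cccb53bc9e13bc6d17997db5a6bcc3df44bf2f # v3.92.3
+with:
+extra_args: --results=verified,unverified,unknown
+
+send-alerts:
+name: Send ${{ matrix.alert_type }} alert
+needs: trufflehog-scan
+runs-on: ubuntu-24.04
+if: failure()
+strategy:
+matrix:
+include:
+- alert_type: email
+enabled: ${{ inputs.send_email_alert }}
+- alert_type: slack
+enabled: ${{ inputs.send_slack_alert }}
+steps:
+- name: Send alert
+if: matrix.enabled
+uses: dawidd6/action-send-mail@6d98ae34d733f9a723a9e04e94f2f24ba05e1402 # v6
+with:
+server_address: smtp.gmail.com
+server_port: 465
+secure: true
+username: ${{ secrets.EMAIL_USERNAME }}
+password: ${{ secrets.EMAIL_PASSWORD }}
+subject: "Secrets found in ${{ github.repository }}!"
+to: ${{ matrix.alert_type == 'email' && secrets.ALERT_EMAIL_RECIPIENT || secrets.ALERT_SLACK_CHANNEL_EMAIL }}
+from: ${{ secrets.EMAIL_USERNAME }}
+body: |
+Trufflehog has detected potential secrets in the repository ${{ github.repository }}!
+Please review the scan results in the GitHub Actions logs ASAP and take appropriate action.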
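Review bot: The recipient expression on the `to:` line of the "Send alert" step (`matrix.alert_type == 'email' && secrets.ALERT_EMAIL_RECIPIENT || secrets.ALERT_SLACK_CHANNEL_EMAIL`) falls through to the Slack channel address whenever the email variant runs with ALERT_EMAIL_RECIPIENT unset, because both recipient secrets are declared `required: false` and an empty string is falsy in the `&&`/`||` ternary idiom; the alert is then delivered to an address the caller never opted into, and the inverse case (only the Slack secret unset) yields an empty `to:`. Expose both recipients as job-level `env` values and gate the step on the one that applies, so an unset recipient skips the alert rather than redirecting it (the `secrets` context is not available in a step-level `if`, which is why the check goes through `env`). Separately, `uses: actions/checkout@v6` is the only step not pinned to a commit SHA while the other two steps are; pin it the same way, `uses: actions/checkout@<commit-sha-for-v6> # v6`. Also, `if: failure()` on `send-alerts` fires for any failure of `trufflehog-scan`, including a checkout or runner error, while the subject and body assert that secrets were found, which may be acceptable noise but is worth confirming or narrowing.
```yaml
send-alerts:
  # … unchanged: name, needs, runs-on, if, strategy …
  env:
    EMAIL_TO: ${{ secrets.ALERT_EMAIL_RECIPIENT }}
    SLACK_TO: ${{ secrets.ALERT_SLACK_CHANNEL_EMAIL }}
  steps:
    - name: Send alert
      if: matrix.enabled && ((matrix.alert_type == 'email' && env.EMAIL_TO != '') || (matrix.alert_type == 'slack' && env.SLACK_TO != ''))
      uses: dawidd6/action-send-mail@6d98ae34d733f9a723a9e04e94f2f24ba05e1402 # v6
      with:
        # … unchanged: server_address, server_port, secure, username, password, subject …
        to: ${{ matrix.alert_type == 'email' && env.EMAIL_TO || env.SLACK_TO }}
        # … unchanged: from, body …
```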