|
7 | 7 | branches: [ main ] |
8 | 8 | workflow_dispatch: |
9 | 9 |
|
10 | | -# Required permissions for code scanning API |
| 10 | +# Required permissions for code scanning API and committing reports |
11 | 11 | permissions: |
12 | 12 | security-events: write |
13 | 13 | actions: read |
14 | | - contents: read |
| 14 | + contents: write # Upgraded from 'read' to 'write' to allow committing files |
15 | 15 |
|
16 | 16 | jobs: |
17 | 17 | secrets-scanning: |
|
31 | 31 | uses: trufflesecurity/trufflehog@v3.63.7 |
32 | 32 | with: |
33 | 33 | path: ./ |
34 | | - extra_args: --debug --json |
35 | | - |
36 | | - # Generate TruffleHog report in docs/reports |
37 | | - - name: Generate TruffleHog report |
38 | | - run: | |
39 | | - echo "Running TruffleHog scan manually to save report" |
40 | | - docker run --rm -v $(pwd):/pwd trufflesecurity/trufflehog:latest github --repo file:///pwd --json > ./docs/reports/trufflehog-results.json || true |
| 34 | + extra_args: --debug --json |
41 | 35 |
|
42 | 36 | # Upload TruffleHog results as artifact |
43 | 37 | - name: Upload TruffleHog results |
@@ -411,6 +405,9 @@ jobs: |
411 | 405 | steps: |
412 | 406 | - name: Checkout code |
413 | 407 | uses: actions/checkout@v4 |
| 408 | + with: |
| 409 | + token: ${{ github.token }} # Use GitHub token for authentication |
| 410 | + fetch-depth: 0 # Full history for proper commits |
414 | 411 |
|
415 | 412 | - name: Download all artifacts |
416 | 413 | uses: actions/download-artifact@v4 |
@@ -452,15 +449,43 @@ jobs: |
452 | 449 | echo "Saved reports in docs/reports directory:" |
453 | 450 | ls -la ./docs/reports/ |
454 | 451 | |
455 | | - # Option to commit the reports directly to the repository |
456 | | - - name: Create local commit with reports (optional) |
457 | | - if: github.event_name == 'workflow_dispatch' |
| 452 | + # Commit and push the reports to the repository |
| 453 | + - name: Commit and push reports to the repository |
458 | 454 | run: | |
459 | | - git config --local user.email "action@github.com" |
460 | | - git config --local user.name "GitHub Action" |
| 455 | + # Configure git |
| 456 | + git config --local user.email "github-actions[bot]@users.noreply.github.com" |
| 457 | + git config --local user.name "github-actions[bot]" |
| 458 | + |
| 459 | + # Check for changes in remote and pull if needed |
| 460 | + echo "Checking for updates from remote..." |
| 461 | + git pull origin ${GITHUB_REF_NAME} --no-rebase || echo "Failed to pull, proceeding anyway" |
| 462 | + |
| 463 | + # Ensure docs/reports directory exists |
| 464 | + mkdir -p ./docs/reports/ |
| 465 | + |
| 466 | + # Stage the changes |
| 467 | + echo "Adding report files to git..." |
461 | 468 | git add ./docs/reports/ |
462 | | - git commit -m "Add scan reports [skip ci]" || echo "No changes to commit" |
463 | | - echo "Reports committed to the repository. Use git push to push these changes." |
| 469 | + |
| 470 | + # Verify changes were staged |
| 471 | + git status |
| 472 | + |
| 473 | + # Check if there are changes to commit |
| 474 | + if git diff --staged --quiet; then |
| 475 | + echo "No changes to commit" |
| 476 | + else |
| 477 | + # Commit the changes |
| 478 | + echo "Committing report files..." |
| 479 | + git commit -m "Add security scan reports [skip ci]" |
| 480 | + |
| 481 | + # Push to the repository |
| 482 | + echo "Pushing changes to the repository..." |
| 483 | + git push origin ${GITHUB_REF_NAME} |
| 484 | + |
| 485 | + echo "Reports have been committed and pushed to the repository." |
| 486 | + echo "View them at: https://github.com/${GITHUB_REPOSITORY}/tree/${GITHUB_REF_NAME}/docs/reports" |
| 487 | + fi |
| 488 | + continue-on-error: true # Continue workflow even if push fails |
464 | 489 |
|
465 | 490 | defectdojo-import: |
466 | 491 | name: Import Results to DefectDojo |
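Review bot: The `git push origin ${GITHUB_REF_NAME}` step relies on the workflow-level `contents: write` granted in the earlier permissions hunk of this commit, and that grant is inherited by every job in the file, including the ones that run third-party scanner actions such as trufflesecurity/trufflehog; scope it to the job that contains this step with a job-level `permissions:` / `contents: write` block and keep the top-level grant at `contents: read`. Separately, the files pushed from `./docs/reports/` include the TruffleHog `--json` output, which to my knowledge carries the matched secret values in its findings, so committing that report to the branch would publish whatever the scan found; keeping it only as the artifact the "Upload TruffleHog results" step already produces, or redacting it before `git add`, avoids that. `continue-on-error: true` at the end means a failed `git pull` or `git push` leaves docs/reports silently stale on the branch, so consider dropping it so the job surfaces the failure, and quote the ref as `"${GITHUB_REF_NAME}"` in both git commands. The enclosing job definition starts outside this hunk.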
|