
Handle None span context in the span processor and pin tokenizers version for anthropic tests on Python 3.8 #8339


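name: Secret Scan
on: [pull_request, merge_group]
jobs:
  secret-scan:
    name: Secret Scan
    runs-on: ubuntu-latest
    # Least privilege: the job token can only read the repository. The same
    # token is reused below for the GitHub API call that resolves the release.
    permissions:
      contents: "read"
    outputs:
      latest_release: ${{ steps.trufflehog_release.outputs.latest_release }}
      latest_tag_name: ${{ steps.trufflehog_release.outputs.latest_tag_name }}
    steps:
      - name: Checkout Code
        # Actions are pinned to an immutable commit SHA; the trailing comment records the tag.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Cosign
        # v4 of the action install v3 of the CLI. v4 of the CLI will deprecate some features so be aware.
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - name: Pin Trufflehog to a known good release
        id: trufflehog_release
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # NOTE(review): despite the step name this is not a static pin. The
          # version is resolved at run time as the *second* entry the releases
          # API returns (`.[1]`), presumably to skip the newest release --
          # confirm that is the intent. Trust is anchored by the Sigstore
          # signature check in the next step, not by this lookup.
          LATEST_TAG_NAME=$(gh api repos/trufflesecurity/trufflehog/releases --jq '.[1].tag_name')
          if [[ -z "$LATEST_TAG_NAME" || "$LATEST_TAG_NAME" == "null" ]]; then
            echo "::error::Failed to fetch TruffleHog release info"
            exit 1
          fi
          echo "Using TruffleHog version: $LATEST_TAG_NAME"
          echo "latest_tag_name=$LATEST_TAG_NAME" >> "$GITHUB_OUTPUT"
          # Release asset file names use the tag without its leading "v".
          echo "latest_release=${LATEST_TAG_NAME#v}" >> "$GITHUB_OUTPUT"
      - name: Download and verify TruffleHog release
        shell: bash
        # Step outputs are handed to the script through env vars instead of
        # being interpolated with ${{ }} into the script text, so an unexpected
        # tag string is never evaluated as shell syntax.
        env:
          TAG: ${{ steps.trufflehog_release.outputs.latest_tag_name }}
          VERSION: ${{ steps.trufflehog_release.outputs.latest_release }}
        run: |
          BASE_URL="https://github.com/trufflesecurity/trufflehog/releases/download/${TAG}"
          # Checksums file, its keyless-signing certificate and signature, and the binary tarball.
          for asset in \
            "trufflehog_${VERSION}_checksums.txt" \
            "trufflehog_${VERSION}_checksums.txt.pem" \
            "trufflehog_${VERSION}_checksums.txt.sig" \
            "trufflehog_${VERSION}_linux_amd64.tar.gz"; do
            curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O "${BASE_URL}/${asset}"
          done
          # Keyless Sigstore verification: the checksums file must have been
          # signed by a GitHub Actions workflow of the upstream repo (certificate
          # identity) with a certificate issued via the GitHub OIDC issuer.
          # Anything signed elsewhere fails the job here.
          cosign verify-blob "trufflehog_${VERSION}_checksums.txt" \
            --certificate "trufflehog_${VERSION}_checksums.txt.pem" \
            --signature "trufflehog_${VERSION}_checksums.txt.sig" \
            --certificate-identity-regexp 'https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+' \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
          # Check the tarball against the now-trusted checksums. Only the amd64
          # tarball is on disk, so other listed assets are skipped; GNU sha256sum
          # still exits non-zero if no listed file at all was verified.
          sha256sum --ignore-missing -c "trufflehog_${VERSION}_checksums.txt"
      - name: Extract TruffleHog
        shell: bash
        env:
          VERSION: ${{ steps.trufflehog_release.outputs.latest_release }}
        run: |
          # Extract only the binary so nothing else from the archive lands on PATH.
          tar xzf "trufflehog_${VERSION}_linux_amd64.tar.gz" -C /usr/local/bin trufflehog
          chmod +x /usr/local/bin/trufflehog
      - name: Run TruffleHog scan
        # Findings must not abort the job at this point: the outcome is reported
        # to the SIEM first, and the final step fails the workflow afterwards.
        continue-on-error: true
        id: scan
        shell: bash
        run: |
          # --only-verified: report only credentials TruffleHog could confirm are live.
          # --github-actions: emit findings as workflow annotations.
          # --fail: exit non-zero when anything is reported.
          # --exclude-detectors: the Datadog token detector is skipped --
          #   presumably because of fixture/test values in this repo; confirm.
          args=(--only-verified --github-actions --fail --exclude-detectors="datadogtoken")
          # Optional, repo-maintained list of paths to leave out of the scan.
          if [[ -e .secret_scan_ignore ]]; then
            args+=(--exclude-paths=.secret_scan_ignore)
          fi
          trufflehog git file://. "${args[@]}"
      - name: Send Alert to SIEM
        id: alert
        shell: bash
        # Event context is passed through env vars rather than expanded with
        # ${{ }} inside the script, so values that originate from the pull
        # request cannot break out of the shell command, and the payload is
        # built with jq (preinstalled on ubuntu-latest) so they are JSON-escaped.
        env:
          SIEM_WEBHOOK_URL: ${{ vars.SECRET_SCAN_SIEM_WEBHOOK_URL }}
          SCAN_OUTCOME: ${{ steps.scan.outcome }}
          PR_CREATED_AT: ${{ github.event.pull_request.created_at }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          # The webhook is optional; skip quietly when the repo variable is unset.
          if [[ -n "$SIEM_WEBHOOK_URL" ]]; then
            # NOTE(review): on merge_group events github.event.pull_request is
            # empty, so the PR-derived fields arrive blank -- confirm the SIEM
            # side tolerates that.
            payload=$(jq -cn \
              --arg status "$SCAN_OUTCOME" \
              --arg created_at "$PR_CREATED_AT" \
              --arg repo "$REPO" \
              --arg pr_url "https://github.com/${REPO}/pull/${PR_NUMBER}" \
              --arg actor "$PR_AUTHOR" \
              '{event: "github_secret_scanning", status: $status, createdAt: $created_at, repo: $repo, pull_request: $pr_url, actor: $actor}')
            curl "$SIEM_WEBHOOK_URL" --data "$payload"
          fi
      - name: Fail workflow if secret detected
        # continue-on-error above kept the job alive; turn the scan's outcome
        # into a real failure only after the alert has been sent.
        if: steps.scan.outcome != 'success'
        run: exit 1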