From 92b698584aee28471a030cd1eb6f7222467f9856 Mon Sep 17 00:00:00 2001
From: Ethan
Date: Fri, 27 Oct 2023 09:22:32 -0400
Subject: [PATCH] add secret scanning workflow (#11053)

**What this PR does / why we need it**:
Short PR to add GitHub Action workflow to run Trufflehog on each PR. Will only fail/alert on verified secrets. This can be tweaked and configured later if need be.

**Which issue(s) this PR fixes**:
Fixes #

**Special notes for your reviewer**:

**Checklist**
- [ ] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (**required**)
- [ ] Documentation added
- [ ] Tests updated
- [ ] `CHANGELOG.md` updated
- [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label
- [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md`
- [ ] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](https://github.com/grafana/loki/commit/d10549e3ece02120974929894ee333d07755d213)
- [ ] If the change is deprecating or removing a configuration option, update the `deprecated-config.yaml` and `deleted-config.yaml` files respectively in the `tools/deprecated-config-checker` directory.

Co-authored-by: Michel Hollands <42814411+MichelHollands@users.noreply.github.com>
---
 .github/workflows/secret-scanning.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .github/workflows/secret-scanning.yml

diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml
new file mode 100644
index 0000000000000..2aab74fa09f78
--- /dev/null
+++ b/.github/workflows/secret-scanning.yml
@@ -0,0 +1,17 @@ +name: TruffleHog Secrets Scan +on: [pull_request] +jobs: + TruffleHog: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: TruffleHog OSS + uses: trufflesecurity/trufflehog@main + with: + path: ./ + base: ${{ github.event.repository.default_branch }} + head: HEAD + extra_args: --debug --only-verified
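Review bot: `uses: trufflesecurity/trufflehog@main` pins the scanner to a moving branch, so every PR run executes whatever is on that branch at the time, with access to the full checked-out history (`fetch-depth: 0`); pin to a release tag or, better, a full commit SHA (e.g. `uses: trufflesecurity/trufflehog@<commit-sha> # vX.Y.Z`) so the third-party action cannot change underneath the workflow. Two smaller points in the same hunk: the workflow declares no `permissions:` block, so the job inherits the repository's default token scope even though a scan only needs `permissions: contents: read`; and `--debug` in `extra_args` makes every PR's log verbose, which is useful while tuning `--only-verified` but is worth dropping once the behaviour is confirmed.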