
Add Trufflehog check for each PR #81

Merged: janaknat merged 1 commit into main from janaknat-patch-2 on Sep 26, 2023

Conversation

janaknat
Contributor

This ensures no secrets are committed as part of a PR.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@wash-amzn
Contributor

It kind of looks like the scan didn't work (even though it "passed"):

```
2023-09-18T22:38:19Z	info-1	trufflehog	cloned repo	{"path": "./"}
2023-09-18T22:38:19Z	info-0	trufflehog	error scanning repository	{"job_id": 1, "source_manager_worker_id": "4WORD", "source_type": "SOURCE_TYPE_GIT", "source_name": "trufflehog - git", "repo": "./", "error": "unable to resolve base ref: no base refs succeeded for base: \"main\""}
2023-09-18T22:38:19Z	info-1	trufflehog	Git source finished scanning	{"job_id": 1, "source_manager_worker_id": "4WORD", "source_type": "SOURCE_TYPE_GIT", "source_name": "trufflehog - git", "repo_count": 1}
```

```yaml
uses: trufflesecurity/trufflehog@main
with:
  path: ./
  base: ${{ github.event.repository.default_branch }}
```
Contributor

Will this scan the content of PRs, or will it wind up scanning main?

I suggest adding a commit with credentials and verifying this actually works.

Contributor

Also check if it works from a fork (normal PR).

Contributor Author

I added the test-key from the trufflehog repo (a private RSA key) and it was detected by the GitHub action.

Contributor

It doesn't appear that the scan actually complained about the private key, but instead the URL above it.

Contributor Author

Remove the URL and it flagged a base64 encoding.

@janaknat
Contributor Author

> It kind of looks like the scan didn't work (even though it "passed"):
>
> ```
> 2023-09-18T22:38:19Z	info-1	trufflehog	cloned repo	{"path": "./"}
> 2023-09-18T22:38:19Z	info-0	trufflehog	error scanning repository	{"job_id": 1, "source_manager_worker_id": "4WORD", "source_type": "SOURCE_TYPE_GIT", "source_name": "trufflehog - git", "repo": "./", "error": "unable to resolve base ref: no base refs succeeded for base: \"main\""}
> 2023-09-18T22:38:19Z	info-1	trufflehog	Git source finished scanning	{"job_id": 1, "source_manager_worker_id": "4WORD", "source_type": "SOURCE_TYPE_GIT", "source_name": "trufflehog - git", "repo_count": 1}
> ```

Yeah. Trying to figure that out. I went by the example in the README for the project.

Hopefully it's not because this is a private repo.
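A form of the workflow that avoids the `unable to resolve base ref` error above, as an added example and not the aperf project's own file. Assumed here (the PR does not show the checkout step): the job used actions/checkout at its default depth of 1, so `main` was never fetched and TruffleHog could not resolve it as the base; the TruffleHog action's README requires `fetch-depth: 0` for exactly this reason.

```yaml
# Added example: scan only the commits a PR introduces for secrets.
# Assumption: the failing run checked out the repo at depth 1, so the
# default branch was absent and "no base refs succeeded" was reported.
name: TruffleHog secret scan

on:
  pull_request:            # run on every PR, including PRs from forks

permissions:
  contents: read           # read-only is enough; fork PRs get no more anyway

jobs:
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout full history
        uses: actions/checkout@v4
        with:
          # fetch-depth: 0 fetches all branches and tags, so the default
          # branch exists locally and can serve as the scan's base ref.
          # With the default shallow clone (depth 1) TruffleHog logs
          # "unable to resolve base ref: no base refs succeeded".
          fetch-depth: 0

      - name: TruffleHog OSS
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # base/head bound the scan: only commits reachable from HEAD
          # but not from the default branch are inspected, so the job
          # checks the PR's own changes rather than rescanning main.
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
```

If the log still shows the error after this change, check the run's checkout step output for the fetched refs before looking at the TruffleHog inputs.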

@janaknat janaknat force-pushed the janaknat-patch-2 branch 2 times, most recently from cf00f6d to 262f35b Compare September 19, 2023 20:33
test-key (Outdated), comment on lines 6 to 44:

```
-----BEGIN OPENSSH PRIVATE KEY-----
[key material omitted]
-----END OPENSSH PRIVATE KEY-----
```
Contributor

Naughty naughty!

This ensures no secrets are committed as part of a PR.
@janaknat janaknat merged commit d284d38 into main Sep 26, 2023
5 checks passed
@janaknat janaknat deleted the janaknat-patch-2 branch October 3, 2023 19:11