Secrets Scanning #185
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Secrets Scanning | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '00 05 * * *' #daily scan at 05:00 AM | |
| jobs: | |
| Secrets-Scanning: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v2 | |
| - name: Install detect-secrets | |
| run: | | |
| sudo pip install detect-secrets | |
| - name: Run detect-secrets scan | |
| run: | | |
| detect-secrets -C ${{ github.workspace }} scan > detect-secrets_scan_output.json | |
| - name: Upload detect-secrets scan output | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: detect-secrets_results | |
| path: detect-secrets_scan_output.json | |
| - name: Install Whispers | |
| run: sudo pip install whispers | |
| # Scan repo for secrets | |
| - name: Run whispers scan for the repository | |
| run: | | |
| whispers -F '.*\.(log|raw|html)' ${{ github.workspace }} > Whispers_scan_output.json | |
| # Upload Artifacts | |
| - name: Upload whispers scan output | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: whispers_results | |
| path: Whispers_scan_output.json | |
| - name: Install trufflehog Secret Scanning | |
| run: | | |
| curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin | |
| - name: Secret Scanning | |
| run: | | |
| trufflehog filesystem ${{ github.workspace }} -j > trufflehog-result.json | |
| - name: Upload whispers scan output | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: trufflehog-result | |
| path: trufflehog-result.json |