-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Enabling trivy and trufflehog (#526)
- Loading branch information
1 parent
8bfabae
commit a38f20e
Showing
5 changed files
with
53 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| name: Trivy Security Scan | ||
| on: | ||
| push: | ||
| branches: | ||
| - '*' # Triggers on pushes to all branches | ||
| jobs: | ||
| trivy-secrets-scan: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
| - name: Scan for secrets in the repository | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| scan-type: 'fs' # File system scan | ||
| trivy-config: .trivy/trivy.yaml # Path to the Trivy config file |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| name: Trufflehog Security Scan | ||
| on: | ||
| push: | ||
| branches: | ||
| - '*' # Triggers on pushes to all branches | ||
| jobs: | ||
| trufflehog-vulnerability-detection: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Secret Scanning | ||
| id: trufflehog_scan | ||
| uses: trufflesecurity/[email protected] | ||
| with: | ||
| path: ./ | ||
| base: "" # No specific base commit for comparison, scans the entire branch | ||
| head: ${{ github.ref_name }} # Current branch name | ||
| extra_args: --exclude-detectors uri --exclude-paths .trufflehog/.trufflehogignore.txt # Exclude the URI detector and specific files from scanning |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| secrets: | ||
| - id: private-key # Paste ID of the secret - https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go | ||
| paths: | ||
| - "generator/openssl/default.key" # Path to the file in repo that needs to ignored |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| scan: | ||
| scanners: | ||
| - secret | ||
| severity: | ||
| - UNKNOWN | ||
| - LOW | ||
| - MEDIUM | ||
| - HIGH | ||
| - CRITICAL | ||
| exit-code: 1 | ||
| ignorefile: .trivy/.trivyignore.yaml | ||
| debug: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| # Newline separated regexes for files or a path to specific file to exclude in scan | ||
| generator/openssl/default.key |