-
Notifications
You must be signed in to change notification settings - Fork 415
46 lines (36 loc) · 1.53 KB
/
scan-with-trufflehog.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# Name of this GitHub Actions workflow.
name: Scan Application Code with Trufflehog OSS
on:
# Trigger the workflow on the following events:
# Scan changed files in Pull Requests (diff-aware scanning).
pull_request: {}
# Trigger the workflow on-demand through the GitHub Actions interface.
workflow_dispatch: {}
# Scan mainline branches (main and development) and report all findings.
push:
branches: ["development"]
jobs:
trufflehog:
# User definable name of this GitHub Actions job.
name: Scan Application Code with Trufflehog OSS
# Specify the runner environment. Use the latest version of Ubuntu.
runs-on: ubuntu-latest
# Define permissions for specific GitHub Actions.
permissions:
actions: read # Permission to read GitHub Actions.
contents: read # Permission to read repository contents.
security-events: write # Permission to write security events.
# Skip any Pull Request created by the Dependabot to avoid permission issues.
if: (github.actor != 'dependabot[bot]')
steps:
- name: Checkout code
uses: actions/checkout@main
with:
fetch-depth: 0
# Step: Checkout code
# Action to check out the code from the repository.
# This step fetches the codebase from the GitHub repository.
- name: TruffleHog Enterprise scan
uses: trufflesecurity/TruffleHog-Enterprise-Github-Action@main
with:
args: --fail-verified ${{ github.event.repository.default_branch }} HEAD