diff --git a/.github/workflows/PrBot.yml b/.github/workflows/PrBot.yml
index 9fda3a9..94c95c5 100644
--- a/.github/workflows/PrBot.yml
+++ b/.github/workflows/PrBot.yml
@@ -50,4 +50,53 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ secret_scan:
+ name: Running Comprehensive Secret Scan
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Install TruffleHog using pip
+ run: |
+ pip install truffleHog
+
+ - name: Run TruffleHog Scan (pip)
+ run: |
+ trufflehog --regex --entropy=False ${GITHUB_HEAD_REF} --json > trufflehog_pip_scan.json
+
+ - name: Run TruffleHog Enterprise Scan
+ uses: trufflesecurity/TruffleHog-Enterprise-Github-Action@main
+ with:
+ args: --fail-verified ${{ github.event.repository.default_branch }} HEAD --json > trufflehog_action_scan.json
+
+ - name: Install Gitleaks
+ run: |
+ curl -sSL https://github.com/zricethezav/gitleaks/releases/latest/download/gitleaks-linux-amd64.tar.gz | tar -xz -C /usr/local/bin
+ chmod +x /usr/local/bin/gitleaks
+
+ - name: Run Gitleaks Scan
+ run: |
+ gitleaks detect --source . --report-format json --report-path gitleaks_scan.json
+
+ - name: Combine Scan Results
+ run: |
+ echo "Combining scan results into a single file."
+ echo "[" > combined_scan_results.json
+ cat trufflehog_pip_scan.json >> combined_scan_results.json
+ echo "," >> combined_scan_results.json
+ cat trufflehog_action_scan.json >> combined_scan_results.json
+ echo "," >> combined_scan_results.json
+ cat gitleaks_scan.json >> combined_scan_results.json
+ echo "]" >> combined_scan_results.json
+ echo "Scan results combined into combined_scan_results.json"
+
+ - name: Upload Scan Results
+ uses: actions/upload-artifact@v2
+ with:
+ name: combined-scan-results
+ path: combined_scan_results.json
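Review bot: The combined report uploaded in the `Upload Scan Results` step is downloadable by anyone with read access to the workflow run, and secret-scanner JSON output normally carries the matched strings themselves, so a true positive would republish the leaked credential as a build artifact; prefer failing the job on findings without uploading the raw report, or redact the matched values before the upload step. The `Install Gitleaks` step fetches the `latest` release over the network with no version pin or digest check, and `TruffleHog-Enterprise-Github-Action@main` tracks a mutable branch, so an upstream change or compromise silently changes what runs on this repository's code; pin both to a release tag or commit SHA, e.g. `uses: trufflesecurity/TruffleHog-Enterprise-Github-Action@<pinned-tag-or-sha>`, and compare the tarball against a known checksum before extracting into `/usr/local/bin`. In that same action, `> trufflehog_action_scan.json` inside `args` is presumably passed to the action as literal arguments rather than interpreted by a shell, so the file likely never exists and `cat trufflehog_action_scan.json` in the combine step would fail; the combine and upload steps also lack `if: always()`, so `--fail-verified` exiting non-zero skips them entirely. The combine step further assumes each scanner emits one JSON value; if any of them writes one object per line, the comma-joined array is not valid JSON, so check each tool's output format before consumers rely on the file. Smaller points: quote the contributor-controlled ref in the pip step as `"${GITHUB_HEAD_REF}"` to avoid word splitting and globbing, and `actions/upload-artifact@v2` is deprecated in favour of `actions/upload-artifact@v4`.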