truffleHog now provides its own GitHub Action; see the truffleHog README for usage and details.
Scan your repository for committed secrets such as AWS tokens and private keys.

This is a fork of max/secret-scan with one additional option: an allow list of patterns, defined in a JSON file, that should not be reported as findings.

For more information about path filtering and allowed patterns, refer to the truffleHog documentation.
```yaml
on: push
name: Find Secrets
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: channelbeta/secret-scan@2.1.6
```

Because truffleHog walks commit history, the default shallow checkout of actions/checkout@v2 limits the scan to the commits it fetched; set `fetch-depth: 0` on the checkout step if the whole history should be scanned. As with any third-party action, pinning to a full commit SHA instead of a tag protects against the tag being moved.
Use path filters to control which files are scanned. Each filter file contains one regular expression per line, matched against the file path within the repository: with `include_path`, only paths matching at least one expression are scanned; with `exclude_path`, paths matching any expression are skipped.
```yaml
on: push
name: Find Secrets
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: channelbeta/secret-scan@2.1.6
        with:
          include_path: '<path-to>/include_paths.txt'
          exclude_path: '<path-to>/exclude_paths.txt'
```
Sample path filter file (one regular expression per line; this one skips the workflow directory, the Terraform lock file and JMeter test plans when used as an exclude list):

```text
^\.github\/
^\.terraform\.lock\.hcl$
.*\.jmx$
```
Use a JSON file to allow patterns that should not trigger a warning. Each key is a descriptive name for the entry; the value is either a literal string, or a regular expression when prefixed with `regex:`. A finding that matches an entry is not reported.
```yaml
on: push
name: Find Secrets
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: channelbeta/secret-scan@2.1.6
        with:
          allowed_patterns: '<path-to>/allowed_patterns.json'
```
Sample allowed patterns JSON:

```json
{
  "descriptive name": "-----BEGIN EC PRIVATE KEY-----\nfoobar123\n-----END EC PRIVATE KEY-----",
  "git cherry pick SHAs": "regex:Cherry picked from .*"
}
```

Line breaks inside a literal value are written as JSON `\n` escapes, and any backslash in a `regex:` value must be doubled (`\\d`, `\\.`) so that it survives JSON parsing. Note that a literal entry is committed to the repository in clear text, so only place known placeholders and test fixtures in this file, never a real credential, and keep regular expressions narrow so they cannot silently suppress an unrelated finding.
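The following Python script is an added example, not code from this action or from truffleHog: it models the two filter mechanisms described above (path include/exclude files and the `allowed_patterns` JSON) and applies them to a constructed set of findings, so the effect of each file can be checked before wiring it into the workflow. The matching semantics are assumptions drawn from this README: path regexes are matched from the start of the path (the leading `.*` in the sample `.*\.jmx$` suggests this), literal allow entries must equal the finding exactly, and `regex:` entries may match anywhere in it. The sample inputs, including the AWS documentation example key ID, are constructed for the example.

```python
"""Model of channelbeta/secret-scan's path filters and allow list (illustrative, not the action's code)."""
import json
import re

# Constructed: the README's sample path filter file, used here as an exclude list.
EXCLUDE_PATHS_TXT = r"""
^\.github\/
^\.terraform\.lock\.hcl$
.*\.jmx$
"""

# Constructed: an include list restricting the scan to two top-level directories.
INCLUDE_PATHS_TXT = r"""
^infra/
^src/
"""

# Constructed: the README's sample allowed patterns JSON.
ALLOWED_JSON = r'''
{
  "descriptive name": "-----BEGIN EC PRIVATE KEY-----\nfoobar123\n-----END EC PRIVATE KEY-----",
  "git cherry pick SHAs": "regex:Cherry picked from .*"
}
'''

# Constructed findings as (path, secret) pairs; AKIAIOSFODNN7EXAMPLE is the
# placeholder access key ID used in AWS documentation, not a live credential.
SAMPLE_FINDINGS = [
    ("src/config.py", "AKIAIOSFODNN7EXAMPLE"),
    ("src/fixtures/key.pem", "-----BEGIN EC PRIVATE KEY-----\nfoobar123\n-----END EC PRIVATE KEY-----"),
    (".github/workflows/deploy.yml", "AKIAIOSFODNN7EXAMPLE"),
    ("src/CHANGELOG.md", "Cherry picked from 0123456789abcdef"),
    ("docs/notes.md", "AKIAIOSFODNN7EXAMPLE"),
]


def load_path_filters(text):
    """Parse a path filter file: one regular expression per line, blank lines ignored."""
    return [re.compile(line) for line in text.splitlines() if line.strip()]


def should_scan(path, include=None, exclude=()):
    """A path is scanned if it matches at least one include regex (when an include
    list is given) and matches no exclude regex. Assumption: regexes are anchored
    at the start of the path, as with re.match."""
    if include and not any(rx.match(path) for rx in include):
        return False
    return not any(rx.match(path) for rx in exclude)


def load_allowed_patterns(text):
    """Parse the allow list into (name, matcher) pairs: values prefixed with
    'regex:' become compiled patterns, every other value stays a literal string."""
    entries = []
    for name, value in json.loads(text).items():
        if value.startswith("regex:"):
            entries.append((name, re.compile(value[len("regex:"):])))
        else:
            entries.append((name, value))
    return entries


def allowed_by(secret, allowed):
    """Return the name of the allow-list entry that suppresses `secret`, or None.
    Assumption: literal entries must equal the finding exactly; regex entries
    may match anywhere in it."""
    for name, matcher in allowed:
        if isinstance(matcher, str):
            if secret == matcher:
                return name
        elif matcher.search(secret):
            return name
    return None


def report(findings, include, exclude, allowed):
    """Apply both filters and return the (path, secret) pairs that would still be reported."""
    reported = []
    for path, secret in findings:
        if not should_scan(path, include, exclude):
            continue  # file is outside the scanned set
        if allowed_by(secret, allowed):
            continue  # finding is explicitly allowed
        reported.append((path, secret))
    return reported


if __name__ == "__main__":
    inc = load_path_filters(INCLUDE_PATHS_TXT)
    exc = load_path_filters(EXCLUDE_PATHS_TXT)
    allow = load_allowed_patterns(ALLOWED_JSON)
    for path, secret in report(SAMPLE_FINDINGS, inc, exc, allow):
        print(f"{path}: {secret.splitlines()[0]}")
```

Running it reports only `src/config.py`: the workflow file is excluded, `docs/` is not in the include list, the fixture key and the cherry-pick trailer are allow-listed. Swapping in your own filter files and a handful of representative findings is a quick way to confirm an exclude or allow entry is no broader than intended.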