From 1dc82a82ad2747478a5b0196b8cebf4c5a2351d3 Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Thu, 26 Sep 2024 13:07:26 +0200
Subject: [PATCH 1/3] send failed result to panther
---
 .github/workflows/secret-scan.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index fe0584c..8aa7221 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -54,9 +54,20 @@ jobs:
 chmod +x /usr/local/bin/trufflehog
 - name: Run TruffleHog scan
+ id: scan
 run: |
 if [ -e .secret_scan_ignore ]; then
 trufflehog git file://. --only-verified --github-actions --fail --exclude-paths=.secret_scan_ignore --exclude-detectors="datadogtoken"
 else
 trufflehog git file://. --only-verified --github-actions --fail --exclude-detectors="datadogtoken"
 fi
+ - name: Send Alert to Panther
+ id: alert
+ if: steps.scan.outcome != 'success'
+ run: |
+ curl "${{vars.PANTHER_WEBHOOK_URL}}" \
+ --header "Authorization: Bearer ${{ secrets.PANTHER_WEBHOOK_HEADER }}" \
+ --data '{"event":"github_secret_scanning_failed", createdAt:"${{ github.event.pull_request.created_at }}", "repo":"${{ github.repository }}","pull_request":"https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}>"","actor":"${{ github.event.pull_request.user.login }}"}'
+ - name: Fail workflow if secret detected
+ if: steps.scan.outcome != 'success'
+ run: exit 1
From 1bf6492a7f8a3c1e3ba3316e3078697dc0573615 Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Thu, 26 Sep 2024 13:15:58 +0200
Subject: [PATCH 2/3] rename variables
---
 .github/workflows/secret-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index 8aa7221..beeedd4 100644
--- a/.github/workflows/secret-scan.yml
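Review bot: `if: steps.scan.outcome != 'success'` on the new alert step will not fire as written: the scan step has no `continue-on-error: true`, so a failing `trufflehog --fail` ends the job at that step and a step whose `if:` does not include `failure()` is skipped — which also leaves the trailing `exit 1` step redundant — so add `continue-on-error: true` to the `Run TruffleHog scan` step (or gate the alert with `if: ${{ failure() && steps.scan.outcome != 'success' }}`). The `--data` payload is not valid JSON — `createdAt` is an unquoted key and the `pull_request` value is followed by a doubled `""` — and patch 3 removes only the stray `>` while patch 2 carries the same line unchanged. curl also sends its default `application/x-www-form-urlencoded` content type for `--data`, and without `--fail` a 4xx/5xx from the webhook still leaves the step green, so a lost alert is invisible. The `${{ github.event.* }}` values are expanded into the shell script text before it runs; the fields used here are constrained by GitHub (timestamp, repository, number, login) and are empty on non-`pull_request` triggers (the `on:` block is outside this hunk), but routing them through `env:` and building the body with `jq` (preinstalled on GitHub-hosted runners; `runs-on` is outside the hunk) keeps the step safe if a free-text field such as the PR title is added later and fixes the quoting in one go, as in the rewrite below.
```yaml
      - name: Send Alert to Panther
        id: alert
        if: steps.scan.outcome != 'success'
        env:
          PANTHER_WEBHOOK_URL: ${{ vars.PANTHER_WEBHOOK_URL }}
          PANTHER_WEBHOOK_HEADER: ${{ secrets.PANTHER_WEBHOOK_HEADER }}
          PR_CREATED_AT: ${{ github.event.pull_request.created_at }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_ACTOR: ${{ github.event.pull_request.user.login }}
        run: |
          payload=$(jq -cn \
            --arg event github_secret_scanning_failed \
            --arg createdAt "$PR_CREATED_AT" \
            --arg repo "$GITHUB_REPOSITORY" \
            --arg pr "https://github.com/$GITHUB_REPOSITORY/pull/$PR_NUMBER" \
            --arg actor "$PR_ACTOR" \
            '{event: $event, createdAt: $createdAt, repo: $repo, pull_request: $pr, actor: $actor}')
          curl --fail -sS "$PANTHER_WEBHOOK_URL" \
            --header "Authorization: Bearer $PANTHER_WEBHOOK_HEADER" \
            --header "Content-Type: application/json" \
            --data "$payload"
      # … unchanged: "Fail workflow if secret detected" step …
```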
+++ b/.github/workflows/secret-scan.yml
@@ -65,8 +65,8 @@ jobs:
 id: alert
 if: steps.scan.outcome != 'success'
 run: |
- curl "${{vars.PANTHER_WEBHOOK_URL}}" \
- --header "Authorization: Bearer ${{ secrets.PANTHER_WEBHOOK_HEADER }}" \
+ curl "${{vars.SECRET_SCAN_PANTHER_WEBHOOK_URL}}" \
+ --header "Authorization: Bearer ${{ secrets.SECRET_SCAN_PANTHER_WEBHOOK_HEADER }}" \
 --data '{"event":"github_secret_scanning_failed", createdAt:"${{ github.event.pull_request.created_at }}", "repo":"${{ github.repository }}","pull_request":"https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}>"","actor":"${{ github.event.pull_request.user.login }}"}'
 - name: Fail workflow if secret detected
 if: steps.scan.outcome != 'success'
From cbbec00cfa746bbfeceda5dd59e6aaa944a9b2da Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Thu, 26 Sep 2024 13:16:14 +0200
Subject: [PATCH 3/3] remove unnecessary `<`
---
 .github/workflows/secret-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index beeedd4..761b06f 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -67,7 +67,7 @@ jobs:
 run: |
 curl "${{vars.SECRET_SCAN_PANTHER_WEBHOOK_URL}}" \
 --header "Authorization: Bearer ${{ secrets.SECRET_SCAN_PANTHER_WEBHOOK_HEADER }}" \
- --data '{"event":"github_secret_scanning_failed", createdAt:"${{ github.event.pull_request.created_at }}", "repo":"${{ github.repository }}","pull_request":"https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}>"","actor":"${{ github.event.pull_request.user.login }}"}'
+ --data '{"event":"github_secret_scanning_failed", createdAt:"${{ github.event.pull_request.created_at }}", "repo":"${{ github.repository }}","pull_request":"https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}"","actor":"${{ github.event.pull_request.user.login }}"}'
 - name: Fail workflow if secret detected
 if: steps.scan.outcome != 'success'
 run: exit 1