
feat(ci): add trufflehog secrets detection #745

Merged (4 commits, Jun 10, 2024)

Conversation

McPatate (Member)

What does this PR do?

Adding a GH action to scan for leaked secrets on each commit.

@McPatate McPatate requested a review from coyotte508 June 10, 2024 08:06
Comment on lines 12 to 13
with:
  fetch-depth: 0
coyotte508 (Member) Jun 10, 2024

Is there a reason to fetch the whole repo history?

McPatate (Member, Author)

No there isn't 😢

Wdyt of the code here: https://github.com/marketplace/actions/trufflehog-oss#shallow-cloning ?

McPatate (Member, Author)

Though we could make it so it goes through the whole history if we wanted, cf. the action's code: https://github.com/trufflesecurity/trufflehog/blob/3a029ea1932f93109bf9310607ed0f426483a891/action.yml

coyotte508 (Member)

Shallow cloning sounds good!

About making it go through the whole history, pretty sure nothing's been merged with secrets ever, but we can run it once if we want (no need to run it every time)

McPatate (Member, Author)

I just ran trufflehog on the repo and got a few HF tokens and an AWS access/secret key that are unverified (so I assume rotated).

@coyotte508 coyotte508 merged commit 2302fbf into main Jun 10, 2024
5 checks passed
@coyotte508 coyotte508 deleted the feat/add_trufflehog_ci branch June 10, 2024 15:31
coyotte508 (Member)

McPatate (Member, Author)

Looks like you used a ' in your commit message and the script wasn't expecting it. Let me check if I can find a way to circumvent it.
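The following workflow is an added example written for this page; it is not the workflow merged in this PR (the diff is not shown here) and not code from the trufflehog project. It ties together the two points of the thread: the shallow-clone approach discussed above (fetch only the commits of the push or PR plus one parent, and let the action derive the scan range from the event), and the failure reported in the last comment, where an apostrophe in a commit message broke the depth-computing script. The assumption behind the fix is that the script expanded `${{ toJson(github.event.commits) }}` directly inside the shell `run:` body, as the shallow-cloning recipe linked earlier does; in that layout a `'` in a message terminates the shell string, and a `$(...)` would execute. Reading the payload through `env:` removes both problems. Further assumptions: the action inputs `path` and `extra_args` from the linked action.yml, and the documented cap of 20 entries in a push payload's `commits` array, which is why the script falls back to a full fetch above that size.

```yaml
# Added example, not this PR's workflow and not trufflehog project code.
# Assumes: action inputs `path`/`extra_args`; push payloads list at most 20 commits.
name: Secrets detection

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:   # manual one-off full-history scan (second job)

permissions:
  contents: read

jobs:
  trufflehog:
    if: github.event_name != 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - name: Compute shallow fetch depth
        id: depth
        shell: bash
        # Event data enters through env, never via ${{ }} inside `run:`.
        # A commit message containing ' or $(...) is then just bytes in a
        # variable: it cannot close the script's quoting or run commands.
        env:
          EVENT_NAME: ${{ github.event_name }}
          PUSH_COMMITS: ${{ toJson(github.event.commits) }}
          PR_COMMITS: ${{ github.event.pull_request.commits }}
        run: |
          set -euo pipefail
          if [ "$EVENT_NAME" = "push" ]; then
            # jq parses the JSON straight from the environment; no shell quoting involved
            n=$(jq -n 'env.PUSH_COMMITS | fromjson | length')
          else
            n="$PR_COMMITS"
          fi
          if [ "$n" -ge 20 ]; then
            depth=0            # payload truncated (assumed 20-commit cap): fetch everything
          else
            depth=$((n + 2))   # the commits plus one parent, so there is a base to diff from
          fi
          echo "depth=$depth" >> "$GITHUB_OUTPUT"

      - uses: actions/checkout@v4
        with:
          fetch-depth: ${{ steps.depth.outputs.depth }}

      - name: TruffleHog OSS
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # --only-verified reports only credentials that validate against the provider;
          # drop it to also see unverified hits like the rotated tokens mentioned above.
          extra_args: --only-verified

  # The "run it once" case from the thread: a manual full-history scan, so the
  # cost of fetch-depth: 0 is not paid on every push. Uses the trufflehog CLI
  # from its Docker image on a file:// clone rather than the action.
  full-history:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: TruffleHog CLI over the whole history
        run: |
          docker run --rm -v "$PWD:/repo" trufflesecurity/trufflehog:latest \
            git file:///repo --only-verified --fail
```

The `env:` indirection is the general rule GitHub gives for untrusted event fields in `run:` steps, not something specific to commit messages: any expression whose value is author-controlled (PR titles, branch names, commit messages) should reach the shell only as an environment variable. The `+2` keeps one commit beyond the pushed range so the action can diff against a parent that exists in the shallow clone; without it a single-commit push on a depth-1 clone has nothing to compare against.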
