78 changes: 78 additions & 0 deletions .github/workflows/trufflehog.yml.yml
@@ -0,0 +1,78 @@
# Security scan for secrets using TruffleHog
name: TruffleHog

on:
push:
branches:
- main
pull_request:

permissions:
contents: read
id-token: write
issues: write
pull-requests: write

jobs:
trufflehog:
runs-on: ubuntu-latest
defaults:
run:
shell: bash
steps:
# 1. Checkout the code
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0

# 2. Determine scan scope
- name: Set scan path
id: scan_path
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
CHANGED_FILES=$(git diff --name-only origin/${{ github.event.repository.default_branch }} HEAD | tr '\n' ' ')
echo "PATHS=$CHANGED_FILES" >> $GITHUB_ENV
else
echo "PATHS=./" >> $GITHUB_ENV
fi

# 3. Run TruffleHog scan
- name: TruffleHog OSS
id: trufflehog
run: |
trufflesecurity/trufflehog@main \
--path "${{ env.PATHS }}" \
--base "${{ github.event.repository.default_branch }}" \
--head HEAD \
--json --debug > trufflehog.json

# 4. Post results to PR (only runs for pull requests)
- name: Post results to PR
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const fs = require('fs');
const results = fs.readFileSync('trufflehog.json', 'utf8').trim();
const body = results.length > 0
? `🔍 **TruffleHog scan results:**\n\`\`\`json\n${results}\n\`\`\``
: '✅ No secrets found by TruffleHog.';
await github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body
});

# 5. Fail the build if secrets were found
- name: Fail if secrets found
run: |
if [ -s trufflehog.json ]; then
echo "❌ Secrets found!"
cat trufflehog.json
exit 1
else
echo "✅ No secrets found."
fi
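Review bot: The scan step never runs a scanner — `trufflesecurity/trufflehog@main \` inside `run:` is an action reference, not an executable, so bash exits with "command not found" before `trufflehog.json` receives any content, and the "Post results" and "Fail if secrets found" steps that read that file only ever see an empty file. Run a pinned TruffleHog image (or switch the step to `uses:` with the action's `path`/`base`/`head` inputs) and pin to a release tag or digest rather than `@main`, since this job holds `pull-requests: write` and `id-token: write`. Note also that `--path "${{ env.PATHS }}"` is substituted textually into the shell script from PR-author-chosen filenames; read it as `$PATHS` so the shell, not the runner, expands it. Separately, the "Post results to PR" step copies the findings JSON verbatim into a PR comment, and TruffleHog's JSON findings carry the matched value (the `Raw` field), so a genuine hit would republish the secret in the PR thread — post detector name, file and line only, or redact before commenting.
```yaml
      - name: TruffleHog OSS
        id: trufflehog
        run: |
          # <pinned-version> is a placeholder: pin to a release tag or image digest, not a floating tag
          # $PATHS is deliberately unquoted: the previous step writes a space-separated list
          docker run --rm -v "$PWD:/repo" -w /repo \
            trufflesecurity/trufflehog:<pinned-version> \
            filesystem $PATHS --json --results=verified > trufflehog.json
```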
2 changes: 1 addition & 1 deletion packages/frontend/package.json
Expand Up @@ -39,7 +39,7 @@
"gsap": "^3.12.5",
"lenis": "^1.1.16",
"livepeer": "^3.4.0",
"lucide-react": "^0.424.0",
"lucide-react": "^0.474.0",
"react": "^18.3.1",
"react-animated-cursor": "^2.11.2",
"react-calendar": "^5.1.0",