godaddy / tartufo-action

Searches through git repositories for high entropy strings and secrets, digging deep into commit history

Home Page: https://tartufo.readthedocs.io/

License: MIT License

Dockerfile 12.26% Python 87.74%
security git entropy secrets secrets-scan security-scanner security-tools actions github-actions

tartufo-action's Introduction

tartufo-action

This GitHub Action scans your repository for secrets using tartufo.

The target repository should be checked out before invoking this action. The tartufo.toml file in the checked out branch will be used as the configuration.

Inputs

entropy

Optional Enable entropy checks. Default "true".

regex

Optional Enable regex checks. Default "true".

scan-filenames

Optional Enable filename checks. Default "true".

output-format

Optional The format in which the output is generated. Default "text".

entropy-sensitivity

Optional Modify entropy detection sensitivity. Default "75".

branch

Optional Scan only the specified branch. By default, all branches in the repository are scanned.

include-submodule

Optional Scan git submodules. Default "false".

Example usage

uses: godaddy/tartufo-action@v1
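A complete workflow that sets the inputs listed above, added here as an example; it is not from the action's README. The workflow, job and step names are arbitrary, `actions/checkout@v4` is a real action whose version tag is my choice, and `json` for output-format is a tartufo output format as I know it (the README lists only the default, `text`).

```yaml
# Added example, not part of the tartufo-action README.
name: Secrets scan

on:
  push:
  pull_request:

jobs:
  tartufo:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout with full history
        uses: actions/checkout@v4
        with:
          # tartufo digs through commit history; the default shallow clone
          # (fetch-depth 1) would leave every earlier commit unscanned.
          fetch-depth: 0

      - name: Scan for secrets
        # The tartufo.toml on the checked-out branch supplies the rest of
        # the configuration (exclusions, signatures, paths).
        uses: godaddy/tartufo-action@v1
        with:
          entropy: "true"
          regex: "true"
          scan-filenames: "true"
          output-format: "json"
          entropy-sensitivity: "75"
          include-submodule: "false"
          # branch is left unset so every branch in the repository is scanned
```

Action inputs are always strings, hence the quoted "true"/"75". The `@v1` tag is mutable; for supply-chain hygiene, pin `godaddy/tartufo-action` (and `actions/checkout`) to a full commit SHA and keep the tag in a trailing comment, as the workflow in the first issue further down this page does.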

tartufo-action's People

Contributors

agerard-godaddy, dcousineau, emayuri-godaddy, mayuriesha, rbailey-godaddy, renovate[bot], smimani-godaddy, sushantmimani


tartufo-action's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

dockerfile
Dockerfile
  • godaddy/tartufo 4.1.0

It seems to be not detecting secrets in the scan. It always passes

I added the action as follows in one of our repos:

# Workflow to run tartufo scan for PR

name: Tartufo

on:
  push:
    branches:
    - '*'

jobs:
  tartufo-scan:
    name: Tartufo Scan
    # No need for a self-hosted runner, since this is purely looking at the Git repo that's already pushed
    runs-on: [self-hosted, pep-ci]
    steps:
      - name: Checkout
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
        with:
          fetch-depth: 0

      - name: Perform Scan
        uses: godaddy/tartufo-action@7e34fe798485a138ba59ecf533f5a5dd790351bb # v3.2.0
        with:
          entropy-sensitivity: 100

To verify if it detects secrets correctly or not, I added the following line in the readme:

the password is 7e84fe798485a138ba59ecf533f5a5dd790351bb

While locally it reports a problem, on GitHub the action runs to completion without showing any error.
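The entropy check that the test line above exercises, as an added example: this is not tartufo's code and not part of the issue. It assumes (not confirmed by this page) that the 0..100 sensitivity scales the largest entropy the token's alphabet allows (4 bits per character for hex, 6 for base64), that a token is reported only when its entropy is strictly above that threshold, that tokens shorter than 20 characters are ignored, and that 75 is the default.

```python
"""Entropy-based secret detection with a 0..100 sensitivity knob.

Added example for this page; not tartufo's code. The linear threshold
mapping, the 20-character minimum and the default of 75 are assumptions.
"""
import math
from collections import Counter
from typing import List, Optional

HEX_ALPHABET = set("0123456789abcdefABCDEF")
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
MIN_LENGTH = 20  # shorter tokens are ignored (assumption)


def shannon_entropy(data: str) -> float:
    """Bits per character of the symbol distribution observed in `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_entropy_bits(token: str) -> Optional[float]:
    """Entropy ceiling for the token's alphabet, or None if it fits neither.

    Hex is tested first because every hex string is also valid base64.
    """
    chars = set(token)
    if chars <= HEX_ALPHABET:
        return 4.0
    if chars <= B64_ALPHABET:
        return 6.0
    return None


def threshold_bits(max_bits: float, sensitivity: int) -> float:
    """Assumed mapping: sensitivity 0 flags everything, 100 flags nothing."""
    if not 0 <= sensitivity <= 100:
        raise ValueError("sensitivity must be in 0..100")
    return max_bits * sensitivity / 100.0


def is_high_entropy(token: str, sensitivity: int = 75) -> bool:
    """True when the token is long enough and its entropy exceeds the threshold."""
    max_bits = max_entropy_bits(token)
    if max_bits is None or len(token) < MIN_LENGTH:
        return False
    return shannon_entropy(token) > threshold_bits(max_bits, sensitivity)


def scan_line(line: str, sensitivity: int = 75) -> List[str]:
    """Whitespace-separated tokens on `line` that would be reported."""
    return [tok for tok in line.split() if is_high_entropy(tok, sensitivity)]


# Constructed input: the README line from the report (a 40-hex-char git SHA
# shape) and a hex-only filler with no entropy to show the negative case.
SAMPLE_LINE = "the password is 7e84fe798485a138ba59ecf533f5a5dd790351bb"
FILLER_LINE = "padding = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

if __name__ == "__main__":
    for sens in (50, 75, 100):
        print(sens, scan_line(SAMPLE_LINE, sens), scan_line(FILLER_LINE, sens))
```

Under this mapping a sensitivity of 100 sets the threshold to the maximum entropy the alphabet can produce, which no string can strictly exceed, so nothing is ever reported; the 40-character SHA carries about 3.67 bits per character and is caught at the default of 75 (threshold 3.0) but not at 100 (threshold 4.0). Whatever the exact mapping a scanner uses, a CI job that must catch a planted secret should be validated with a sensitivity known to flag it, and it should fail the build on findings rather than merely run to completion.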

Problem running tartufo on my local macbook after the upgrade

tartufo --config ./tartofu.toml scan-local-repo --branch dev .
Traceback (most recent call last):
 File "/usr/local/bin/tartufo", line 8, in <module>
  sys.exit(main())
 File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1130, in __call__
  return self.main(*args, **kwargs)
 File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1055, in main
  rv = self.invoke(ctx)
 File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1657, in invoke
  return _process_result(sub_ctx.command.invoke(sub_ctx))
 File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
  return ctx.invoke(self.callback, **ctx.params)
 File "/usr/local/lib/python3.9/site-packages/click/core.py", line 760, in invoke
  return __callback(*args, **kwargs)
 File "/usr/local/lib/python3.9/site-packages/click/decorators.py", line 38, in new_func
  return f(get_current_context().obj, *args, **kwargs)
 File "/usr/local/lib/python3.9/site-packages/click/decorators.py", line 26, in new_func
  return f(get_current_context(), *args, **kwargs)
 File "/usr/local/lib/python3.9/site-packages/tartufo/commands/scan_local_repo.py", line 51, in main
  util.process_issues(repo_path, scanner, options)
 File "/usr/local/lib/python3.9/site-packages/tartufo/util.py", line 253, in process_issues
  echo_result(options, scan, repo_path, output_dir)
 File "/usr/local/lib/python3.9/site-packages/tartufo/util.py", line 104, in echo_result
  for issue in scanner.scan():
 File "/usr/local/lib/python3.9/site-packages/tartufo/scanner.py", line 578, in scan
  for issue in self.scan_entropy(chunk):
 File "/usr/local/lib/python3.9/site-packages/tartufo/scanner.py", line 601, in scan_entropy
  yield from self.evaluate_entropy_string(
 File "/usr/local/lib/python3.9/site-packages/tartufo/scanner.py", line 623, in evaluate_entropy_string
  if self.entropy_string_is_excluded(string, line, chunk.file_path):
 File "/usr/local/lib/python3.9/site-packages/tartufo/scanner.py", line 468, in entropy_string_is_excluded
  return bool(self.excluded_entropy) and any(
 File "/usr/local/lib/python3.9/site-packages/tartufo/scanner.py", line 286, in excluded_entropy
  self._excluded_entropy = config.compile_rules(patterns) if patterns else []
 File "/usr/local/lib/python3.9/site-packages/tartufo/config.py", line 287, in compile_rules
  match_type = MatchType(pattern.get("match-type", MatchType.Search.value))
AttributeError: 'String' object has no attribute 'get'

If I remove config, tartufo.toml isn't detected

[tool.tartufo]
repo-path = "."
json = false
regex = true
entropy = true
exclude-signatures = []
exclude-path-patterns = [
{ path-pattern = 'go.sum', reason = 'Module hashes' },
{ path-pattern = 'tartufo.toml', reason = 'This file' },
{ path-pattern = 'Dockerfile', reason = 'GITHUB_TOKEN url' },
{ path-pattern = 'Makefile', reason = 'GITHUB_TOKEN url' },
{ path-pattern = 'deployments/', reason = 'This file' },
{ path-pattern = 'swagger-ui/*', reason = 'This file' },
{ path-pattern = 'config.*/', reason = 'This file' },
{ path-pattern = ".github/workflows/build-deploy.yaml", reason = 'This file' },
{ path-pattern = ".github/workflows/create-runners.yaml", reason = 'This file' },
{ path-pattern = ".github/workflows/delete-runners.yaml", reason = 'This file' },
{ path-pattern = ".github/workflows/golang.yaml", reason = 'This file' },
]
exclude-entropy-patterns = [
".github/workflows/.*.yaml::^[a-zA-Z0-9]{40}$", # git SHAs in GH workflows
".github/actions/.*/action.yaml::^[a-zA-Z0-9]{40}$",
]
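A migration helper for the `exclude-entropy-patterns` entries in the config above, added as an example; it is not tartufo's code and not part of the issue. The traceback ends in `config.compile_rules` calling `pattern.get("match-type", ...)`, so each entry must be a mapping rather than the legacy `"path::regex"` string. The table keys used here (`path-pattern`, `pattern`, `reason`, plus the optional `match-type` that `compile_rules` reads) are the tartufo 3.x form as I understand it and are not confirmed by this page.

```python
"""Rewrite legacy "path::regex" entropy exclusions as TOML inline tables.

Added example for this page, not tartufo's code. Key names are assumed.
"""
from typing import Any, Dict, List, Tuple, Union

LEGACY_SEPARATOR = "::"


def split_legacy_pattern(entry: str) -> Tuple[str, str]:
    """Split on the FIRST '::' only, so a string regex containing '::' survives."""
    path, sep, regex = entry.partition(LEGACY_SEPARATOR)
    if not sep or not path or not regex:
        raise ValueError(f"not a legacy 'path::regex' entry: {entry!r}")
    return path, regex


def migrate_entropy_patterns(
    entries: List[Union[str, Dict[str, Any]]],
    reason: str = "migrated from legacy string form",
) -> List[Dict[str, Any]]:
    """Return a list in which every entry is a table; tables already present are copied."""
    migrated: List[Dict[str, Any]] = []
    for entry in entries:
        if isinstance(entry, dict):
            migrated.append(dict(entry))
        elif isinstance(entry, str):
            path, regex = split_legacy_pattern(entry)
            migrated.append({"path-pattern": path, "pattern": regex, "reason": reason})
        else:
            raise TypeError(f"unsupported entry type: {type(entry).__name__}")
    return migrated


def _toml_string(value: str) -> str:
    """Prefer a TOML literal string (no escape processing) so regexes stay verbatim;
    use a basic string with escaping only when the value contains a single quote."""
    if "'" not in value:
        return f"'{value}'"
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def render_toml_array(key: str, tables: List[Dict[str, Any]]) -> str:
    """Render `key = [ {...}, ... ]` as a TOML array of inline tables, one per line."""
    lines = [f"{key} = ["]
    for table in tables:
        fields = ", ".join(f"{k} = {_toml_string(str(v))}" for k, v in table.items())
        lines.append(f"    {{ {fields} }},")
    lines.append("]")
    return "\n".join(lines)


# Constructed input: the two legacy entries from the config in the issue.
LEGACY_ENTRIES = [
    ".github/workflows/.*.yaml::^[a-zA-Z0-9]{40}$",
    ".github/actions/.*/action.yaml::^[a-zA-Z0-9]{40}$",
]

if __name__ == "__main__":
    tables = migrate_entropy_patterns(LEGACY_ENTRIES, reason="git SHAs in GH workflows")
    print(render_toml_array("exclude-entropy-patterns", tables))
```

Literal (single-quoted) TOML strings are deliberate: a regex such as `\.yaml$` would be mangled by the escape processing of a double-quoted string. Paste the rendered array over the old `exclude-entropy-patterns` list, keeping the `[tool.tartufo]` table and the other keys unchanged.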
