From 98ced2527e954725fe0887329e0de24b9350ba1f Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Thu, 26 Sep 2024 15:36:03 +0200
Subject: [PATCH] feat(secret-scanning): Forward alerts to Panther (#142)

* send failed result to panther

* rename variables

* remove unnecessary `<`
---
 .github/workflows/secret-scan.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index fe0584c..761b06f 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -54,9 +54,20 @@ jobs:
           chmod +x /usr/local/bin/trufflehog
 
       - name: Run TruffleHog scan
+        id: scan
         run: |
           if [ -e .secret_scan_ignore ]; then
             trufflehog git file://. --only-verified --github-actions --fail --exclude-paths=.secret_scan_ignore --exclude-detectors="datadogtoken"
           else
             trufflehog git file://. --only-verified --github-actions --fail --exclude-detectors="datadogtoken"
           fi
+      - name: Send Alert to Panther
+        id: alert
+        if: steps.scan.outcome != 'success'
+        run: |
+          curl "${{vars.SECRET_SCAN_PANTHER_WEBHOOK_URL}}" \
+            --header "Authorization: Bearer ${{ secrets.SECRET_SCAN_PANTHER_WEBHOOK_HEADER }}" \
+            --data '{"event":"github_secret_scanning_failed", createdAt:"${{ github.event.pull_request.created_at }}", "repo":"${{ github.repository }}","pull_request":"https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}"","actor":"${{ github.event.pull_request.user.login }}"}'
+      - name: Fail workflow if secret detected
+        if: steps.scan.outcome != 'success'
+        run: exit 1