.github/workflows/secrets-detection-push.yaml

name: Secrets detection in commits pushed to default branch

on:
  repository_dispatch:
    types: [secrets_detection_in_default_branch]

jobs:
  review-received-event:
    if: ${{ github.event.client_payload.event.commits && (github.event.client_payload.event.ref == format('{0}{1}', 'refs/heads/', github.event.client_payload.event.repository.default_branch)) }}
    continue-on-error: true
    runs-on: ubuntu-latest
    outputs:
      ALL_COMMITS: ${{ steps.get-all-commits.outputs.all_commits_in_push || '[]' }}
    steps:
      - name: Display information about push
        id: display-information-about-push
        run: |
          echo "Repository to scan: ${{ github.event.client_payload.event.repository.name }}"
          echo "Pusher: ${{ github.event.client_payload.event.pusher.name }}"
      - name: Get commits from the event
        id: get-all-commits
        env:
          ORG_TOKEN: ${{ secrets.ORG_TOKEN }}
        run: |
          NUMBER_OF_COMMITS_IN_PUSH_EVENT=$(jq -c -r '.commits | length' <<< '${{ toJson(github.event.client_payload.event) }}')

          all_commits_in_push=$(jq -c -r '.commits' <<< '${{ toJson(github.event.client_payload.event) }}')
          echo "all_commits_in_push=$all_commits_in_push" >> $GITHUB_OUTPUT

          echo "Commits found in the push event:"
          echo "$NUMBER_OF_COMMITS_IN_PUSH_EVENT"

          # This logic is commented out because GitHub said that there should be no limit on the number of commits in a push event
          # if [ $NUMBER_OF_COMMITS_IN_PUSH_EVENT -lt 20 ]; then
          #   IMPORTANT: REMOVE ESCAPE CHARACTERS IF UNCOMMENTING THIS CODE
          #   all_commits_in_push=$(jq -c -r '.commits' <<< '$\{\{ toJson(github.event.client_payload.event) \}\}')
          #   echo "all_commits_in_push=$all_commits_in_push" >> $GITHUB_OUTPUT

          #   echo "Commits found in the push event:"
          #   echo "$NUMBER_OF_COMMITS_IN_PUSH_EVENT"
          # else
          #   IMPORTANT: REMOVE ESCAPE CHARACTERS IF UNCOMMENTING THIS CODE
          #   COMPARE_URL="https://api.github.com/repos/$\{\{ github.event.client_payload.event.repository.owner \}\}/$\{\{ github.event.client_payload.event.repository.name \}\}/compare/$\{\{ github.event.client_payload.event.before \}\}...$\{\{ github.event.client_payload.event.after \}\}"
          #   echo "Compare URL: $COMPARE_URL"
          #   PAGE=1
          #   ALL_COMMITS="[]"
          #   while true
          #   do
          #     RESPONSE=$(curl -H "Authorization: token $ORG_TOKEN" -H "Accept: application/vnd.github+json" -s "$COMPARE_URL?per_page=100&page=$PAGE")
          #     COMMITS_ON_PAGE=$(echo "$RESPONSE" | jq -c -r '.commits')
          #     NB_COMMITS_ON_PAGE=$(echo "$COMMITS_ON_PAGE" | jq -c -r 'length')
          #     if [ $NB_COMMITS_ON_PAGE -eq 0 ]; then
          #       break
          #     fi
          #     ALL_COMMITS=$(jq -c -s '.[0] + .[1]' <<< "$ALL_COMMITS $COMMITS_ON_PAGE")
          #     if [ $NB_COMMITS_ON_PAGE -lt 100 ]; then
          #       break
          #     fi
          #     PAGE=$((PAGE+1))
          #   done
          #   ALL_COMMITS=$(jq -c '[.[] | .id = .sha | del(.sha) | .author = .author.login | .timestamp = .commit.author.date | { id, url, timestamp, author } ]' <<< "$ALL_COMMITS")
          #   echo "all_commits_in_push=$ALL_COMMITS" >> $GITHUB_OUTPUT
          # fi
      - name: Display information about commits
        id: display-information-about-commits
        run: |
          NUMBER_OF_COMMITS=$(echo '${{ steps.get-all-commits.outputs.all_commits_in_push || '[]' }}' | jq '. | length')
          COMMITS=$(echo '${{ steps.get-all-commits.outputs.all_commits_in_push || '[]' }}' | jq -c '[.[] | .id]')
          echo "Number of commits to scan: $NUMBER_OF_COMMITS"
          echo "Commits to scan: $COMMITS"

  secrets-detection:
    needs: review-received-event
    if: ${{ github.event.client_payload.event.commits && (github.event.client_payload.event.ref == format('{0}{1}', 'refs/heads/', github.event.client_payload.event.repository.default_branch)) }}
    continue-on-error: true
    runs-on: ubuntu-latest
    strategy:
      max-parallel: 3
      matrix:
        commit: ${{ fromJson(needs.review-received-event.outputs.ALL_COMMITS) }}
      fail-fast: false
    steps:
      - name: Set environment variables
        id: set-environment-variables
        run: |
          SCAN_UUID=$(uuidgen -r | tr '[:upper:]' '[:lower:]')
          REPOSITORY_SCAN_UUID=$(uuidgen -r | tr '[:upper:]' '[:lower:]')
          echo "SCAN_UUID=$SCAN_UUID" >> "$GITHUB_ENV"
          echo "REPOSITORY_SCAN_UUID=$REPOSITORY_SCAN_UUID" >> "$GITHUB_ENV"
          echo "SCAN_REPORT_FILE=$SCAN_UUID.json" >> "$GITHUB_ENV"

      - name: Checkout scanning repository
        id: checkout-scanning-repository
        uses: actions/checkout@v4
        with:
          path: scanning-repository

      - name: Checkout repository
        id: checkout-repository
        uses: actions/checkout@v4
        with:
          repository: ${{ github.event.client_payload.event.repository.full_name }}
          token: ${{ secrets.ORG_TOKEN }}
          ref: ${{ matrix.commit.id }}
          path: repository

      - name: Check for custom detectors config file
        id: check-config
        continue-on-error: true
        if: ${{ vars.CUSTOM_DETECTORS_CONFIG_FILE != '' }}
        run: |
          custom_detectors_config_file_full_path="${GITHUB_WORKSPACE}/scanning-repository/${{ vars.CUSTOM_DETECTORS_CONFIG_FILE }}"
          if [ -f "$custom_detectors_config_file_full_path" ]; then
            echo "Custom detectors config file found: $custom_detectors_config_file_full_path"
            echo "custom_config=$custom_detectors_config_file_full_path" >> $GITHUB_OUTPUT
          else
            echo "Custom detectors config file not found. Using default configuration."
            echo "custom_config=" >> $GITHUB_OUTPUT
          fi

      - name: Perform secrets detection
        id: scan
        timeout-minutes: ${{ vars.SCAN_TIMEOUT_MINUTES || 15 }}
        continue-on-error: true
        working-directory: "${{ github.workspace }}/repository"
        run: |
          set +e
          start=$(date -u +"%Y-%m-%dT%H:%M:%S.%6N")
          if [ -n "${{ steps.check-config.outputs.custom_config }}" ]; then
            docker run --name secrets-finder -v "$(pwd):/repository" -v "${{ steps.check-config.outputs.custom_config }}:/configuration.yaml" -i ghcr.io/trufflesecurity/trufflehog@sha256:62d6e889cc2f647321617dcd9142b23f5ee7a577754c9dce3f453263e333de01 git file:///repository --fail --json --no-update --config=/configuration.yaml $(if [ "${{ vars.REPORT_ONLY_VERIFIED_SECRETS }}" = "true" ]; then echo "--only-verified"; fi); exit_code=$?
          else
            docker run --name secrets-finder -v "$(pwd):/repository" -i ghcr.io/trufflesecurity/trufflehog@sha256:62d6e889cc2f647321617dcd9142b23f5ee7a577754c9dce3f453263e333de01 git file:///repository --fail --json --no-update $(if [ "${{ vars.REPORT_ONLY_VERIFIED_SECRETS }}" = "true" ]; then echo "--only-verified"; fi); exit_code=$?
          fi
          end=$(date -u +"%Y-%m-%dT%H:%M:%S.%6N")

          echo "exit_code=$exit_code" >> $GITHUB_OUTPUT
          echo "start=$start" >> $GITHUB_OUTPUT
          echo "end=$end" >> $GITHUB_OUTPUT

          exit $exit_code

      - name: Retrieve logs from container
        id: retrieve-logs-container
        continue-on-error: true
        if: ${{ always() && steps.scan.outcome == 'failure' }}
        run: |
          docker logs secrets-finder | jq -s '[.[] | select(has("SourceMetadata"))] | unique' > $SCAN_REPORT_FILE
          FOUND_SECRETS=$(jq 'length > 0' $SCAN_REPORT_FILE)
          echo "found_secrets=$FOUND_SECRETS" >> $GITHUB_OUTPUT

      - name: Remove container
        id: remove-container
        continue-on-error: true
        run: |
          docker rm secrets-finder
          docker images | grep ghcr.io/trufflesecurity/trufflehog | awk '{print $3}' | xargs docker rmi

      - name: Display findings
        id: display-findings
        if: ${{ always() && steps.scan.outcome == 'failure' && steps.retrieve-logs-container.outputs.found_secrets == 'true' && vars.DEBUG == 'true' }}
        continue-on-error: true
        run: cat $SCAN_REPORT_FILE

      - name: Generate list of findings per committer
        id: generate-findings-per-committer
        if: ${{ always() && steps.scan.outcome == 'failure' && steps.retrieve-logs-container.outputs.found_secrets == 'true' }}
        continue-on-error: true
        run: |
          LIST_OF_FINDINGS=$(cat $SCAN_REPORT_FILE | jq '.')
          echo '{}' | jq -c --argjson list_of_findings "$LIST_OF_FINDINGS" '{"${{ matrix.commit.author }}": { "${{ matrix.commit.id }}": $list_of_findings }}' > "findings-${{ matrix.commit.id }}.json"

      - name: Upload updated list of findings per committer
        if: ${{ always() && steps.scan.outcome == 'failure' && steps.generate-findings-per-committer.outcome == 'success' && steps.retrieve-logs-container.outputs.found_secrets == 'true' }}
        continue-on-error: true
        uses: actions/upload-artifact@v4
        with:
          name: findings-${{ matrix.commit.id }}
          path: findings-${{ matrix.commit.id }}.json

      - name: Generate final report
        id: generate-final-report
        if: ${{ always() }}
        run: |
          TMP_FILE=$(mktemp)

          if [[ "${{ steps.scan.outcome }}" == "skipped" ]] || [[ "${{ steps.retrieve-logs-container.outcome }}" == "failure" ]]; then
            jq -n '{ "scan_type": "prevention", "start": "${{ steps.scan.outputs.start || 'N/A' }}", "end": "${{ steps.scan.outputs.end || 'N/A' }}", "status": "failure", "scan_mode": "${{ vars.REPORT_ONLY_VERIFIED_SECRETS == 'true' && 'verified' || 'all' }}", "scan_context": "commit", "scan_uuid": "${{ env.SCAN_UUID }}", "scan_identifier": "github_secrets_finder", "scm": "github", "results": [{ "scan_uuid": "${{ env.REPOSITORY_SCAN_UUID }}", "start": "${{ steps.scan.outputs.start || 'N/A' }}", "end": "${{ steps.scan.outputs.end || 'N/A' }}", "organization": "${{ github.event.client_payload.event.repository.owner }}", "repository": "${{ github.event.client_payload.event.repository.name }}", "status": "failure", "metadata": { "identifier": "${{ matrix.commit.id }}", "created_at": "${{ matrix.commit.timestamp }}" }, "findings": [] }] }' > "$TMP_FILE"
          else
            if [[ "${{ steps.scan.outcome }}" == "failure" ]]; then
              if [[ "${{ steps.scan.outputs.exit_code }}" == "183" ]]; then
                cat $SCAN_REPORT_FILE | jq -c '{ "scan_type": "prevention", "start": "${{ steps.scan.outputs.start }}", "end": "${{ steps.scan.outputs.end }}", "status": "success", "scan_mode": "${{ vars.REPORT_ONLY_VERIFIED_SECRETS == 'true' && 'verified' || 'all' }}", "scan_context": "commit", "scan_uuid": "${{ env.SCAN_UUID }}", "scan_identifier": "github_secrets_finder", "scm": "github", "results": [{ "scan_uuid": "${{ env.REPOSITORY_SCAN_UUID }}", "start": "${{ steps.scan.outputs.start || 'N/A' }}", "end": "${{ steps.scan.outputs.end || 'N/A' }}", "organization": "${{ github.event.client_payload.event.repository.owner }}", "repository": "${{ github.event.client_payload.event.repository.name }}", "status": "success", "metadata": { "identifier": "${{ matrix.commit.id }}", "created_at": "${{ matrix.commit.timestamp }}" }, "findings": . }] }' > "$TMP_FILE"
              else
                jq -n '{ "scan_type": "prevention", "start": "${{ steps.scan.outputs.start || 'N/A' }}", "end": "${{ steps.scan.outputs.end || 'N/A' }}", "status": "failure", "scan_mode": "${{ vars.REPORT_ONLY_VERIFIED_SECRETS == 'true' && 'verified' || 'all' }}", "scan_context": "commit", "scan_uuid": "${{ env.SCAN_UUID }}", "scan_identifier": "github_secrets_finder", "scm": "github", "results": [{ "scan_uuid": "${{ env.REPOSITORY_SCAN_UUID }}", "start": "${{ steps.scan.outputs.start || 'N/A' }}", "end": "${{ steps.scan.outputs.end || 'N/A' }}", "organization": "${{ github.event.client_payload.event.repository.owner }}", "repository": "${{ github.event.client_payload.event.repository.name }}", "status": "failure", "metadata": { "identifier": "${{ matrix.commit.id }}", "created_at": "${{ matrix.commit.timestamp }}" }, "findings": [] }] }' > "$TMP_FILE"
              fi
            else
              jq -n '{ "scan_type": "prevention", "start": "${{ steps.scan.outputs.start }}", "end": "${{ steps.scan.outputs.end }}", "status": "success", "scan_mode": "${{ vars.REPORT_ONLY_VERIFIED_SECRETS == 'true' && 'verified' || 'all' }}", "scan_context": "commit", "scan_uuid": "${{ env.SCAN_UUID }}", "scan_identifier": "github_secrets_finder", "scm": "github", "results": [{ "scan_uuid": "${{ env.REPOSITORY_SCAN_UUID }}", "start": "${{ steps.scan.outputs.start || 'N/A' }}", "end": "${{ steps.scan.outputs.end || 'N/A' }}", "organization": "${{ github.event.client_payload.event.repository.owner }}", "repository": "${{ github.event.client_payload.event.repository.name }}", "status": "success", "metadata": { "identifier": "${{ matrix.commit.id }}", "created_at": "${{ matrix.commit.timestamp }}" }, "findings": [] }] }' > "$TMP_FILE"
            fi
          fi

          mv "$TMP_FILE" "$SCAN_REPORT_FILE"

      - name: Configure AWS credentials
        id: configure-aws-credentials
        if: ${{ always() }}
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ vars.AWS_REGION }}
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
          role-session-name: SecretsFinderOngoingScanGitHub
          role-skip-session-tagging: true
          role-duration-seconds: 3600

      - name: Send findings to S3 bucket
        id: send-findings-to-s3-bucket
        if: ${{ always() && steps.configure-aws-credentials.outcome == 'success' }}
        run: |
          aws s3 cp $SCAN_REPORT_FILE s3://${{ vars.AWS_S3_BUCKET_NAME }}/secrets-finder/ongoing-scans/results/

  change-repo-visibility-if-secrets-found:
    needs: secrets-detection
    runs-on: ubuntu-latest
    if: ${{ always() && vars.HIDE_PUBLIC_REPOSITORIES_IF_SECRETS_FOUND == 'true' && github.event.client_payload.event.repository.visibility == 'public' }}
    steps:
      - name: Download list of findings per committer
        id: download-list-of-findings-per-committer
        uses: actions/download-artifact@v4
        with:
          path: /home/runner/work/all-findings

      - name: Change repository visibility (if needed)
        id: change-repo-visibility
        continue-on-error: true
        run: |
          if [ -d "/home/runner/work/all-findings" ]; then
            echo "Findings found. Changing repository visibility to private."
            curl -X PATCH -H "Authorization: token ${{ secrets.ORG_TOKEN }}" -H "Accept: application/vnd.github.nebula-preview+json" https://api.github.com/repos/${{ github.event.client_payload.event.repository.full_name }} -d '{"visibility": "private"}' &>/dev/null
          else
            echo "No findings found. Repository visibility will not be changed."
          fi

  manage-list-of-findings-per-committer:
    needs: [secrets-detection, change-repo-visibility-if-secrets-found]
    if: ${{ always() && (needs.change-repo-visibility-if-secrets-found.result == 'success' || github.event.client_payload.event.repository.visibility != 'public') }}
    runs-on: ubuntu-latest
    steps:
      - name: Download list of findings per committer
        id: download-list-of-findings-per-committer
        uses: actions/download-artifact@v4
        with:
          path: /home/runner/work/all-findings

      - name: Aggregate findings (if any)
        id: aggregate-findings
        run: |
          if [ ! -d "/home/runner/work/all-findings" ]; then
            exit 1
          fi

          cd /home/runner/work/all-findings
          find . -type f -exec cp {} . \;
          jq -s 'reduce .[] as $item ({}; . * $item)' findings-*.json > findings-per-committer.json

      - name: Checkout scanning repository
        id: checkout-scanning-repository
        if: ${{ always() && steps.aggregate-findings.outcome == 'success' }}
        uses: actions/checkout@v4

      - name: Create issues for each committer
        id: create-issues-for-each-committer
        if: ${{ always() && steps.aggregate-findings.outcome == 'success' }}
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.ORG_TOKEN }}
          retries: 3
          script: |
            const fs = require('fs');
            const path = require('path');

            const create_issues = require(path.join(process.env.GITHUB_WORKSPACE, '.github', 'workflows', 'github-issues.js'));

            const github_context = { api: github.rest, server_url: "${{ github.server_url }}", scanned_repository_name: "${{ github.event.client_payload.event.repository.name }}", scanned_repository_owner: "${{ github.event.client_payload.event.repository.owner }}", secrets_finder_repository: "${{ github.repository }}", run_id: "${{ github.run_id }}" };
            const FINDINGS_PER_COMMITTER_FILE_CONTENT = fs.readFileSync('/home/runner/work/all-findings/findings-per-committer.json');
            const FINDINGS_PER_COMMITTER = JSON.parse(FINDINGS_PER_COMMITTER_FILE_CONTENT);

            await create_issues(github_context, FINDINGS_PER_COMMITTER);