@@ -3,17 +3,17 @@ name: Static Analysis - Advanced Secret Scan
33
44# When this workflow triggers
55on :
6- # Allows you to run this workflow manually from the Actions tab
7- workflow_dispatch :
6+ # Allows you to run this workflow manually from the Actions tab
7+ workflow_dispatch :
88
9- # Allow this workflow to be called from another workflow
10- workflow_call :
9+ # Allow this workflow to be called from another workflow
10+ workflow_call :
1111
12- # Run the unit tests on every change
13- push :
14- branches : [ main ]
15- pull_request :
16- branches : [ main ]
12+ # Run the unit tests on every change
13+ push :
14+ branches : [main]
15+ pull_request :
16+ branches : [main]
1717
1818# Define each session of execution that should be executed
1919jobs :
@@ -24,10 +24,60 @@ jobs:
2424 # Operating system filter for the runners
2525 runs-on : ubuntu-latest
2626
27+ # Sets the scopes available to the github_token injected to the GH Actions runner
28+ permissions :
29+ contents : read
30+
2731 steps :
28- # Checks-out your repository under $GITHUB_WORKSPACE
29- - name : Clone Repo
30- uses : actions/checkout@v4
32+ # Calculate the depth and branch for checkout optimization
33+ - name : Calculate Checkout Depth and Branch
34+ shell : bash
35+ env :
36+ # Untrusted inputs passed via env (no use inside the run script of ${{ }}).
37+ UNTRUST_PR_REF : ${{ github.event.pull_request.head.ref }}
38+ UNTRUST_PR_COMMITS_COUNT : ${{ github.event.pull_request.commits }}
39+ UNTRUST_PUSH_COMMIT_LIST_JSON : ${{ toJson(github.event.commits) }}
40+ run : |
41+ # Exit on error (-e), treat unset variables as errors (-u), and fail on pipeline errors (-o pipefail)
42+ set -euo pipefail
43+
44+ # If this run was triggered by a push event
45+ if [ "$GITHUB_EVENT_NAME" = "push" ]; then
46+ # Count how many commits are in the push event using jq (a JSON parser)
47+ raw_depth=$(printf '%s' "$UNTRUST_PUSH_COMMIT_LIST_JSON" | jq 'length')
48+ # Make sure the depth is a valid number; if not, default to 0
49+ if ! [[ "$raw_depth" =~ ^[0-9]+$ ]]; then raw_depth=0; fi
50+ # Add a small buffer (+2) so we have enough history for scanning
51+ depth=$(( raw_depth + 2 ))
52+ # Save the computed depth into the GitHub Actions environment for later steps
53+ printf 'depth=%s\n' "$depth" | tr -d '\n\r' >> "$GITHUB_ENV"
54+ # Use the branch name from the push event, cleaned of any stray characters
55+ safe_branch=$(printf '%s' "$GITHUB_REF_NAME" | tr -d '\n\r')
56+ # Save the branch name into the environment for later steps
57+ printf 'branch=%s\n' "$safe_branch" >> "$GITHUB_ENV"
58+ elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
59+ # Read the number of commits in the PR; default to 0 if missing
60+ pr_commits="${UNTRUST_PR_COMMITS_COUNT:-0}"
61+ # Validate that the commit count is a number; if not, set to 0
62+ if ! [[ "$pr_commits" =~ ^[0-9]+$ ]]; then pr_commits=0; fi
63+ # Add a small buffer (+2) so we have enough history for scanning
64+ depth=$(( pr_commits + 2 ))
65+ # Use the incoming PR branch name, cleaned of any stray characters
66+ safe_branch=$(printf '%s' "$UNTRUST_PR_REF" | tr -d '\n\r')
67+ # Save the computed depth into the environment for later steps
68+ printf 'depth=%s\n' "$depth" | tr -d '\n\r' >> "$GITHUB_ENV"
69+ # Save the branch name into the environment for later steps
70+ printf 'branch=%s\n' "$safe_branch" >> "$GITHUB_ENV"
71+ fi
72+
73+ # Downloads the repo at the specified depth calculated previously
74+ - uses : actions/checkout@v5
75+ with :
76+ ref : ${{env.branch}}
77+ fetch-depth : ${{env.depth}}
3178
32- - name : Scan for Secrets
33- uses : trufflesecurity/trufflehog@main
79+ # Run TruffleHog Scan against the downloaded repo
80+ - name : Scan for Secrets
81+ uses : trufflesecurity/trufflehog@0f58ae7c5036094a1e3e750d18772af92821b503
82+ with :
83+ extra_args : --results=verified,unknown
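Review bot: The `tr -d '\n\r'` applied to the depth line (once in the push branch, once in the pull_request branch) also strips the newline that printf emits, so the following `printf 'branch=…'` is appended to the same line of `$GITHUB_ENV` and the runner reads a single variable like `depth=5branch=main` with no `branch` at all; `depth` has already been validated against `^[0-9]+$`, so the filter is redundant and both lines should simply be `printf 'depth=%s\n' "$depth" >> "$GITHUB_ENV"`. For pull_request events the checkout `ref` is taken from `head.ref`, which for a fork names a branch that does not exist in the base repository, so the checkout would presumably fail there; `github.event.pull_request.head.sha` (passed through env and newline-stripped the same way) is the more robust choice and also pins exactly the commit that was scanned. When the run is started via workflow_dispatch or workflow_call neither variable is written, so `${{env.branch}}` and `${{env.depth}}` expand to empty strings; a comment on the checkout step such as `# branch/depth are empty for workflow_dispatch/workflow_call; checkout then uses its defaults` would make that fallback explicit rather than accidental. Lastly, `actions/checkout@v5` is tag-pinned while the trufflehog step is pinned to a commit SHA; pinning both the same way keeps the supply-chain posture of the workflow consistent.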