feat: add secret-scan and trufflehog-scan actions #30
Open
Conversation
Extracts the secret_scanner and trufflehog-package-analysis jobs from the flutter-security-checks workflow into reusable composite actions.
Docker-based trufflesecurity/trufflehog@main fails on k8s runners because the workspace volume mount is not accessible inside the container. Install the binary directly and run it via a shell script.
/usr/local/bin is not writable on the k8s self-hosted runner. RUNNER_TEMP is always writable; adding it to GITHUB_PATH makes trufflehog available in subsequent steps.
The Docker mounting works fine on the k8s runner. The actual failure was a git safe.directory mismatch — git 2.35.2+ refuses repos owned by a different uid inside the container. Adding a safe.directory config step before the action resolves this. Also adds a head input and simplifies path args inline.
The runner mounts RUNNER_TEMP/_github_home as /github/home inside the Docker container and sets HOME to that path. Writing safe.directory /tmp into that gitconfig makes git inside the TruffleHog container trust the mounted workspace.
Use docker run directly with -v $GITHUB_WORKSPACE:/repo so the absolute path is mounted explicitly instead of relying on the official action's -v .:/tmp which doesn't resolve correctly on this runner.
Run trufflehog in 'github' mode so it fetches directly from the GitHub API using GITHUB_TOKEN. Avoids all Docker volume mounting entirely.
Use --pr flag with the pull request number so TruffleHog fetches directly via GitHub API, avoiding Docker volume mount issues on k8s runners.
Use 'trufflehog git <remote-url>' with --since-commit and --branch instead of the github subcommand, which doesn't support PR-scoped scanning in the OSS version. This clones directly from GitHub via the API token and avoids Docker volume mount issues on k8s runners.
Parse JSON output and emit ::error file=...,line=...:: annotations so findings appear inline in the PR diff view.
Use -v GITHUB_WORKSPACE:/repo and file:///repo so TruffleHog scans the already-checked-out repo. GITHUB_TOKEN is no longer required.
The official Docker action gets the workspace mounted by GitHub's runner infrastructure directly, bypassing DinD. No GITHUB_TOKEN needed.
Replaces the failed DinD volume-mount experiment with the working remote git clone strategy: TruffleHog clones the repo via oauth2 token URL, scans since the PR base commit, and emits inline GitHub Actions annotations via Python JSON parsing.
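The two commits above describe parsing TruffleHog's JSON output and emitting `::error file=...,line=...::` workflow commands so findings show up inline in the PR diff. The script below is an added illustration of that step, not the PR's own script. It assumes TruffleHog v3's one-JSON-object-per-line output with `SourceMetadata.Data.Git.file`/`line` (or `.Filesystem.file`/`line` for filesystem scans) and `DetectorName`/`Verified`/`Redacted` fields; the two sample findings are constructed and contain no real credentials. It deliberately annotates only the `Redacted` value, never `Raw`, because workflow logs are often readable by anyone with read access to the repository, and it applies GitHub's workflow-command escaping so a finding containing `:`, `,` or `%` cannot break the annotation.

```python
"""Turn TruffleHog --json findings into GitHub Actions ::error annotations.

Added example; not the action's own code. Exit status 1 when any finding is
present so the composite action step fails closed.
"""
import json
import sys
from typing import Iterator, Optional, Tuple, List

# Constructed sample of TruffleHog v3 output: one JSON object per finding plus a
# stray non-JSON log line, which real runs also produce. No real secrets.
SAMPLE_OUTPUT = """\
{"SourceMetadata":{"Data":{"Git":{"commit":"deadbeef","file":"lib/config.dart","email":"dev@example.com","repository":"file:///repo","timestamp":"2024-01-01 00:00:00 +0000","line":12}}},"SourceName":"trufflehog - git","DetectorName":"AWS","Verified":true,"Raw":"AKIAEXAMPLEEXAMPLE00","Redacted":"AKIA****************"}
{"SourceMetadata":{"Data":{"Git":{"commit":"cafef00d","file":"README.md","line":3}}},"DetectorName":"URI","Verified":false,"Raw":"https://user:pw@example.com","Redacted":"https://user:****@example.com"}
2024-01-01T00:00:00Z info finished scanning (not JSON)
"""


def _escape_data(s: str) -> str:
    # Workflow-command message escaping: '%', CR and LF.
    return s.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def _escape_property(s: str) -> str:
    # Property values (file=, title=) additionally escape ':' and ','.
    return _escape_data(s).replace(":", "%3A").replace(",", "%2C")


def parse_findings(raw: str) -> Iterator[dict]:
    """Yield finding objects, skipping blank and non-JSON lines."""
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate interleaved log lines
        if isinstance(obj, dict) and "DetectorName" in obj:
            yield obj


def _location(finding: dict) -> Tuple[Optional[str], Optional[int]]:
    """Return (file, line); Git and Filesystem sources nest them differently."""
    data = finding.get("SourceMetadata", {}).get("Data", {})
    for key in ("Git", "Filesystem"):
        meta = data.get(key)
        if meta:
            return meta.get("file"), meta.get("line")
    return None, None


def annotation(finding: dict) -> str:
    """Build one ::error workflow command for a finding."""
    file, line = _location(finding)
    detector = finding.get("DetectorName", "unknown")
    verified = "verified" if finding.get("Verified") else "unverified"
    # Never emit finding["Raw"]: the redacted form is enough to locate the leak.
    redacted = finding.get("Redacted") or "<redacted>"
    props: List[str] = []
    if file:
        props.append(f"file={_escape_property(file)}")
    if line is not None:
        props.append(f"line={int(line)}")
    title = f"{detector} secret ({verified})"
    props.append(f"title={_escape_property(title)}")
    message = _escape_data(f"{detector} credential ({verified}): {redacted}")
    return f"::error {','.join(props)}::{message}"


def annotate(raw: str) -> List[str]:
    return [annotation(f) for f in parse_findings(raw)]


def main() -> int:
    raw = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    lines = annotate(raw)
    for cmd in lines:
        print(cmd)
    return 1 if lines else 0


if __name__ == "__main__":
    sys.exit(main())
```

In a composite action this would run as `trufflehog git file:///repo --json ... | python3 annotate.py` after the scan step, with the non-zero exit failing the job.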
Downloads the TruffleHog Linux binary from GitHub Releases at run time and scans the locally checked-out repo (file:// URL). This removes the need for Docker volume mounts (which fail on DinD k8s runners) and removes the GITHUB_TOKEN requirement from the action entirely.
Before running TruffleHog, the script now:
1. Downloads cosign v3.0.5 (pinned, SHA256-verified as trust anchor)
2. Uses cosign to verify TruffleHog's checksums.txt against its cosign certificate + signature from the release
3. Verifies the tarball SHA256 against the verified checksums file
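As an added illustration of steps 2 and 3 above (not the PR's script), the block below builds the cosign `verify-blob` invocation for the release's checksums file and then checks the downloaded tarball against that file, failing closed when the asset is missing from the list or the digest does not match. The checksums text, tarball bytes and asset name are constructed placeholders; the certificate identity is a placeholder regexp that a real action would pin to the publisher's release workflow. `--certificate`, `--signature`, `--certificate-identity-regexp` and `--certificate-oidc-issuer` are real cosign flags; whether the command itself passes is only meaningful against real release artifacts, so it is returned as an argv list rather than executed here.

```python
"""Verify a downloaded tarball against a cosign-verified checksums file.

Added example, not the action's own code. Step 2 (cosign verify-blob) must
succeed before step 3 (SHA256 lookup) means anything, which is why the
command is built first and the digest check trusts only the verified file.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed stand-ins for the release assets.
TARBALL_NAME = "trufflehog_EXAMPLE_linux_amd64.tar.gz"  # placeholder asset name
TARBALL_BYTES = b"not a real tarball, constructed for this example\n"
CHECKSUMS_TXT = (
    f"{hashlib.sha256(TARBALL_BYTES).hexdigest()}  {TARBALL_NAME}\n"
    "0000000000000000000000000000000000000000000000000000000000000000 "
    "*trufflehog_EXAMPLE_darwin_arm64.tar.gz\n"
)
# GitHub Actions OIDC issuer used by keyless (Fulcio) signatures from a workflow.
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
# Placeholder: pin to the publisher's release workflow in a real action.
PUBLISHER_IDENTITY_RE = r"^https://github\.com/EXAMPLE-ORG/EXAMPLE-REPO/\.github/workflows/.*$"


def cosign_verify_command(checksums: str, cert: str, sig: str) -> List[str]:
    """argv for step 2: verify checksums.txt with its detached cert + signature."""
    return [
        "cosign", "verify-blob",
        "--certificate", cert,
        "--signature", sig,
        "--certificate-identity-regexp", PUBLISHER_IDENTITY_RE,
        "--certificate-oidc-issuer", GITHUB_OIDC_ISSUER,
        checksums,
    ]


def parse_checksums(text: str) -> Dict[str, str]:
    """Parse '<sha256>  <name>' lines (sha256sum format, '*' = binary mode)."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        name = name.lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad digest for {name}: {digest!r}")
        table[name] = digest
    return table


def verify_tarball(name: str, data: bytes, checksums_text: str) -> bool:
    """Step 3: True only if the asset is listed and its SHA256 matches."""
    expected = parse_checksums(checksums_text).get(name)
    if expected is None:
        return False  # fail closed: an unlisted asset is unverifiable
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(" ".join(cosign_verify_command("checksums.txt", "checksums.txt.pem", "checksums.txt.sig")))
    print("tarball ok:", verify_tarball(TARBALL_NAME, TARBALL_BYTES, CHECKSUMS_TXT))
```

The same fail-closed rule applies to the cosign binary itself, which the commit pins by version and SHA256 before it is trusted to verify anything else.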
Force-pushed from b94b653 to c105642.
Examples:
Summary
- secret_scanner and trufflehog-package-analysis jobs from the now-deleted flutter-security-checks reusable workflow into standalone composite actions
- secret-scan: wraps max/secret-scan@master with optional include-path / exclude-path inputs
- trufflehog-scan: wraps trufflesecurity/trufflehog@main with optional base, exclude-paths, and include-paths inputs; caller is expected to checkout with fetch-depth: 0

Test plan