Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings
Secret Scan

test: Assert traces_sampler called once #3911

Sign in to view logs

test: Assert traces_sampler called once

test: Assert traces_sampler called once #3911

Workflow file for this run

getsentry/.github/.github/workflows/secret-scan.yml at ff9df441f4cb586d07b729ff9559304bfe775c97
name: Secret Scan
on: [pull_request, merge_group]
jobs:
secret-scan:
name: Secret Scan
runs-on: ubuntu-latest
permissions:
contents: "read"
outputs:
latest_release: ${{ steps.trufflehog_release.outputs.latest_release }}
latest_tag_name: ${{ steps.trufflehog_release.outputs.latest_tag_name }}
steps:
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Pin Trufflehog to a know good release
id: trufflehog_release
shell: bash
# run: |
# LATEST_TAG_NAME=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases/latest | jq -r .name)
# LATEST_RELEASE=$(echo ${LATEST_TAG_NAME:1})
# echo "latest_tag_name=$LATEST_TAG_NAME" >> "$GITHUB_OUTPUT"
# echo "latest_release=$LATEST_RELEASE" >> "$GITHUB_OUTPUT"
run: |
echo "latest_tag_name=v3.88.25" >> "$GITHUB_OUTPUT"
echo "latest_release=3.88.25" >> "$GITHUB_OUTPUT"
- name: Download and verify TruffleHog release
run: |
curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem
curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig
curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz
cosign verify-blob trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt \
--certificate trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem \
--signature trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig \
--certificate-identity-regexp 'https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
sha256sum --ignore-missing -c trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
- name: Extract TruffleHog
run: |
tar xzf trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz -C /usr/local/bin
chmod +x /usr/local/bin/trufflehog
- name: Run TruffleHog scan
continue-on-error: true
id: scan
run: |
if [ -e .secret_scan_ignore ]; then
trufflehog git file://. --only-verified --github-actions --fail --exclude-paths=.secret_scan_ignore --exclude-detectors="datadogtoken"
else
trufflehog git file://. --only-verified --github-actions --fail --exclude-detectors="datadogtoken"
fi
- name: Send Alert to SIEM
id: alert
run: |
if [[ -n "${{vars.SECRET_SCAN_SIEM_WEBHOOK_URL}}" ]]; then
curl "${{vars.SECRET_SCAN_SIEM_WEBHOOK_URL}}" \
--data '{"event":"github_secret_scanning", "status":"${{steps.scan.outcome}}", "createdAt":"${{ github.event.pull_request.created_at }}", "repo":"${{ github.repository }}","pull_request":"https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}","actor":"${{ github.event.pull_request.user.login }}"}'
fi
- name: Fail workflow if secret detected
if: steps.scan.outcome != 'success'
run: exit 1
Morty Proxy This is a proxified and sanitized view of the page, visit original site.