diff --git a/.github/workflows/secret_scan.yml b/.github/workflows/secret_scan.yml
new file mode 100644
index 0000000..4c06dda
--- /dev/null
+++ b/.github/workflows/secret_scan.yml
@@ -0,0 +1,24 @@
+name: Secrets Scan
+on:
+ pull_request:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ trufflehog:
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: '0'
+ - name: TruffleHog OSS
+ uses: trufflesecurity/trufflehog@main
+ with:
+ path: ./
+ base: main
+ head: HEAD
diff --git a/README.md b/README.md
index e47fc07..e597414 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,18 @@ Scan and generate report with custom path go run . scan --org your-org-name --report-path /your/file/path/ ``` +Scan with secrets detection using Trufflehog +> Ensure trufflehog is installed in your machine +```go +go run . detect --org your-org-name +``` + ## Documentation [docs](https://github.com/c0d3G33k/git-alert/tree/main/docs) > Please feel to reach out for any feedback and suggestions + +## Star History + +[![Star History Chart](https://api.star-history.com/svg?repos=boringtools/git-alerts&type=Date)](https://star-history.com/#boringtools/git-alerts&Date) +
diff --git a/cmd/detect.go b/cmd/detect.go
new file mode 100644
index 0000000..524b697
--- /dev/null
+++ b/cmd/detect.go
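Review bot: `uses: trufflesecurity/trufflehog@main` runs whatever that branch holds at the moment each pull request is opened, so the scanner executing in this job is not reproducible and a broken or compromised upstream push lands directly in CI; pin it to a release tag or, preferably, a full commit SHA, e.g. `uses: trufflesecurity/trufflehog@<release-tag-or-sha>`. `actions/checkout@v2` is several major versions old and runs on a deprecated Node runtime, so it deserves the same pinning and an upgrade. The `permissions: contents: read` block is the right default for a scan-only job. The `base: main` / `head: HEAD` pair presumably mirrors the action's documented usage for `pull_request` triggers, but it is worth confirming against the README of whichever version ends up pinned.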
@@ -0,0 +1,35 @@
+package cmd
+
+import (
+ "strconv"
+
+ "github.com/boringtools/git-alerts/common"
+ "github.com/boringtools/git-alerts/gh"
+ "github.com/boringtools/git-alerts/logger"
+ "github.com/boringtools/git-alerts/secrets"
+ "github.com/spf13/cobra"
+)
+
+var detectCmd = &cobra.Command{
+ Use: "detect",
+ Short: "Scan with secrets detection",
+ Long: ``,
+ Run: func(cmd *cobra.Command, args []string) {
+ envs := map[string]string{
+ "org": org,
+ "rfp": report,
+ "command": cmd.Use,
+ "csv": strconv.FormatBool(csv),
+ }
+ common.SetEnvs(envs)
+
+ gh.Connecter()
+ secrets.GetSecrets()
+
+ logger.LogP("Scan ended : ", common.GetTime())
+ },
+}
+
+func init() {
+ rootCmd.AddCommand(detectCmd)
+}
diff --git a/cmd/monitor.go b/cmd/monitor.go
index 3ab9f21..dfc3a59 100644
--- a/cmd/monitor.go
+++ b/cmd/monitor.go
@@ -1,13 +1,11 @@ package cmd import ( - "os" "strconv" "github.com/boringtools/git-alerts/common" "github.com/boringtools/git-alerts/gh" - "github.com/boringtools/git-alerts/config" "github.com/boringtools/git-alerts/logger" "github.com/boringtools/git-alerts/reporter" "github.com/spf13/cobra"
@@ -29,14 +27,7 @@ var monitorCmd = &cobra.Command{ common.SetEnvs(envs) - _, errScanFile := os.Stat(config.GhFilePaths()[1]) - - if errScanFile != nil { - logger.LogERR("Previous scan files not found") - logger.LogERR("If you are running it for the first time") - logger.LogERR("Please consider running the SCAN command first") - os.Exit(1) - } + common.CheckScanFiles() gh.Connecter() reporter.Notify() logger.LogP("Scan ended : ", common.GetTime())
diff --git a/common/common.go b/common/common.go
index 836c433..84bb4dd 100644
--- a/common/common.go
+++ b/common/common.go
@@ -4,6 +4,7 @@ import ( "os" "time" + "github.com/boringtools/git-alerts/config" "github.com/boringtools/git-alerts/logger" )
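Review bot: `Run` goes from `common.SetEnvs(envs)` straight to `gh.Connecter()` and `secrets.GetSecrets()`, yet `GetSecrets` (added in `secrets/get_secrets.go` in this commit) reads the repository list from `config.GhFileNames()[1]`, which appears to be the same scan output that the `monitor.go` hunk now guards with `common.CheckScanFiles()`; add `common.CheckScanFiles()` before `gh.Connecter()` so a first-time `detect` fails with the guided "run SCAN first" message instead of on a missing file. `Long` is an empty raw-string literal; either drop the field or give it the one sentence the README adds here, e.g. `Long: "Clone each non-fork repository of the organisation and run TruffleHog (must be on PATH) against it",` (constructed wording).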
@@ -38,6 +39,17 @@ func StartChecks() { } +func CheckScanFiles() { + _, errScanFile := os.Stat(config.GhFilePaths()[1]) + + if errScanFile != nil { + logger.LogERR("Previous scan files not found") + logger.LogERR("If you are running it for the first time") + logger.LogERR("Please consider running the SCAN command first") + os.Exit(1) + } +} + func Start() { currentTime := GetTime() logger.LogP("Scan started : ", currentTime)
diff --git a/secrets/get_secrets.go b/secrets/get_secrets.go
new file mode 100644
index 0000000..7ab98ca
--- /dev/null
+++ b/secrets/get_secrets.go
@@ -0,0 +1,50 @@
+package secrets
+
+import (
+ "encoding/json"
+ "os"
+ "strconv"
+
+ "github.com/boringtools/git-alerts/common"
+ "github.com/boringtools/git-alerts/config"
+ "github.com/boringtools/git-alerts/logger"
+)
+
+type Repos struct {
+ Name string `json:"full_name"`
+ CloneUrl string `json:"clone_url"`
+ Fork bool `json:"fork"`
+}
+
+var (
+ repo []Repos
+)
+
+func GetSecrets() {
+ logger.Log("Running secrets scan")
+ fileContent := common.GetJsonFileContent(config.GhFileNames()[1])
+ json.Unmarshal(fileContent, &repo)
+
+ directoryName := "cloned_repo"
+ directoryPath := os.Getenv("rfp") + directoryName
+
+ _, errDirExists := os.Stat(directoryPath)
+
+ if errDirExists != nil {
+ CreateDirectory(directoryPath)
+ } else {
+ RemoveDirectory(directoryPath)
+ CreateDirectory(directoryPath)
+ }
+
+ for key, value := range repo {
+ if !value.Fork {
+ cloneDirectory := directoryPath + "/" + strconv.Itoa(key)
+ tfTarget := "file://" + cloneDirectory
+
+ CloneRepo(value.CloneUrl, cloneDirectory)
+ RunTruffleHog(tfTarget)
+ RemoveDirectory(cloneDirectory)
+ }
+ }
+}
diff --git a/secrets/utils.go b/secrets/utils.go
new file mode 100644
index 0000000..7773b11
--- /dev/null
+++ b/secrets/utils.go
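Review bot: `CheckScanFiles` calls `os.Exit(1)` from the `common` package, so a missing scan file terminates the process from library code — the `monitor` command that now calls it (and any `detect` command that adopts it) cannot clean up or be tested on this path — and the three `LogERR` lines fire for every `os.Stat` failure, including permission errors, while the text claims the files were "not found". Return the condition instead, `func CheckScanFiles() error`, wrapping the stat error as `fmt.Errorf("previous scan files %q: %w", path, err)`, and let the cobra `Run` decide to exit; the caller can then use `errors.Is(err, fs.ErrNotExist)` to print the first-run hint only when it applies. The surrounding `StartChecks`/`Start` context is collapsed on this page and was not reviewed.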
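Review bot: `directoryPath := os.Getenv("rfp") + directoryName` joins the report path and `cloned_repo` with no separator, so a report path supplied without a trailing slash (constructed example: `rfp=/tmp/reports`) yields `/tmp/reportscloned_repo`, and when the `os.Stat` branch finds such a path already present it is handed to `RemoveDirectory`, i.e. `rm -rf`, on a directory the user never intended as scratch space; use `filepath.Join(os.Getenv("rfp"), directoryName)` here and `filepath.Join(directoryPath, strconv.Itoa(key))` for `cloneDirectory`. `json.Unmarshal(fileContent, &repo)` discards its error, so a truncated or malformed scan file silently leaves `repo` empty and the command reports a clean scan; check it and log before the loop. The helpers return nothing, so `RunTruffleHog(tfTarget)` runs even when `CloneRepo` failed; that is raised on the `secrets/utils.go` hunk.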
@@ -0,0 +1,56 @@
+package secrets
+
+import (
+ "fmt"
+ "os"
+ "os/exec"
+
+ "github.com/boringtools/git-alerts/logger"
+)
+
+func CreateDirectory(dirPath string) {
+ cmd := exec.Command("mkdir", dirPath)
+ _, err := cmd.Output()
+
+ if err != nil {
+ logger.LogERRP("Error in running the command : ", err.Error())
+ }
+}
+
+func RemoveDirectory(dirPath string) {
+ cmd := exec.Command("rm", "-rf", dirPath)
+ _, err := cmd.Output()
+
+ if err != nil {
+ logger.LogERRP("Error in running the command : ", err.Error())
+ }
+}
+
+func CloneRepo(url, dir string) {
+ cl := exec.Command("git", "clone", url, dir)
+ _, errCl := cl.Output()
+
+ if errCl != nil {
+ logger.LogERRP("Error in running the command", errCl.Error())
+ }
+}
+
+func RunTruffleHog(file string) {
+ _, checkTf := exec.LookPath("trufflehog")
+
+ if checkTf != nil {
+ logger.LogERR("Trufflehog is not installed in your machine")
+ os.Exit(1)
+ }
+
+ tf := exec.Command("trufflehog", "git", file, "--only-verified")
+ op, errTf := tf.Output()
+
+ if errTf != nil {
+ logger.LogERRP("Error in running the command", errTf.Error())
+ } else {
+ if string(op) != "" {
+ fmt.Println(string(op))
+ }
+ }
+}
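Review bot: In `CloneRepo` and `RunTruffleHog` the `Output()` error is logged via `Error()`, which for a non-zero exit is only `exit status N` — the tool's real diagnostic sits in `(*exec.ExitError).Stderr` and is dropped — and none of the four helpers return anything, so `GetSecrets` goes on to scan a directory whose clone failed and cannot skip or count failures; make the helpers return `error` and surface stderr as shown below for `RunTruffleHog` (needs `errors` imported), applying the same shape to `CloneRepo`. `CreateDirectory` and `RemoveDirectory` shell out to `mkdir` and `rm -rf` for what `os.MkdirAll`/`os.RemoveAll` do without spawning a process or depending on `PATH`. The `exec.LookPath("trufflehog")` check runs after every clone inside the loop, and its `os.Exit(1)` leaves the just-cloned tree on disk; hoist it to the start of `GetSecrets` so a missing binary is reported before anything is cloned. `git clone` also inherits the terminal, so a private or deleted repository can block on a credential prompt; `cl.Env = append(os.Environ(), "GIT_TERMINAL_PROMPT=0")` makes it fail fast instead. Note too that `fmt.Println(string(op))` writes the verified findings, which by default include the matched secret values, to stdout, so the command's output must be treated as sensitive and kept out of shared CI logs.
```go
func RunTruffleHog(file string) error {
	// … unchanged: exec.LookPath("trufflehog") check …
	tf := exec.Command("trufflehog", "git", file, "--only-verified")
	op, errTf := tf.Output()
	if errTf != nil {
		var exitErr *exec.ExitError
		if errors.As(errTf, &exitErr) {
			return fmt.Errorf("trufflehog exited %d: %s", exitErr.ExitCode(), exitErr.Stderr)
		}
		return fmt.Errorf("running trufflehog: %w", errTf)
	}
	if len(op) != 0 {
		fmt.Println(string(op))
	}
	return nil
}
```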