Added support for secret scanning

.github/workflows/secret_scan.yml

@@ -0,0 +1,24 @@
+name: Secrets Scan
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  trufflehog:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: '0'
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: main
+          head: HEAD

README.md

@@ -58,7 +58,18 @@ Scan and generate report with custom path
 go run . scan --org your-org-name --report-path /your/file/path/
 ```
 
+Scan with secrets detection using Trufflehog
+> Ensure trufflehog is installed in your machine
+```go
+go run . detect --org your-org-name
+```
+
 ## Documentation
 
 [docs](https://github.com/c0d3G33k/git-alert/tree/main/docs)
 > Please feel to reach out for any feedback and suggestions
+
+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=boringtools/git-alerts&type=Date)](https://star-history.com/#boringtools/git-alerts&Date)
+

cmd/detect.go

@@ -0,0 +1,35 @@
+package cmd
+
+import (
+	"strconv"
+
+	"github.com/boringtools/git-alerts/common"
+	"github.com/boringtools/git-alerts/gh"
+	"github.com/boringtools/git-alerts/logger"
+	"github.com/boringtools/git-alerts/secrets"
+	"github.com/spf13/cobra"
+)
+
+var detectCmd = &cobra.Command{
+	Use:   "detect",
+	Short: "Scan with secrets detection",
+	Long:  ``,
+	Run: func(cmd *cobra.Command, args []string) {
+		envs := map[string]string{
+			"org":     org,
+			"rfp":     report,
+			"command": cmd.Use,
+			"csv":     strconv.FormatBool(csv),
+		}
+		common.SetEnvs(envs)
+
+		gh.Connecter()
+		secrets.GetSecrets()
+
+		logger.LogP("Scan ended : ", common.GetTime())
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(detectCmd)
+}

cmd/monitor.go

@@ -1,13 +1,11 @@
 package cmd
 
 import (
-	"os"
 	"strconv"
 
 	"github.com/boringtools/git-alerts/common"
 	"github.com/boringtools/git-alerts/gh"
 
-	"github.com/boringtools/git-alerts/config"
 	"github.com/boringtools/git-alerts/logger"
 	"github.com/boringtools/git-alerts/reporter"
 	"github.com/spf13/cobra"
@@ -29,14 +27,7 @@ var monitorCmd = &cobra.Command{
 
 		common.SetEnvs(envs)
 
-		_, errScanFile := os.Stat(config.GhFilePaths()[1])
-
-		if errScanFile != nil {
-			logger.LogERR("Previous scan files not found")
-			logger.LogERR("If you are running it for the first time")
-			logger.LogERR("Please consider running the SCAN command first")
-			os.Exit(1)
-		}
+		common.CheckScanFiles()
 		gh.Connecter()
 		reporter.Notify()
 		logger.LogP("Scan ended : ", common.GetTime())

common/common.go

@@ -4,6 +4,7 @@ import (
 	"os"
 	"time"
 
+	"github.com/boringtools/git-alerts/config"
 	"github.com/boringtools/git-alerts/logger"
 )
 
@@ -38,6 +39,17 @@ func StartChecks() {
 
 }
 
+func CheckScanFiles() {
+	_, errScanFile := os.Stat(config.GhFilePaths()[1])
+
+	if errScanFile != nil {
+		logger.LogERR("Previous scan files not found")
+		logger.LogERR("If you are running it for the first time")
+		logger.LogERR("Please consider running the SCAN command first")
+		os.Exit(1)
+	}
+}
+
 func Start() {
 	currentTime := GetTime()
 	logger.LogP("Scan started : ", currentTime)

secrets/get_secrets.go

@@ -0,0 +1,50 @@
+package secrets
+
+import (
+	"encoding/json"
+	"os"
+	"strconv"
+
+	"github.com/boringtools/git-alerts/common"
+	"github.com/boringtools/git-alerts/config"
+	"github.com/boringtools/git-alerts/logger"
+)
+
+type Repos struct {
+	Name     string `json:"full_name"`
+	CloneUrl string `json:"clone_url"`
+	Fork     bool   `json:"fork"`
+}
+
+var (
+	repo []Repos
+)
+
+func GetSecrets() {
+	logger.Log("Running secrets scan")
+	fileContent := common.GetJsonFileContent(config.GhFileNames()[1])
+	json.Unmarshal(fileContent, &repo)
+
+	directoryName := "cloned_repo"
+	directoryPath := os.Getenv("rfp") + directoryName
+
+	_, errDirExists := os.Stat(directoryPath)
+
+	if errDirExists != nil {
+		CreateDirectory(directoryPath)
+	} else {
+		RemoveDirectory(directoryPath)
+		CreateDirectory(directoryPath)
+	}
+
+	for key, value := range repo {
+		if !value.Fork {
+			cloneDirectory := directoryPath + "/" + strconv.Itoa(key)
+			tfTarget := "file://" + cloneDirectory
+
+			CloneRepo(value.CloneUrl, cloneDirectory)
+			RunTruffleHog(tfTarget)
+			RemoveDirectory(cloneDirectory)
+		}
+	}
+}

secrets/utils.go

@@ -0,0 +1,56 @@
+package secrets
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+
+	"github.com/boringtools/git-alerts/logger"
+)
+
+func CreateDirectory(dirPath string) {
+	cmd := exec.Command("mkdir", dirPath)
+	_, err := cmd.Output()
+
+	if err != nil {
+		logger.LogERRP("Error in running the command : ", err.Error())
+	}
+}
+
+func RemoveDirectory(dirPath string) {
+	cmd := exec.Command("rm", "-rf", dirPath)
+	_, err := cmd.Output()
+
+	if err != nil {
+		logger.LogERRP("Error in running the command : ", err.Error())
+	}
+}
+
+func CloneRepo(url, dir string) {
+	cl := exec.Command("git", "clone", url, dir)
+	_, errCl := cl.Output()
+
+	if errCl != nil {
+		logger.LogERRP("Error in running the command", errCl.Error())
+	}
+}
+
+func RunTruffleHog(file string) {
+	_, checkTf := exec.LookPath("trufflehog")
+
+	if checkTf != nil {
+		logger.LogERR("Trufflehog is not installed in your machine")
+		os.Exit(1)
+	}
+
+	tf := exec.Command("trufflehog", "git", file, "--only-verified")
+	op, errTf := tf.Output()
+
+	if errTf != nil {
+		logger.LogERRP("Error in running the command", errTf.Error())
+	} else {
+		if string(op) != "" {
+			fmt.Println(string(op))
+		}
+	}
+}