Log in to GitHub and navigate to the settings page of the Organization
From the “Code, planning and automation” section on the left, click on Actions > Runners
Click on the “New runner” button and select “New self-hosted runner”
For this exercise, our self-hosted runner is a Docker container based on an Ubuntu image.
Do not run any command here, but simply copy the value of the TOKEN shown under “Configure”
The following commands are a one-time setup that launches a Docker container based on an Ubuntu image, installs the required tools in it and connects it to GitHub as a self-hosted runner. The container is started detached (-d) so that it keeps running while we exec into it from a second shell; the apt package index in a fresh image is empty, so apt update must run before apt install.
docker run -itd --name gh-runner-ubuntu ubuntu
docker exec -it gh-runner-ubuntu bash
apt update && apt install -y curl sudo wget git
adduser app
usermod -aG sudo app
su app
cd ~
mkdir actions-runner && cd actions-runner
curl -o actions-runner-linux-x64-2.297.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.297.0/actions-runner-linux-x64-2.297.0.tar.gz
tar xzf ./actions-runner-linux-x64-2.297.0.tar.gz
mkdir trufflehog && cd trufflehog
wget https://github.com/trufflesecurity/trufflehog/releases/download/v3.14.0/trufflehog_3.14.0_linux_amd64.tar.gz
tar xzf ./trufflehog_3.14.0_linux_amd64.tar.gz
sudo cp trufflehog /usr/bin/
cd ..
./config.sh --url https://github.com/Kloudle --token TOKEN --labels kloudle-runner-testing
The label passed with --labels (config.sh also prompts for additional labels if you omit it) is what the workflow selects the runner by in its runs-on field, so it must match exactly; the runner name alone is not a label. The runner is started with nohup so that it survives the exec shell being closed (a plain ./run.sh & is killed by SIGHUP when that shell exits).
nohup ./run.sh > runner.log 2>&1 &
A message that says “Connected to GitHub” should appear in runner.log (tail -f runner.log to watch it).
If the setup was successful, the runner will be visible with status “Idle” under https://github.com/organizations/ORG_NAME/settings/actions/runners
Navigate to the repository that you want to perform code secret scanning on
Click on the “Actions” tab
Note: If “Actions” is not visible, it means that either the repo is excluded from Actions settings or Actions is disabled Organization wide. Review the settings under https://github.com/organizations/ORG_NAME/settings/actions
Click on the link under “Actions” to “set up a workflow yourself”
Add the following YAML as main.yml. Note the name of the branch (master/main) and update the YAML as required.
name: Secrets Scanning with GitHub Actions and TruffleHog

# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The label of the self-hosted runner the job will run on; it must match a label
    # assigned to the runner when config.sh was run
    runs-on: kloudle-runner-testing
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v3
      # Runs a single command using the runner's shell
      - name: Run trufflehog
        run: trufflehog --no-update filesystem --directory=${{ github.workspace }} --json > /tmp/trufflehog.json
      # Upload the scan output
      - name: Upload the scan output
        uses: actions/upload-artifact@v2
        with:
          name: scan_results
          path: /tmp/trufflehog.json
          retention-days: 2
The YAML creates a workflow that checks out the repo on the runner whenever a push or a pull request targets the “main” branch, and runs TruffleHog on it. The job ends after the scan results are uploaded to GitHub as an artifact. A few points to keep in mind before relying on this:
- The filesystem scan covers only the checked-out working tree (actions/checkout fetches a single commit by default), not the git history; a secret that was committed and later removed will not be reported.
- By default TruffleHog verifies candidate secrets by calling the corresponding provider's API, which means the candidates leave the runner. Pass --only-verified to report only findings that verified, or drop verification if that outbound traffic is not acceptable.
- The artifact contains the raw secrets in plaintext, and anyone with read access to the repository can download it. Keep the retention short (as above) and treat the artifact as sensitive.
- The job succeeds whether or not secrets are found; as written, nothing blocks the push or pull request. Add a step that inspects the output and exits non-zero on findings if you want the check to fail.
- A self-hosted runner executes whatever the workflow (and the checked-out repository) tells it to. GitHub advises against self-hosted runners for public repositories, because a pull request from a fork can run code on your runner.
Click on “Start commit” and commit the workflow file to trigger a job.
You can download the results from the scan under the “Actions” > Workflow run > Artifacts as shown in the screenshot below
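The workflow above uploads the scan output but never fails on it. The script below is an added example, not part of the Kloudle tutorial or of TruffleHog, of a gate step that reads the JSON-lines output, prints a summary without the raw secret, and exits non-zero when a verified secret is present. It assumes the TruffleHog v3 output fields "DetectorName", "Verified" and the Filesystem "file" key (one JSON object per line); the two findings written by write_sample are constructed sample data, not real scan results.

```sh
#!/bin/sh
# Added example: fail a GitHub Actions step on verified TruffleHog findings.
# Assumes TruffleHog v3 --json output (one object per line) with the fields
# "DetectorName", "Verified" and SourceMetadata -> Filesystem -> "file".
# Usage in the workflow, after the scan step:
#   run: sh scripts/trufflehog-gate.sh /tmp/trufflehog.json
# Run with no argument to try it on the constructed sample below.

# write_sample FILE: write two constructed findings (not real scan output) to FILE.
write_sample() {
  cat > "$1" <<'EOF'
{"SourceMetadata":{"Data":{"Filesystem":{"file":"config/settings.py"}}},"SourceID":0,"SourceType":15,"SourceName":"trufflehog - filesystem","DetectorType":2,"DetectorName":"AWS","Verified":true,"Raw":"AKIAEXAMPLEEXAMPLE00","Redacted":"AKIAEXAMPLEEXAMPLE00","ExtraData":null,"StructuredData":null}
{"SourceMetadata":{"Data":{"Filesystem":{"file":"docs/README.md"}}},"SourceID":0,"SourceType":15,"SourceName":"trufflehog - filesystem","DetectorType":17,"DetectorName":"URI","Verified":false,"Raw":"https://user:hunter2@example.com","Redacted":"https://user:********@example.com","ExtraData":null,"StructuredData":null}
EOF
}

# count_findings FILE: total number of findings (lines carrying a DetectorName).
count_findings() {
  grep -c '"DetectorName"' "$1" || true
}

# count_verified FILE: findings that TruffleHog verified against the provider.
count_verified() {
  grep -c '"Verified":true' "$1" || true
}

# summarize FILE: one line per finding: "<detector> verified=<bool> <file>".
# Only the detector, status and path are printed; the Raw secret never reaches the log.
summarize() {
  sed -nE 's/.*"file":"([^"]*)".*"DetectorName":"([^"]*)".*"Verified":(true|false).*/\2 verified=\3 \1/p' "$1"
}

# gate FILE: return 0 when no verified secret is present, 1 otherwise (2 if FILE is
# unreadable). Unverified candidates are listed for review but do not fail the step;
# tighten the policy by comparing count_findings instead if you want them to.
gate() {
  [ -r "$1" ] || { echo "gate: cannot read $1" >&2; return 2; }
  total=$(count_findings "$1")
  verified=$(count_verified "$1")
  summarize "$1"
  if [ "$verified" -gt 0 ]; then
    echo "FAIL: $verified verified secret(s) found in $total finding(s)" >&2
    return 1
  fi
  echo "OK: no verified secrets; $((total - verified)) unverified candidate(s) to review"
  return 0
}

case "${1:-}" in
  "")
    # No argument: demonstrate on the constructed sample.
    tmp=$(mktemp)
    write_sample "$tmp"
    gate "$tmp" || echo "(in a workflow this exit status would fail the step)"
    rm -f "$tmp"
    ;;
  *)
    gate "$1"
    ;;
esac
```

Because the script is stored in the repository it scans, a contributor could edit it in the same pull request that introduces a secret; if that matters, keep the gate in a separate, protected location on the runner or in a reusable workflow the PR cannot change.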