Added rule to check for Trufflehog Github action (#249)

* Added rule for TruffleHog
mindersec · Dec 19, 2024 · 5fbd7c1 · 5fbd7c1
1 parent 4484e16
commit 5fbd7c1
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 0 deletions.
diff --git a/rule-types/github/trufflehog_github_action.test.yaml b/rule-types/github/trufflehog_github_action.test.yaml
@@ -0,0 +1,13 @@
+tests:
+  - name: "Should have TruffleHog enabled"
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: github_action_with_trufflehog
+  - name: "Should not have Renovate enabled"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: github_action_without_trufflehog
diff --git a/...og_github_action.testdata/github_action_with_trufflehog/.github/workflows/trufflehog.yaml b/...og_github_action.testdata/github_action_with_trufflehog/.github/workflows/trufflehog.yaml
@@ -0,0 +1,19 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Secret Scanning
+      uses: trufflesecurity/[email protected]
+      with:
+        extra_args: --results=verified,unknown
+
diff --git a/...ub_action.testdata/github_action_without_trufflehog/.github/workflows/not-trufflehog.yaml b/...ub_action.testdata/github_action_without_trufflehog/.github/workflows/not-trufflehog.yaml
@@ -0,0 +1,15 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
diff --git a/rule-types/github/trufflehog_github_action.yaml b/rule-types/github/trufflehog_github_action.yaml
@@ -0,0 +1,52 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: trufflehog_github_action
+display_name: Prevent Secret Exposure using TruffleHog GitHub Action
+short_failure_message: TruffleHog is not configured via a GitHub action
+severity:
+  value: medium
+context: {}
+description: |
+  Verifies that automated secret detection is implemented using TruffleHog GitHub 
+  Action to scan repositories for exposed secrets and sensitive information. 
+  This is crucial for preventing data breaches and unauthorized access that 
+  could occur from accidentally committed credentials, API keys, or other 
+  sensitive data. Regular scanning helps maintain security compliance and protects your organization's assets.
+
+  For technical details, see the [TruffleHog documentation](https://github.com/trufflesecurity/trufflehog) 
+  and [GitHub Action implementation guide](https://github.com/marketplace/actions/trufflehog-oss).
+guidance: |
+  Ensure that TruffleHog is configured and enabled for the repository.
+
+  For more information, see the [TruffleHog GitHub Action](https://github.com/marketplace/actions/trufflehog-oss#octocat-trufflehog-github-action documentation.
+def:
+  in_entity: repository
+  rule_schema:
+    type: object
+    properties: {}
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+        
+        import rego.v1
+
+        actions := github_workflow.ls_actions("./.github/workflows")
+
+        default message := "No TruffleHog GitHub action found for automated secret detection"
+        default allow := false
+        allow if {
+          # check that there is a trufflehog action
+          "trufflesecurity/trufflehog" in actions
+        }
+  # Defines the configuration for alerting on the rule
+  alert:
+    type: security_advisory
+    security_advisory: {}