CloudBees action: Scan containers with TruffleHog

Use this action to scan Docker images with TruffleHog, an open-source secret scanning tool that detects secrets and other sensitive information.

Prerequisites

This action requires prior authentication to the container registry, so you must invoke the Docker registry authentication action before invoking the TruffleHog container scan action. For more information, refer to the OCI credentials configuration action.

Inputs

Table 1. Input details

| Input name | Data type | Required | Description |
| --- | --- | --- | --- |
| image-location | string | Yes | Repository location of the Docker image. |
| image-tag | string | Yes | Tag of the Docker image. |
| threshold-very-high | integer | No | The number of very high severity vulnerabilities at which the build is broken. |
| only-verified | string | No | Enables the verified flag to scan only verified secrets. The default is true.[1] |

Important

[1] If only-verified is set to true, the TruffleHog tool may use an external third-party API to verify the secrets it detects.

Customers concerned about the security implications of third-party API calls should set only-verified to false, which returns all detected secrets without verification and might include false positives. Refer to the TruffleHog credential verification documentation for more information.

Usage examples

In your YAML file, add:

```yaml
      - name: Check out repo
        uses: actions/checkout@v1

      - name: Sign in to OCI registry
        uses: cloudbees-io/configure-oci-credentials@v1
        with:
          registry: ${{ vars.OCI_REGISTRY }}
          username: ${{ secrets.OCI_USERNAME }}
          password: ${{ secrets.OCI_PASSWORD }}

      - name: Run TruffleHog container scan
        uses: cloudbees-io/trufflehog-secret-scan-container@v1
        with:
          image-location: ${{ vars.IMAGE_LOCATION }}
          image-tag: ${{ vars.IMAGE_TAG }}
```

In the following example, if more than three very high severity vulnerabilities are identified, the build is broken.

```yaml
      - name: Run TruffleHog container scan with threshold
        uses: cloudbees-io/trufflehog-secret-scan-container@v1
        with:
          image-location: ${{ vars.IMAGE_LOCATION }}
          image-tag: ${{ vars.IMAGE_TAG }}
          threshold-very-high: 3
```

In the following example, only-verified is set to false. The returned secrets are not verified and might include false positives.

```yaml
      - name: Run TruffleHog container scan without verifying
        uses: cloudbees-io/trufflehog-secret-scan-container@v1
        with:
          image-location: ${{ vars.IMAGE_LOCATION }}
          image-tag: ${{ vars.IMAGE_TAG }}
          threshold-very-high: 3
          only-verified: false
```
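To make the interaction between only-verified and threshold-very-high concrete, here is an added example (not the action's own implementation) that applies both inputs to scanner output. It assumes TruffleHog's JSON-lines format with DetectorName, Verified and Redacted keys, which the page does not state, and treats the threshold as exceeded when the count is greater than the configured value, as in the "more than three" example above.

```python
# Added example, not the action's own code: mimics the page's only-verified and
# threshold-very-high inputs over TruffleHog JSON-lines output (assumed keys:
# DetectorName, Verified, Redacted; the page does not state that format).
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample scan output: three verified findings and one unverified.
SAMPLE_SCAN_OUTPUT = "\n".join(json.dumps(f) for f in [
    {"DetectorName": "AWS", "Verified": True, "Redacted": "AKIA****"},
    {"DetectorName": "Github", "Verified": True, "Redacted": "ghp_****"},
    {"DetectorName": "Slack", "Verified": True, "Redacted": "xoxb-****"},
    {"DetectorName": "PrivateKey", "Verified": False, "Redacted": "-----BEGIN"},
])

@dataclass
class Finding:
    detector: str
    verified: bool
    redacted: str

def parse_findings(raw: str) -> List[Finding]:
    """Parse JSON-lines scanner output, skipping blank lines."""
    findings = []
    for line in raw.splitlines():
        if line.strip():
            obj = json.loads(line)
            findings.append(Finding(obj["DetectorName"],
                                    bool(obj.get("Verified")),
                                    obj.get("Redacted", "")))
    return findings

def select_findings(findings: List[Finding], only_verified: bool = True) -> List[Finding]:
    """only-verified=true keeps only findings TruffleHog confirmed live (which
    may involve a third-party API call); false keeps all, false positives included."""
    return [f for f in findings if f.verified] if only_verified else list(findings)

def build_breaks(findings: List[Finding], threshold: Optional[int]) -> bool:
    """Break the build when the count exceeds the threshold ('more than three'
    in the page's example); no threshold means the scan never fails the build."""
    return threshold is not None and len(findings) > threshold

if __name__ == "__main__":
    found = parse_findings(SAMPLE_SCAN_OUTPUT)
    for only_verified in (True, False):
        kept = select_findings(found, only_verified)
        print(f"only-verified={only_verified}: {len(kept)} finding(s), "
              f"break={build_breaks(kept, 3)}")
```

With the sample data, only-verified=true stays under the threshold of 3 while only-verified=false breaks the build, because the unverified finding is counted too.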

License

This code is made available under the MIT license.
