Use this action to scan Amazon Simple Storage Service (S3) buckets with TruffleHog, an open-source secret scanning tool to detect secrets and sensitive information.
This action requires prior authentication to Amazon Web Services (AWS), so you must invoke the AWS authentication action before invoking the TruffleHog S3 scan action. For more information, refer to the AWS credentials configuration action.
| Input name | Data type | Required | Description |
|---|---|---|---|
|
string |
Yes |
Name of the S3 bucket. |
|
Integer |
No |
The number threshold of very high severity vulnerabilities at which the build is broken. |
|
String |
No |
Enables the verified flag to scan only verified secrets.
The default is |
|
Important
|
[1] If Customers concerned about security implications involving third-party API calls should set the |
In your YAML file, add:
- name: Configure AWS credentials
uses: cloudbees-io/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-2
- name: Run TruffleHog S3 scan
uses: cloudbees-io/trufflehog-secret-scan-s3@v1
with:
bucket-name: "test-bucket"In the following example, if there are more than three very high severity vulnerabilities identified, the build is broken.
- name: Run TruffleHog S3 scan with threshold
uses: cloudbees-io/trufflehog-secret-scan-s3@v1
with:
bucket-name: "test-bucket"
threshold-very-high: 3In the following example, only-verified is set to false.
The returned secrets are not verified and might include false positives.
- name: Run TruffleHog S3 scan without verification
uses: cloudbees-io/trufflehog-secret-scan-s3@v1
with:
bucket-name: "test-bucket"
threshold-very-high: 3
only-verified: falseThis code is made available under the MIT license.
-
Learn more about using actions in CloudBees workflows.
-
Learn about the CloudBees platform.