diff --git a/.github/workflows/trufflehog-scan.yml b/.github/workflows/trufflehog-scan.yml new file mode 100644 index 0000000..17d77a7 --- /dev/null +++ b/.github/workflows/trufflehog-scan.yml @@ -0,0 +1,43 @@ +### +# Foundation-security Trufflehog workflow +# version: 2.0 +### +name: Foundation-Security/Trufflehog Scan + +on: + push: + tags: + - "**" + branches: + - "**" + +jobs: + Trufflehog-Scan: + runs-on: ubuntu-22.04 + permissions: + id-token: write + contents: read + steps: + - name: Checkout source repository + id: checkout-source + uses: actions/checkout@v4 + with: + repository: ${{github.repository}} + ref: ${{ github.ref }} + path: source + token: ${{secrets.GH_SLONIK}} + + - name: Checkout foundation-security repository + id: checkout-foundation-security + uses: actions/checkout@v4 + with: + repository: EnterpriseDB/foundation-security + ref: v2 + path: foundation-security + token: ${{secrets.GH_SLONIK}} + + - name: Secrets Scan + id: call-th-composite + uses: ./foundation-security/actions/trufflehog + with: + cloudsmith-token: ${{ secrets.CLOUDSMITH_READ_ALL }}