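#!/bin/bash
# TruffleHog secret scan for a JCI job: scans the checked-out repository's
# working tree and then its commit history with trufflehog3, writes the
# combined tool output to "$JCI_OUTPUT_DIR/trufflehog-report.txt" and prints
# a summary (plus the report itself) to stdout.
#
# Required environment:
#   JCI_REPO_ROOT  - path of the repository checkout to scan
#   JCI_OUTPUT_DIR - directory that receives trufflehog-report.txt
#   JCI_COMMIT     - commit id being built (first 7 characters are displayed)
#
# Exit status: 0 even when findings exist (report-only, see the bottom);
# non-zero only when the environment is unusable or trufflehog3 is missing.
set -euo pipefail

# Fail loudly on a missing environment instead of scanning the wrong tree
# (an empty JCI_REPO_ROOT does not make `cd` fail in bash, so the scan would
# silently run in whatever the current directory is) or writing the report
# to /trufflehog-report.txt.
: "${JCI_REPO_ROOT:?JCI_REPO_ROOT must be set}"
: "${JCI_OUTPUT_DIR:?JCI_OUTPUT_DIR must be set}"
: "${JCI_COMMIT:?JCI_COMMIT must be set}"

cd "$JCI_REPO_ROOT" || exit 1

REPO_NAME=$(basename "$JCI_REPO_ROOT")
SHORT_COMMIT=${JCI_COMMIT:0:7}   # parameter expansion instead of echo | head -c
REPORT="$JCI_OUTPUT_DIR/trufflehog-report.txt"

# Previously a missing scanner wrote "command not found" into the report and
# the script then announced "Found 0 potential issue(s)"; refuse instead.
command -v trufflehog3 >/dev/null 2>&1 || {
  echo "trufflehog3 not found in PATH" >&2
  exit 1
}
# A missing output directory used to make the redirect fail, which the
# `|| true` below masked, leaving an empty report and a false "No secrets
# found" verdict.
mkdir -p -- "$JCI_OUTPUT_DIR"

echo "=== TruffleHog Secret Scan ==="
echo "Repo: $REPO_NAME"
echo "Commit: $SHORT_COMMIT"
echo "Time: $(date '+%Y-%m-%d %H:%M:%S')"
echo

# ── Run trufflehog3 scans ─────────────────────────────────────
# The scanner's exit status is deliberately ignored (it may be non-zero when
# it reports findings); the report content is what is inspected below.
# stderr is captured into the report on purpose so tool warnings are kept.
echo "Scanning current working tree..."
trufflehog3 --no-history . > "$REPORT" 2>&1 || true

echo "Scanning commit history..."
trufflehog3 --no-current . >> "$REPORT" 2>&1 || true

# ── Report findings ────────────────────────────────────────────
if [[ -s "$REPORT" ]]; then
  # grep -c prints the count (including 0) on stdout and exits 1 when nothing
  # matches; the old `|| echo "0"` fallback therefore appended a second "0"
  # line on a clean report.  Only an unreadable report leaves the count empty,
  # which is what the default covers.
  FINDINGS=$(grep -cE 'MEDIUM|HIGH|CRITICAL' "$REPORT" 2>/dev/null || true)
  FINDINGS=${FINDINGS:-0}
  echo "⚠️ Found $FINDINGS potential issue(s). See report:"
  # NOTE: this prints the whole report, including any matched secret values,
  # into the CI log; keep that log's visibility restricted accordingly.
  cat "$REPORT"
  echo
  echo "Report saved to trufflehog-report.txt"
  # In production you might: exit 1
  # For this example, we report but don't fail
else
  echo "✅ No secrets found."
fi

echo "=== Scan Complete ==="
exit 0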