Skip to content

Feat/upload trufflehog json artifact #93

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
isaiah-grafana wants to merge 8 commits into from
Closed

Feat/upload trufflehog json artifact #93

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
321c801
Use local workflow reference for org ruleset
isaiah-grafana Oct 7, 2025
e2b4a22
Upload results.json as artifact alongside text report
isaiah-grafana Feb 10, 2026
cb86b57
Fix missing @ref in workflow uses reference
isaiah-grafana Feb 10, 2026
b5907f0
Merge branch 'main' into feat/upload-trufflehog-json-artifact
isaiah-grafana Feb 10, 2026
6ec8602
Add debug step to verify JSON file creation
isaiah-grafana Feb 10, 2026
eb3024f
Point to feature branch for testing JSON artifact
isaiah-grafana Feb 10, 2026
d22eea5
Fix: Ensure results.json always exists before upload
isaiah-grafana Feb 10, 2026
479b6ce
Fix: Upload artifacts from directory to ensure both files are included
isaiah-grafana Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/org-required-trufflehog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ permissions:
jobs:
secret-scan:
name: TruffleHog Secret Scan
uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@main
uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@feat/upload-trufflehog-json-artifact
with:
# Monitoring mode - no blocking, just reporting
fail-on-verified: "false" # Don't block on verified secrets (monitoring only)
Expand Down
76 changes: 75 additions & 1 deletion .github/workflows/reusable-trufflehog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,9 @@ jobs:
# Process results
if [[ -s results.ndjson ]]; then
grep -v '^$' results.ndjson | jq -s '.' > results.json 2>/dev/null || echo "[]" > results.json
else
# Ensure results.json exists even if no results
echo "[]" > results.json
fi

# Count secrets
Expand Down Expand Up @@ -188,14 +191,85 @@ jobs:
fi
} > trufflehog_scan.txt

- name: Verify JSON file exists
if: always()
run: |
if [[ -f "results.json" ]]; then
echo "✅ results.json exists"
echo "File size: $(wc -c < results.json) bytes"
echo "JSON validity check:"
if jq empty results.json 2>/dev/null; then
echo "✅ Valid JSON"
echo "Number of findings: $(jq '. | length' results.json)"
else
echo "❌ Invalid JSON"
fi
else
echo "❌ results.json does not exist"
fi

- name: Prepare artifacts for upload
if: always()
run: |
# Ensure results.json exists
if [[ ! -f "results.json" ]]; then
echo "[]" > results.json
echo "Created empty results.json"
fi

# Create artifacts directory and copy files
mkdir -p trufflehog-artifacts
cp trufflehog_scan.txt trufflehog-artifacts/ 2>/dev/null || echo "trufflehog_scan.txt not found"
cp results.json trufflehog-artifacts/ 2>/dev/null || echo "results.json not found"

echo "Files in artifacts directory:"
ls -la trufflehog-artifacts/

- name: Upload scan results
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: always()
with:
name: trufflehog_scan
path: trufflehog_scan.txt
path: trufflehog-artifacts/
retention-days: 30

- name: Setup Python for Grafana integration
if: ${{ !cancelled() && (secrets.LOKI_URL != '' || secrets.PROMETHEUS_PUSHGATEWAY_URL != '') }}
uses: actions/setup-python@0b6a380b5a7827e48e69b2e0e596c5c8c2b0e0b0 # v5.1.0
with:
python-version: '3.x'

- name: Install Python dependencies
if: ${{ !cancelled() && (secrets.LOKI_URL != '' || secrets.PROMETHEUS_PUSHGATEWAY_URL != '') }}
run: |
pip install requests

- name: Send findings to Loki
if: ${{ !cancelled() && secrets.LOKI_URL != '' }}
continue-on-error: true
env:
LOKI_URL: ${{ secrets.LOKI_URL }}
LOKI_USERNAME: ${{ secrets.LOKI_USERNAME }}
LOKI_PASSWORD: ${{ secrets.LOKI_PASSWORD }}
REPOSITORY: ${{ github.repository }}
COMMIT_SHA: ${{ github.sha }}
BRANCH: ${{ github.ref_name }}
TRUFFLEHOG_RESULTS_FILE: results.json
run: |
python trufflehog/send-to-loki.py

- name: Send metrics to Prometheus
if: ${{ !cancelled() && secrets.PROMETHEUS_PUSHGATEWAY_URL != '' }}
continue-on-error: true
env:
PROMETHEUS_PUSHGATEWAY_URL: ${{ secrets.PROMETHEUS_PUSHGATEWAY_URL }}
REPOSITORY: ${{ github.repository }}
COMMIT_SHA: ${{ github.sha }}
BRANCH: ${{ github.ref_name }}
TRUFFLEHOG_RESULTS_FILE: results.json
run: |
python trufflehog/send-to-prometheus.py

- name: Check failure policy
env:
FAIL_ON_VERIFIED: ${{ inputs.fail-on-verified }}
Expand Down