Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

@joeleonjr
Created August 18, 2023 13:56
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save joeleonjr/b3667bee1e8e1eac002b9929052038ee to your computer and use it in GitHub Desktop.
Save joeleonjr/b3667bee1e8e1eac002b9929052038ee to your computer and use it in GitHub Desktop.
Sample YAML file for integrating TruffleHog Open-Source into an Azure Pipeline.
# Trigger on PRs for code hosted outside Azure Repos (ex: GitHub, GitLab)
# For Azure-hosted code, this won't work. Set up a Build Validation instead.
# Change "main" to apply to different branches.
pr:
- main
# Trigger on Pushes (all repos hosted anywhere)
# Change "main" to apply to different branches.
trigger:
- main
# Define our secrets check job
jobs:
- job: SecretsCheck
# You can use any OS that TruffleHog runs on.
# If you don't use ubuntu, make sure CURL (https://curl.se/)
# and jq (https://jqlang.github.io/jq/) are installed.
pool:
vmImage: ubuntu-latest
steps:
# Get total count of changes in the Push/PR
- script: |
# Set up CURL headers + URI
headers="Authorization: Bearer $(System.AccessToken)"
uri="$(System.TeamFoundationServerUri)$(System.TeamProject)/_apis/build/builds/$(Build.BuildId)/changes"
# Set count of changes in this Push to the ChangesCount variable
ChangesCount=$(echo $(curl -sSL -H "$headers" "$uri") | jq '.count')
# If PR, add 1 to ChangesCount.
if [ "$(Build.Reason)" == "PullRequest" ]; then ChangesCount=$(($ChangesCount+1)); fi
# Export ChangesCount variable for use in other steps
echo "##vso[task.setvariable variable=ChangesCount]$(echo $ChangesCount )"
# Checkout the git repo + set fetchDepth to count of changes
- checkout: self
fetchDepth: $(ChangesCount)
displayName: "Git Checkout"
# Scan for leaked secrets (Open-Source)
- script: |
docker run --rm -v "$(pwd)":/tmp ghcr.io/trufflesecurity/trufflehog:latest \
--only-verified --fail --no-update git file:///tmp/
displayName: "Running TruffleHog (Open-Source)"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment