Sample YAML file for integrating TruffleHog Open-Source into an Azure Pipeline.

azure-pipelines.yml

# Trigger on PRs for code hosted outside Azure Repos (ex: GitHub, GitLab)
# For Azure-hosted code, this won't work. Set up a Build Validation instead.
# Change "main" to apply to different branches.
pr:
- main

# Trigger on Pushes (all repos hosted anywhere)
# Change "main" to apply to different branches.
trigger:
  - main

# Define our secrets check job
jobs:
- job: SecretsCheck
 
  # You can use any OS that TruffleHog runs on.
  # If you don't use ubuntu, make sure CURL (https://curl.se/)
  # and jq (https://jqlang.github.io/jq/) are installed. 
  pool:
    vmImage: ubuntu-latest

  steps:

  # Get total count of changes in the Push/PR
  - script: |

      # Set up CURL headers + URI
      headers="Authorization: Bearer $(System.AccessToken)"
      uri="$(System.TeamFoundationServerUri)$(System.TeamProject)/_apis/build/builds/$(Build.BuildId)/changes"
      
      # Set count of changes in this Push to the ChangesCount variable
      ChangesCount=$(echo $(curl -sSL -H "$headers" "$uri") | jq '.count')

      # If PR, add 1 to ChangesCount.
      if [ "$(Build.Reason)" == "PullRequest" ]; then ChangesCount=$(($ChangesCount+1)); fi

      # Export ChangesCount variable for use in other steps
      echo "##vso[task.setvariable variable=ChangesCount]$(echo $ChangesCount )"
    
  # Checkout the git repo + set fetchDepth to count of changes
  - checkout: self
    fetchDepth: $(ChangesCount)
    displayName: "Git Checkout"

  # Scan for leaked secrets (Open-Source)
  - script: |
      docker run --rm -v "$(pwd)":/tmp ghcr.io/trufflesecurity/trufflehog:latest \
      --only-verified --fail --no-update git file:///tmp/
    displayName: "Running TruffleHog (Open-Source)"