feat(secret-scanning): Forward alerts to Panther (#142)

* send failed result to panther * rename variables * remove unnecessary `<`
getsentry · Sep 26, 2024 · 98ced25 · 98ced25
1 parent cd530b6
commit 98ced25
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
@@ -54,9 +54,20 @@ jobs:
           chmod +x /usr/local/bin/trufflehog
 
       - name: Run TruffleHog scan
+        id: scan
         run: |
           if [ -e .secret_scan_ignore ]; then
             trufflehog git file://. --only-verified --github-actions --fail --exclude-paths=.secret_scan_ignore --exclude-detectors="datadogtoken"
           else
             trufflehog git file://. --only-verified --github-actions --fail --exclude-detectors="datadogtoken"
           fi
+      - name: Send Alert to Panther
+        id: alert
+        if: steps.scan.outcome != 'success'
+        run: |
+          curl "${{vars.SECRET_SCAN_PANTHER_WEBHOOK_URL}}" \
+            --header "Authorization: Bearer ${{ secrets.SECRET_SCAN_PANTHER_WEBHOOK_HEADER }}" \
+            --data '{"event":"github_secret_scanning_failed", createdAt:"${{ github.event.pull_request.created_at }}", "repo":"${{ github.repository }}","pull_request":"https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}"","actor":"${{ github.event.pull_request.user.login }}"}'
+      - name: Fail workflow if secret detected
+        if: steps.scan.outcome != 'success'
+        run: exit 1