From 32e3a0a3bfeb8c07a2cf077ad4d6c5ce3232172f Mon Sep 17 00:00:00 2001
From: mesembria
Date: Thu, 19 Dec 2024 11:50:56 -0500
Subject: [PATCH] Added rule for TruffleHog

---
 .../github/trufflehog_github_action.test.yaml | 13 +++++
 .../.github/workflows/trufflehog.yaml         | 19 +++++++
 .../.github/workflows/not-trufflehog.yaml     | 15 ++++++
 .../github/trufflehog_github_action.yaml      | 52 +++++++++++++++++++
 4 files changed, 99 insertions(+)
 create mode 100644 rule-types/github/trufflehog_github_action.test.yaml
 create mode 100644 rule-types/github/trufflehog_github_action.testdata/github_action_with_trufflehog/.github/workflows/trufflehog.yaml
 create mode 100644 rule-types/github/trufflehog_github_action.testdata/github_action_without_trufflehog/.github/workflows/not-trufflehog.yaml
 create mode 100644 rule-types/github/trufflehog_github_action.yaml

diff --git a/rule-types/github/trufflehog_github_action.test.yaml b/rule-types/github/trufflehog_github_action.test.yaml
new file mode 100644
index 0000000..fe39caa
--- /dev/null
+++ b/rule-types/github/trufflehog_github_action.test.yaml
@@ -0,0 +1,13 @@
+tests:
+  - name: "Should have TruffleHog enabled"
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: github_action_with_trufflehog
+  - name: "Should not have Renovate enabled"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: github_action_without_trufflehog
\ No newline at end of file
diff --git a/rule-types/github/trufflehog_github_action.testdata/github_action_with_trufflehog/.github/workflows/trufflehog.yaml b/rule-types/github/trufflehog_github_action.testdata/github_action_with_trufflehog/.github/workflows/trufflehog.yaml
new file mode 100644
index 0000000..fc9fa71
--- /dev/null
+++ b/rule-types/github/trufflehog_github_action.testdata/github_action_with_trufflehog/.github/workflows/trufflehog.yaml
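Review bot: The second test case in this hunk is named `Should not have Renovate enabled`, which looks copied from the Renovate rule's test file; its fixture is `github_action_without_trufflehog`, so the line should read `- name: "Should not have TruffleHog enabled"`. The name does not affect the verdict, but it is the string printed when the case fails, so the mismatch will send whoever debugs it to the wrong rule. The file also ends without a trailing newline, which the diff flags and which is easy to fix while renaming the case.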
@@ -0,0 +1,19 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Secret Scanning
+        uses: trufflesecurity/trufflehog@v3.86.1
+        with:
+          extra_args: --results=verified,unknown
+
\ No newline at end of file
diff --git a/rule-types/github/trufflehog_github_action.testdata/github_action_without_trufflehog/.github/workflows/not-trufflehog.yaml b/rule-types/github/trufflehog_github_action.testdata/github_action_without_trufflehog/.github/workflows/not-trufflehog.yaml
new file mode 100644
index 0000000..1659306
--- /dev/null
+++ b/rule-types/github/trufflehog_github_action.testdata/github_action_without_trufflehog/.github/workflows/not-trufflehog.yaml
@@ -0,0 +1,15 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
\ No newline at end of file
diff --git a/rule-types/github/trufflehog_github_action.yaml b/rule-types/github/trufflehog_github_action.yaml
new file mode 100644
index 0000000..1fb9f65
--- /dev/null
+++ b/rule-types/github/trufflehog_github_action.yaml
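Review bot: Both actions in the passing fixture are referenced by mutable tags (`uses: actions/checkout@v4` and `uses: trufflesecurity/trufflehog@v3.86.1`) rather than by a full commit SHA. For a test fixture that is harmless, but fixtures for a rule like this tend to be copied as the reference configuration, so modelling the pinned form with the version in a trailing comment (`uses: trufflesecurity/trufflehog@<full-sha> # v3.86.1`) would match the practice a secret-scanning rule is meant to encourage. Whether a SHA-pinned reference still satisfies the rule depends on how `github_workflow.ls_actions` normalizes the `uses:` value, which this diff does not show; a second passing fixture with a pinned reference would settle that and guard against a regression.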
@@ -0,0 +1,52 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: trufflehog_github_action
+display_name: Prevent Secret Exposure using TruffleHog GitHub Action
+short_failure_message: TruffleHog is not configured via a GitHub action
+severity:
+  value: medium
+context: {}
+description: |
+  Verifies that automated secret detection is implemented using TruffleHog GitHub
+  Action to scan repositories for exposed secrets and sensitive information.
+  This is crucial for preventing data breaches and unauthorized access that
+  could occur from accidentally committed credentials, API keys, or other
+  sensitive data. Regular scanning helps maintain security compliance and protects your organization's assets.
+
+  For technical details, see the [TruffleHog documentation](https://github.com/trufflesecurity/trufflehog)
+  and [GitHub Action implementation guide](https://github.com/marketplace/actions/trufflehog-oss).
+guidance: |
+  Ensure that TruffleHog is configured and enabled for the repository.
+
+  For more information, see the [TruffleHog GitHub Action](https://github.com/marketplace/actions/trufflehog-oss#octocat-trufflehog-github-action documentation.
+def:
+  in_entity: repository
+  rule_schema:
+    type: object
+    properties: {}
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+
+        import rego.v1
+
+        actions := github_workflow.ls_actions("./.github/workflows")
+
+        default message := "No TruffleHog GitHub action found for automated secret detection"
+        default allow := false
+        allow if {
+          # check that there is a trufflehog action
+          "trufflesecurity/trufflehog" in actions
+        }
+  # Defines the configuration for alerting on the rule
+  alert:
+    type: security_advisory
+    security_advisory: {}
\ No newline at end of file
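Review bot: The markdown link in `guidance` is malformed — the URL parenthesis is never closed, so `[TruffleHog GitHub Action](https://github.com/marketplace/actions/trufflehog-oss#octocat-trufflehog-github-action documentation.` renders as raw text in any UI that shows guidance; it should read `[TruffleHog GitHub Action](https://github.com/marketplace/actions/trufflehog-oss#octocat-trufflehog-github-action) documentation.` Separately, the rego policy allows as soon as `"trufflesecurity/trufflehog"` appears in the result of `ls_actions`, so as far as this hunk shows a reference in a workflow that never runs, or in a step behind an always-false `if:`, satisfies the rule, and the description's "Regular scanning" claim is stronger than what is verified. A sentence in `description` such as `This rule only checks that the TruffleHog action is referenced from a workflow under .github/workflows; it does not verify triggers, version pinning, or scan arguments.` would set the right expectation for consumers. The rule also cannot see TruffleHog invoked from a `run:` step or a pre-commit hook, which is presumably intentional but worth stating in the guidance so those users understand why they are flagged.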