Have a github action to compare git-secrets and trufflehog without any configuration update

[commjoen]

Create a multistage pipelien in which we check the performance of

• [ ] git-secrets (https://github.com/awslabs/git-secrets)
• [ ] git-leaks (https://github.com/zricethezav/gitleaks) - https://github.com/gitleaks/gitleaks-action (only commercial? will have to ask for a license key...)
  • [ ] request license key
  • [ ] do scanning
  • [ ] capture result in count
• [ ] trufflehog (https://github.com/trufflesecurity/trufflehog) - https://github.com/marketplace/actions/trufflehog-oss
  • [x] do scanning (see https://github.com/OWASP/wrongsecrets/actions/workflows/scanners.yml, will have to update it with more scanners and capturing)
  • [ ] capture result in count
• [ ] trufflehog3
• [ ] Whispers (https://github.com/Skyscanner/whispers) - https://github.com/Skyscanner/whispers/issues/72
• [ ] Github secret scanning (https://docs.github.com/en/developers/overview/secret-scanning-partner-program)
• [ ] gittyleaks (https://github.com/kootenpv/gittyleaks)
• [ ] git-all-secretss (https://github.com/anshumanbh/git-all-secrets)
• [ ] detect-secrets (https://github.com/Yelp/detect-secrets)
• [ ] Java Sast tool?

for their detection out of the box.

[commjoen]

There is no action yet for git-secrets: see https://github.com/awslabs/git-secrets/issues/214

[swanasingh]

Hello @commjoen is this issue to create multistage pipelien in which we check the performance of all the security tools integrated or to have a github action to compare git-secrets and trufflehog ?

[commjoen]

yes @swanasingh and also the other tools listed in the issue :) , but indeed. the idea would be to create a multi stage pipeline that run on this project which then counts the number of found secrets and compares this per tool as the output like a "performance benchmark"