In this post, Jesse Houwing provides a practical PowerShell script for scanning GitHub workflow artifacts for leaked secrets. Learn how the script leverages TruffleHog and covers setup, execution, and best practices for securing your repositories.

Scan Your GitHub Workflow Artifacts for Leaked Secrets

Author: Jesse Houwing
Originally published: 2024-08-19 on Jesse Houwing's Blog (https://jessehouwing.net/github-actions-scan-all-workflow-artifacts-for-leaked-secrets/)

Context

This article responds to the report "Major GitHub repos leak access tokens putting code and clouds at risk". That report highlights how build artifacts generated by GitHub Actions may inadvertently contain access tokens, potentially allowing attackers to inject malicious code or compromise cloud infrastructure.


PowerShell Script to Audit Secrets in GitHub Artifacts

To help address this risk, I (Jesse Houwing) created a PowerShell script that scans a GitHub organization or select repositories for accidentally leaked secrets within workflow run artifacts, using TruffleHog as the secrets scanning engine.

Script Dependencies

  • TruffleHog (for secrets scanning)
  • GitHub CLI (gh) (for authenticating and investigating within GitHub)
  • jq (for working with paginated JSON responses)

Script Overview

Below is the main PowerShell script (scan-artifacts.ps1).

# Scan all your workflow runs for accidental leaks of secrets in artifacts
#
# Created by: Jesse Houwing - Xebia
# License: MIT
#
# Attribution required
#
# Requirements
# - trufflehog: https://github.com/trufflesecurity/trufflehog
# - GitHub CLI: https://github.com/cli/cli
# - jq: https://jqlang.github.io/jq/download/

function scan-artifacts {
    param(
        [Parameter(Mandatory = $true)]
        [string]$org,
        [string[]]$repos
    )
    begin {
        # No repository list supplied (missing or empty): scan every repo in the org
        if (($null -eq $repos) -or ($repos.Count -eq 0)) {
            $repos = get-repos -org $org
        }
    }
    process {
        foreach ($repo in $repos) {
            $downloaded = $false
            # Query all workflow runs for the repo
            write-host "$org/$repo"
            $workflowRuns = (& gh api /repos/$org/$($repo)/actions/runs --paginate --jq '.workflow_runs[].id' 2>$null | & jq -s | ConvertFrom-Json)

            # Query all artifacts for each workflow run
            foreach ($workflowRun in $workflowRuns) {
                $tempfolder = "./runs/$org/$repo/$workflowRun"
                # Create the per-run folder; the assignment to $null discards New-Item's output
                $null = New-Item -Path . -Name $tempfolder -ItemType Directory -Force
                if (test-path "$tempfolder/*") {
                    $downloaded = $true
                    continue
                }
                # Download every artifact of this run; the assignment to $null discards gh's output
                $null = gh run download $workflowRun --dir "$tempfolder" --pattern "*" --repo "$org/$repo" 2>$null
                if ($LASTEXITCODE -ne 0) {
                    continue
                }
                $downloaded = $true
            }
            if ($downloaded) {
                docker run --rm -it -v "${PWD}:/pwd" trufflesecurity/trufflehog:latest filesystem "/pwd/runs/$org/$repo" --no-update --fail --json --exclude-paths=/pwd/scan-artifacts-ignore.txt
                if ($LASTEXITCODE -ne 0) {
                    write-host "Found secrets in artifacts for /$org/$repo" -ForegroundColor red
                }
            }
        }
    }
}
function get-repos {
    param([Parameter(Mandatory = $true)] [string]$org)
    return (& gh api /orgs/$org/repos --paginate --jq '.[].name' 2>$null)
}

# scan-artifacts -org "your-org" [-repos @("your-repo")]

How to Use

1. Save the Script

Save the script to a file named scan-artifacts.ps1.

2. Run the Script

To scan all repositories in an organization:

. .\scan-artifacts.ps1
scan-artifacts -org "your-org"

To scan specific repositories:

. .\scan-artifacts.ps1
scan-artifacts -org "your-org" -repos @("repo1", "repo2")

3. Exclude Paths to Reduce False Positives

Some directories, such as /node_modules, can generate excessive false positives. To exclude files or folders, add them (one regex per line) to scan-artifacts-ignore.txt in the script directory, for example:

/node_modules/

Operational Notes

  • The script downloads all workflow artifacts locally. For large orgs, this may require large amounts of disk space (e.g., 50GB).
  • Previously scanned runs are skipped, allowing you to rerun and only fetch new data.
  • If you want to remove scan results after processing, delete the ./runs directory.
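Because the script pulls every artifact to local disk, it helps to know the footprint before starting. The following function is an added example and not part of Jesse Houwing's script: it walks the same org/repo list and sums the stored size of the artifacts that can still be downloaded. It assumes an authenticated GitHub CLI and the REST endpoint /repos/{owner}/{repo}/actions/artifacts, whose objects carry size_in_bytes, expired and workflow_run.id.

```powershell
# Added example (not part of scan-artifacts.ps1): estimate the disk space the
# artifact download will need, per repository, before running scan-artifacts.
# Assumes `gh` is authenticated and `jq` is on the path, like the script itself.
function Measure-ArtifactFootprint {
    param(
        [Parameter(Mandatory = $true)] [string]$org,
        [string[]]$repos
    )
    if (-not $repos) {
        $repos = & gh api /orgs/$org/repos --paginate --jq '.[].name' 2>$null
    }
    $rows = foreach ($repo in $repos) {
        # --paginate with --jq emits one JSON object per line; jq -s wraps them in one array
        $artifacts = & gh api /repos/$org/$repo/actions/artifacts --paginate --jq '.artifacts[]' 2>$null |
            & jq -s | ConvertFrom-Json
        # Expired artifacts can no longer be downloaded, so they cost no disk
        $live = @($artifacts | Where-Object { -not $_.expired })
        $bytes = 0
        foreach ($a in $live) { $bytes += [long]$a.size_in_bytes }
        [pscustomobject]@{
            Repo      = $repo
            Runs      = @($live.workflow_run.id | Sort-Object -Unique).Count
            Artifacts = $live.Count
            # size_in_bytes is the stored (zipped) size; the unpacked tree scanned
            # by TruffleHog is usually larger, so treat this as a lower bound
            GiB       = [math]::Round($bytes / 1GB, 2)
        }
    }
    $rows | Sort-Object GiB -Descending
}

# Measure-ArtifactFootprint -org "your-org" | Format-Table
```

Run it once for the whole org, then pass the heaviest repositories to scan-artifacts in batches (using -repos) and delete ./runs between batches if disk is tight.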

If the scan reports findings:

  1. Rotate any secrets found.
  2. Verify the tokens have not been used to tamper with your code or artifacts.
  3. Delete the workflow runs containing the exposed secrets.
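Step 3 needs the run IDs behind the findings, which scan-artifacts prints but does not collect. The code below is an added example, not part of Jesse Houwing's script. It captures TruffleHog's JSON output instead of echoing it, maps each finding back to the run through the ./runs/<org>/<repo>/<run-id>/ layout the script creates, and deletes those runs with -WhatIf/-Confirm support so nothing is removed before the secret has been rotated. It assumes the shape of TruffleHog's --json lines (SourceMetadata.Data.Filesystem.file, DetectorName, Verified) and the REST endpoint DELETE /repos/{owner}/{repo}/actions/runs/{run_id}.

```powershell
# Added example (not part of scan-artifacts.ps1): turn TruffleHog findings into
# a list of workflow runs to delete. Assumes the artifact layout used by
# scan-artifacts (./runs/<org>/<repo>/<run-id>/...) and TruffleHog's --json
# output, where each line holds SourceMetadata.Data.Filesystem.file,
# DetectorName and Verified (true when TruffleHog confirmed the credential is live).
function ConvertFrom-TruffleHogOutput {
    param([Parameter(Mandatory = $true)] [string[]]$jsonLines)
    foreach ($line in $jsonLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line | ConvertFrom-Json
        $file = $f.SourceMetadata.Data.Filesystem.file
        # Inside the container the path is /pwd/runs/<org>/<repo>/<run-id>/...
        if ($file -match '/runs/(?<org>[^/]+)/(?<repo>[^/]+)/(?<run>\d+)/') {
            [pscustomobject]@{
                Org      = $Matches.org
                Repo     = $Matches.repo
                RunId    = [long]$Matches.run
                Detector = $f.DetectorName
                Verified = [bool]$f.Verified
                File     = $file
            }
        }
    }
}

function Get-LeakedRuns {
    param(
        [Parameter(Mandatory = $true)] [string]$org,
        [Parameter(Mandatory = $true)] [string]$repo
    )
    # Same TruffleHog invocation as scan-artifacts, but without -it so the JSON
    # lines can be captured; log messages go to stderr and are not collected
    $out = docker run --rm -v "${PWD}:/pwd" trufflesecurity/trufflehog:latest filesystem "/pwd/runs/$org/$repo" --no-update --json --exclude-paths=/pwd/scan-artifacts-ignore.txt
    ConvertFrom-TruffleHogOutput -jsonLines @($out) |
        Group-Object Org, Repo, RunId | ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Org      = $first.Org
                Repo     = $first.Repo
                RunId    = $first.RunId
                Findings = $_.Count
                Verified = @($_.Group | Where-Object Verified).Count
            }
        }
}

function Remove-LeakedRuns {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] [pscustomobject[]]$runs)
    process {
        foreach ($r in $runs) {
            # Deleting the run removes its logs and artifacts from GitHub. Rotate the
            # secret first: the value has already been exposed and may be cached elsewhere.
            if ($PSCmdlet.ShouldProcess("$($r.Org)/$($r.Repo) run $($r.RunId)", "Delete workflow run")) {
                & gh api --method DELETE "/repos/$($r.Org)/$($r.Repo)/actions/runs/$($r.RunId)"
            }
        }
    }
}

# Constructed sample line in TruffleHog's JSON shape, for trying the parser offline
$sample = '{"SourceMetadata":{"Data":{"Filesystem":{"file":"/pwd/runs/your-org/repo1/123456/build/.env","line":3}}},"DetectorName":"AWS","Verified":true}'
# ConvertFrom-TruffleHogOutput -jsonLines $sample           # Org your-org, Repo repo1, RunId 123456
# Get-LeakedRuns -org "your-org" -repo "repo1" | Remove-LeakedRuns -WhatIf   # dry run
```

Dot-source this next to scan-artifacts.ps1 after a scan has populated ./runs, review the output of Get-LeakedRuns (verified findings first), rotate the credentials, and only then drop -WhatIf. Because the function is marked ConfirmImpact High, each deletion prompts unless you pass -Confirm:$false.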

Supporting the Author

If this script was helpful in securing your repositories, consider sponsoring Jesse Houwing on GitHub Sponsors.


Stay vigilant and regularly scan your repositories for unintended sensitive data exposure!

This post appeared first on "Jesse Houwing's Blog". Read the entire article here: https://jessehouwing.net/github-actions-scan-all-workflow-artifacts-for-leaked-secrets/