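# Composite action: run trufflehog3 against a checked-out repository with the
# shared "common" rule set plus an optional per-project rule set, and expose
# whether anything was found (and how severe) as step outputs.
name: secret scanning trufflehog3 setup
author: Bolt lee
description: >-
  Installs trufflehog3, stages the common (and optional per-project) rule
  files into the workspace, scans the given branch and reports the result
  as outputs.
inputs:
  project:
    # Used as a directory name under actions/security/code-scanning/rules/project/;
    # the sentinel 'temp' means "no project-specific rules".
    description: >-
      Name of the project rule set (directory under .../rules/project/ whose
      rules.yml is added to the scan). Leave at 'temp' to use the common
      rules only.
    required: false
    default: 'temp'
  branch:
    # Passed straight to `trufflehog3 --branch`. On pull-request style
    # triggers this value can be chosen by the PR author, so treat it as
    # untrusted input wherever it reaches a shell.
    description: 'Branch to scan (passed to trufflehog3 --branch). Treat as untrusted.'
    required: true
    # NOTE(review): the runner does not reliably enforce `required` for
    # composite actions, so an empty value may still reach the steps.
    default: ''
  pat:
    # Only consumed by `gh auth login` / `gh api` to look up this run's job
    # URL; presumably a token with read access to Actions runs is enough.
    description: 'GitHub token used to look up the job URL via the REST API. Keep it least-privilege.'
    required: true
    default: ''
outputs:
  is_secret:
    description: "'true' when any of the scans produced at least one finding, otherwise 'false'."
    value: ${{ steps.result.outputs.IS_SECRET }}
  severity:
    description: >-
      'HIGH' when the common HIGH-severity scan found something, 'MEDIUM' for
      any other finding (including project-rule hits), 'false' when nothing
      was found.
    value: ${{ steps.result.outputs.SEVERITY }}
  URL:
    # NOTE(review): the lookup returns html_url for every job of the run, so
    # this may hold more than one line on multi-job workflows.
    description: 'html_url of the job(s) of this workflow run, as returned by the GitHub API.'
    value: ${{ steps.url.outputs.URL }}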

runs:
  using: "composite"
  steps:
    # NOTE(review): the install is unpinned, so the scanner (and its
    # transitive dependencies) resolves to whatever PyPI serves at run time.
    # Pin `trufflehog3==<version>` (ideally with --require-hashes) so the
    # scanner cannot change underneath the workflow.
    - name: install trufflehog3
      shell: bash
      run: pip3 install trufflehog3
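    - name: mv config files(Trufflehog3 & Rules)
      shell: bash
      # Inputs are handed over through the environment and never interpolated
      # into the script text, so a crafted value cannot become shell syntax.
      env:
        PROJECT: ${{ inputs.project }}
      run: |
        # Assumes the caller checked out the rules repository (gx-gh-actions)
        # at $GITHUB_WORKSPACE/actions; each mv fails the step otherwise
        # (bash runs with -e here), which is the desired fail-closed outcome.
        rules_root="${GITHUB_WORKSPACE}/actions/security/code-scanning/rules"
        if [[ "$PROJECT" != "temp" ]]; then
          # The project name becomes a path component: accept only a plain
          # directory name so it cannot escape rules/project/ (e.g. "../x").
          if [[ ! "$PROJECT" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ || "$PROJECT" == *..* ]]; then
            echo "::error::invalid project name; allowed: [A-Za-z0-9][A-Za-z0-9._-]* without '..'"
            exit 1
          fi
          echo "Project=$PROJECT"
          mv "${rules_root}/project/${PROJECT}/rules.yml" "${GITHUB_WORKSPACE}"
        fi
        # NOTE(review): a .trufflehog3.yml committed in the scanned repository
        # takes precedence over the shared one, so a pull request can weaken
        # the scan (add exclusions, drop rules) just by committing that file.
        # Consider always using the shared config, or at least logging a diff.
        if [[ -f "${GITHUB_WORKSPACE}/.trufflehog3.yml" ]]; then
          echo "File (.trufflehog3.yml) is already in Head repository."
        else
          echo "There are currently no files in this Head repository, so get them from the gx-gh-actions repo."
          mv "${rules_root}/common/.trufflehog3.yml" "${GITHUB_WORKSPACE}"
        fi
        mv "${rules_root}/common/common_rules.yml" "${GITHUB_WORKSPACE}"
        echo " ============== Check config files =============="
        ls -al "${GITHUB_WORKSPACE}"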
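    # Log-only scans (human-readable output) so findings are visible in the
    # job log; the machine-readable runs that drive the outputs happen in the
    # "is_secret" step.
    - name: Scanning Secrets(Common high/medium/low)
      shell: bash
      # The branch name may be attacker-controlled on PR triggers, so it is
      # read from the environment rather than pasted into the script text.
      env:
        BRANCH: ${{ inputs.branch }}
      run: |
        # NOTE(review): trufflehog3's --severity appears to be a *minimum*
        # filter, in which case the MEDIUM and LOW runs are supersets of the
        # HIGH run — confirm before treating the three logs as disjoint.
        for severity in HIGH MEDIUM LOW; do
          echo "========= Common ${severity} ============"
          trufflehog3 -z -r "${GITHUB_WORKSPACE}/common_rules.yml" --no-entropy --context 10 --severity "$severity" --branch "$BRANCH"
        done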

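    - name: Scanning Secrets(Project)
      shell: bash
      # Both inputs come in via env so they can never be parsed as shell.
      env:
        PROJECT: ${{ inputs.project }}
        BRANCH: ${{ inputs.branch }}
      run: |
        # Log-only run against the project rule file staged into the
        # workspace earlier; skipped for the 'temp' sentinel (no project rules).
        if [[ "$PROJECT" != "temp" ]]; then
          trufflehog3 -z -r "${GITHUB_WORKSPACE}/rules.yml" --no-entropy --context 10 --severity HIGH --branch "$BRANCH"
        fi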
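    - name: is_secret
      shell: bash
      id: result
      # Inputs are read from the environment; interpolating `${{ inputs.* }}`
      # into a run script lets a crafted branch or project name execute as
      # shell (classic Actions script injection).
      env:
        PROJECT: ${{ inputs.project }}
        BRANCH: ${{ inputs.branch }}
      run: |
        # Defaults first; the writes further down override them (this step
        # relies on the runner taking the last value written for a key).
        echo "IS_SECRET=false" >> "$GITHUB_OUTPUT"
        echo "SEVERITY=false" >> "$GITHUB_OUTPUT"

        # scan RULES SEVERITY REPORT: one JSON-output run. -z keeps the exit
        # code at zero even when findings exist, so the counts below are the
        # only signal.
        scan() {
          local rules="$1" severity="$2" report="$3"
          trufflehog3 -z -r "$rules" --no-entropy --context 10 --severity "$severity" \
            --branch "$BRANCH" --format json --output "$report"
        }
        # Number of findings in a JSON report. Deliberately fail-closed: if
        # the report is missing or not a JSON array, jq errors and the step
        # fails instead of quietly reporting "no secrets".
        count() { jq length "$1"; }

        project_length=0
        if [[ "$PROJECT" != "temp" ]]; then
          echo "========= Start Project ============"
          scan "${GITHUB_WORKSPACE}/rules.yml" HIGH project_report.json
          project_length=$(count project_report.json)
          sleep 10s  # kept from the original; no visible reason for it
        fi

        echo "========= Start Common ============"
        scan "${GITHUB_WORKSPACE}/common_rules.yml" HIGH   common_high_report.json
        sleep 5s
        scan "${GITHUB_WORKSPACE}/common_rules.yml" MEDIUM common_medium_report.json
        sleep 5s
        scan "${GITHUB_WORKSPACE}/common_rules.yml" LOW    common_low_report.json

        common_high_length=$(count common_high_report.json)
        common_medium_length=$(count common_medium_report.json)
        common_low_length=$(count common_low_report.json)
        # NOTE(review): if --severity is a minimum filter these three counts
        # overlap; only the "> 0" test below depends on them, so that is
        # harmless, but do not report the sum as a finding count.
        total_common_length=$((common_high_length + common_medium_length + common_low_length))

        if (( project_length > 0 || total_common_length > 0 )); then
          echo "==================== Detect Secret ===================="
          echo "IS_SECRET=true" >> "$GITHUB_OUTPUT"
          # Any finding is reported as at least MEDIUM; only a hit from the
          # common HIGH scan raises it to HIGH.
          # NOTE(review): project findings come from a HIGH-severity scan yet
          # still surface as MEDIUM — confirm that is intended.
          echo "SEVERITY=MEDIUM" >> "$GITHUB_OUTPUT"
          if (( common_high_length > 0 )); then
            echo "SEVERITY=HIGH" >> "$GITHUB_OUTPUT"
          fi
        fi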
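    - name: gh auth login
      shell: bash
      env:
        PAT: ${{ inputs.pat }}
      run: |
        # Read the token from the environment only. `${{ env.PAT }}` would
        # expand the token into the generated script, which is written to a
        # temp file on the runner and defeats the point of the env mapping.
        # `required` is not reliably enforced for composite inputs, so check
        # for an empty token explicitly instead of failing inside gh.
        if [[ -z "$PAT" ]]; then
          echo "::error::the 'pat' input is empty"
          exit 1
        fi
        # NOTE(review): exporting GH_TOKEN for the `gh api` step would avoid
        # persisting the credential in the runner's gh config at all.
        printf '%s\n' "$PAT" | gh auth login --with-token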
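    - name: get url
      shell: bash
      id: url
      run: |
        # List the jobs of this run. GITHUB_REPOSITORY / GITHUB_RUN_ID are the
        # runner-provided equivalents of github.repository / github.run_id.
        gh api -H "Accept: application/vnd.github+json" \
          "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}/jobs" > jobs_output.json
        # jq is already required by this action (the is_secret step uses it);
        # `jq -r` prints the bare string just like the previous yq expression.
        URL=$(jq -r '.jobs[].html_url' jobs_output.json)
        echo "$URL"
        # A run with several jobs yields one URL per line. A bare KEY=value
        # line cannot carry a newline, so use the documented heredoc form for
        # multi-line outputs; for a single job the value is unchanged.
        delim="URL_EOF_${RANDOM}${RANDOM}"
        {
          echo "URL<<${delim}"
          echo "$URL"
          echo "${delim}"
        } >> "$GITHUB_OUTPUT"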
    - name: check result
      shell: bash
      # Echo the computed outputs so they are visible in the job log. These
      # values are produced by this action's own steps, not by callers.
      env:
        IS_SECRET: ${{ steps.result.outputs.IS_SECRET }}
        SEVERITY: ${{ steps.result.outputs.SEVERITY }}
        URL: ${{ steps.url.outputs.URL }}
      run: |
        printf 'IS_SECRET: %s\nSEVERITY: %s\nURL: %s\n' "$IS_SECRET" "$SEVERITY" "$URL"
