
chore(deps): bump jupiterVersion from 5.11.3 to 6.0.3 #108

chore(deps): bump jupiterVersion from 5.11.3 to 6.0.3


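# Secret + entropy scan: runs TruffleHog and the repo-local entropy heuristic
# (.github/workflows/compute-entropy.py) over the checked-out tree, then reports
# the result as a PR comment, or as an issue on push/release when the average
# entropy falls outside the 4.3–4.7 "mid-4" band.
name: Entropy Beauty + TruffleHog Scan

# `pull_request` was removed from the trigger list: together with
# `pull_request_target` it made every PR event run this job twice (two comments
# per push), and on fork PRs the `pull_request` run only receives a read-only
# GITHUB_TOKEN, so its comment step failed anyway.
on: [push, release, pull_request_target]

permissions:
  contents: read
  pull-requests: write
  issues: write # must be at workflow level for push/merge events

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # On pull_request_target this checks out the BASE branch. That is what
      # keeps PR-controlled code away from the write-scoped token below
      # (compute-entropy.py is executed from this checkout). It also means the
      # PR's own commits are not in the scanned tree; do not "fix" that by
      # pointing `ref:` at the PR head in this job.
      - name: Checkout code (full history)
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      # TODO(review): pin this to a release tag or full commit SHA rather than
      # the mutable `main` branch (placeholder: trufflesecurity/trufflehog@<RELEASE_TAG_OR_SHA>).
      # A moving ref lets the scanner change without any change in this repo.
      - name: Run TruffleHog
        uses: trufflesecurity/trufflehog@main
        with:
          path: .
          extra_args: --results=verified,unknown --filter-entropy=3.5 --json

      # Writes /tmp/beauty.json ({average_entropy, verdict, files}) read below.
      # NOTE(review): nothing in this workflow visibly writes trufflehog.json,
      # which both reporting steps read — confirm this script produces it.
      - name: Compute mid-4 beauty entropy
        run: python .github/workflows/compute-entropy.py

      - name: Post summary comment (PR only)
        if: github.event_name == 'pull_request_target'
        uses: actions/github-script@v8
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            // TruffleHog output is NDJSON (one JSON object per line).
            // `findings === null` means the output file was absent or unreadable;
            // that is reported separately from "zero findings" so a scan that
            // produced no output cannot be presented as a clean result.
            let findings = null;
            if (fs.existsSync('trufflehog.json')) {
              try {
                const lines = fs.readFileSync('trufflehog.json', 'utf8').trim().split('\n');
                findings = lines
                  .map((line) => {
                    // Malformed lines are dropped rather than failing the whole report
                    try { return JSON.parse(line); } catch (e) { return null; }
                  })
                  .filter(Boolean);
              } catch (e) {
                core.warning(`Could not read trufflehog.json: ${e.message}`);
              }
            } else {
              console.log("No trufflehog.json found, reporting scan output as unavailable");
            }
            const beauty = JSON.parse(fs.readFileSync('/tmp/beauty.json', 'utf8'));
            let body = `## 🐷 TruffleHog + Entropy Beauty Scan\n\n`;
            body += `**Average entropy of changed code:** ${beauty.average_entropy} bits/char\n`;
            body += `**Verdict:** ${beauty.verdict}\n\n`;
            if (beauty.files && beauty.files.length) {
              body += `**Changed files entropy:**\n\`\`\`\n${beauty.files.join('\n')}\n\`\`\`\n\n`;
            }
            if (findings === null) {
              body += `❓ **TruffleHog output (trufflehog.json) not found — secret scan result unavailable**\n`;
            } else if (findings.length > 0) {
              body += `⚠️ **TruffleHog found ${findings.length} potential issue(s)**\n`;
            } else {
              body += `✅ No secrets or suspicious high-entropy strings found.\n`;
            }
            body += `\n*Mid-4 beauty heuristic in action — powered by our entropy chats! 😊*`;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body,
            });

      # ── Create issue on push ONLY if suspicious (entropy outside 4.3–4.7) ──
      - name: Create issue on suspicious push
        if: github.event_name == 'push' || github.event_name == 'release'
        uses: actions/github-script@v8
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const beauty = JSON.parse(fs.readFileSync('/tmp/beauty.json', 'utf8'));
            // Only create an issue when the average entropy is NOT in the mid-4 band
            if (beauty.average_entropy >= 4.3 && beauty.average_entropy <= 4.7) {
              console.log("✅ Mid-4 beauty — no issue created");
              return;
            }
            // Same NDJSON handling as the PR comment step; `null` = output missing.
            let findings = null;
            if (fs.existsSync('trufflehog.json')) {
              try {
                const lines = fs.readFileSync('trufflehog.json', 'utf8').trim().split('\n');
                findings = lines
                  .map((line) => {
                    try { return JSON.parse(line); } catch (e) { return null; }
                  })
                  .filter(Boolean);
              } catch (e) {
                core.warning(`Could not read trufflehog.json: ${e.message}`);
              }
            }
            let body = `**Average entropy:** ${beauty.average_entropy} bits/char\n\n`;
            body += `**Verdict:** ${beauty.verdict}\n\n`;
            if (beauty.files && beauty.files.length) {
              body += `**Changed files:**\n\`\`\`\n${beauty.files.join('\n')}\n\`\`\`\n\n`;
            }
            if (findings === null) {
              body += `❓ **TruffleHog output (trufflehog.json) not found — secret scan result unavailable**\n`;
            } else if (findings.length > 0) {
              body += `**TruffleHog found ${findings.length} potential issue(s)**\n`;
            } else {
              body += `✅ No secrets or suspicious high-entropy strings found.\n`;
            }
            body += `\n*Triggered by push to \`${context.sha}\` — mid-4 beauty heuristic*`;
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `🚨 Suspicious entropy detected in recent push (${beauty.average_entropy})`,
              body,
              labels: ['entropy', 'security', 'review-needed'],
            });
            console.log("⚠️ Created issue because entropy was outside mid-4 range");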