Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Trufflehog new #537

Merged
merged 8 commits into from
Oct 14, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions .github/workflows/trufflehog-scan.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: TruffleHog Scan

on:
push:
branches:
- trufflehog-new
- main
- dev
pull_request:
branches:
- main
- dev

jobs:
trufflehog-scan:
runs-on: ubuntu-22.04
services:
docker:
image: docker:19.03.12
options: --privileged
steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.10'

- name: Set up Docker
run: |
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io

- name: TruffleHog scan
run: |
echo "Starting TruffleHog scan..."
docker run -v "$PWD:/pwd" -v $GITHUB_WORKSPACE:/privado ghcr.io/trufflesecurity/trufflehog:latest filesystem --directory /privado --exclude_paths /privado/trufflehog/exclude-patterns.txt > trufflehog_output.text
python3 $GITHUB_WORKSPACE/trufflehog/trufflehog-exception.py
echo "TruffleHog scan completed."
cat trufflehog_filtered_output.text
if grep -qE 'Found (unverified|verified) result' trufflehog_filtered_output.text; then
echo "TruffleHog found sensitive information. Failing the pipeline."
exit 1
else
echo "No sensitive information found."
fi
4 changes: 3 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -248,4 +248,6 @@ privado
notes.md

#Directory created by IDE
workspace
workspace

trufflehog_filtered_output.text
6 changes: 6 additions & 0 deletions trufflehog/exclude-patterns.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
^/privado/trufflehog_output.text
^/privadot/rufflehog/exclude-patterns.txt
^/privado/.git
^/privado/trufflehog/truffleHogAllowRules.json
^/privado/trufflehog_filtered_output.text
^/privado/rules/
2 changes: 2 additions & 0 deletions trufflehog/truffleHogAllowRules.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
[
]
41 changes: 41 additions & 0 deletions trufflehog/trufflehog-exception.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
import json

# Load patterns from the JSON file
with open("./trufflehog/truffleHogAllowRules.json", "r") as f:
patterns_list = json.load(f)

# Compile the patterns into regex objects
patterns = [re.compile(pattern) for pattern in patterns_list]

# Function to determine if a block should be excluded
def should_exclude(block):
for pattern in patterns:
if any(pattern.search(line) for line in block):
return True
return False

# Read the input file
with open("trufflehog_output.text", "r") as f:
lines = f.readlines()

# Process the file and remove matching blocks
output_lines = []
current_block = []

for line in lines:
if line.startswith("Found unverified result"):
if current_block and not should_exclude(current_block):
output_lines.extend(current_block)
current_block = [line]
else:
current_block.append(line)

# Append the last block if it doesn't match the patterns
if current_block and not should_exclude(current_block):
output_lines.extend(current_block)

# Write the filtered output to a new file
with open("trufflehog_filtered_output.text", "w") as f:
f.writelines(output_lines)

print("Filtered output saved to trufflehog_filtered_output.text")
Loading