Merge branch 'eclipse-tractusx:main' into release-24.12

eclipse-tractusx · Dec 4, 2024 · 13ed456 · 13ed456
2 parents 0e43a71 + 1d85e71
commit 13ed456
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 7 deletions.
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
@@ -53,7 +53,7 @@ jobs:
         with:
           path: ./  # Scan the entire repository
           base: "${{ github.event.repository.default_branch }}"  # Set base branch for comparison (pull requests)
-          extra_args: --filter-entropy=4 --results=verified,unknown --debug
+          extra_args: --filter-entropy=4 --results=verified,unknown --debug --only-verified
 
       - name: Scan Results Status
         if: steps.trufflehog.outcome == 'failure'

diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md
@@ -22,17 +22,36 @@ Configure your GitHub Actions to include:
 - `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`.
 - `push` and `pull_request`: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the main branch. This is the branch from which new releases will be made.
 
-Note: `extra_args: --filter-entropy=4 --results=verified,unknown`
+Note: `extra_args: --filter-entropy=4 --results=verified,unknown --only-verified`
 
-Including `extra_args: --filter-entropy=4 --results=verified,unknown` in the GitHub Actions workflow ensures that TruffleHog focuses on detecting high-entropy strings, which are more likely to be sensitive information such as passwords or API keys. This setup also instructs TruffleHog to report both verified secrets and potential but unverified secrets, providing a comprehensive security scan that helps identify and address all possible vulnerabilities in the code.
+Including `extra_args: --filter-entropy=4 --results=verified,unknown --only-verified` in the GitHub Actions workflow ensures that TruffleHog focuses on detecting high-entropy strings, which are more likely to be sensitive information such as passwords or API keys. This setup also instructs TruffleHog to report both verified secrets and potential but unverified secrets, providing a comprehensive security scan that helps identify and address all possible vulnerabilities in the code. The `--only-verified` flag reduces the appearance of false positives, because only the verified secrets will appear.
 
 Including `run: exit 1` in a step of a GitHub Actions workflow, as demonstrated below, commands the workflow to halt execution. This ensures that should TruffleHog uncover any secrets during its scan, the workflow promptly terminates in failure.
 
 GitHub Actions allows you to define workflows to automatically run TruffleHog scans on your code. You'll see the output that triggered the failure directly in the logs.
 
-Here’s how you can set it up:
+To comply with this TRG, simply create a file under the path: `.github/workflows/trufflehog.yaml` with the following content:
 
 ```yml
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
 name: "TruffleHog"
 
 on:
@@ -64,13 +83,13 @@ jobs:
 
       - name: TruffleHog OSS
         id: trufflehog
-        uses: trufflesecurity/trufflehog@main
+        uses: trufflesecurity/trufflehog@7e78ca385fb82c19568c7a4b341c97d57d9aa5e1
         continue-on-error: true
         with:
           path: ./  # Scan the entire repository
           base: "${{ github.event.repository.default_branch }}"  # Set base branch for comparison (pull requests)
-          extra_args: --filter-entropy=4 --results=verified,unknown --debug
-      
+          extra_args: --filter-entropy=4 --results=verified,unknown --debug --only-verified
+
       - name: Scan Results Status
         if: steps.trufflehog.outcome == 'failure'
         run: exit 1  # Set workflow run to failure if TruffleHog finds secrets