From 3abaa40f1602e1188ad449b08c064fe6fa9caff9 Mon Sep 17 00:00:00 2001
From: Rohan Krishnamurthy
Date: Thu, 27 Jun 2024 14:08:23 +0200
Subject: [PATCH 1/8] docs: Update trg-8-04.md
---
 docs/release/trg-8/trg-8-03.md | 66 +++++++++++++++++++++++++++++-----
 1 file changed, 58 insertions(+), 8 deletions(-)
diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md
index d7179ef2dd1..091519ea8a9 100644
--- a/docs/release/trg-8/trg-8-03.md
+++ b/docs/release/trg-8/trg-8-03.md
@@ -1,26 +1,76 @@ --- -title: TRG 8.03 - GitGuardian +title: TRG 8.03 - TruffleHog --- | Status | Created | Post-History | |--------|-------------|-----------------| +| Update | 27-Jun-2024 | Switching to TruffleHog due to GitGuardian licence expiration| | Active | 26-Mar-2024 | Initial release | | Draft | 04-Mar-2024 | Draft release | ## Why -GitGuardian excels at detecting and preventing leaks of sensitive data in your code repositories, such as API keys, passwords, and other secrets. This can help you avoid security breaches and comply with data privacy regulations. +TruffleHog is an open source tool designed to identify sensitive information, such as API keys, passwords, and other credentials, that may have been inadvertently committed to your code repository. This tool is expected to be used in parallel to the native GitHub Secret Scanning tool. ## Description -GitGuardian is integrated via its GitHub App, enabling automated secret scanning of our repositories. Each pull request undergoes a scan. If a potential secret is detected, the commit's author receives an immediate email notification. +Detecting and removing these secrets is crucial for maintaining the security of your application and infrastructure. TruffleHog performs a thorough search by checking the entire repository history, not just the latest commits. This means it can find secrets that were committed in the past and might still pose a security risk. -If a secret is suspected, the pull request will be locked. Immediate action is required regarding the potential secret due to the high risk associated with exposing secrets. +Configure your GitHub Actions to include: -:::caution +- `workflow dispatch`: Manual workflow execution. +- `schedule`: Schedule the workflow to run at least once a week with 0 0 * * 0. 
+- `push` and `pull_request`: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the main branch. This is the branch from which new releases will be made. -Address all findings. +Note: extra_args: --filter-entropy=4 --results=verified,unknown -::: +Including extra_args: --filter-entropy=4 --results=verified,unknown in the GitHub Actions workflow ensures that TruffleHog focuses on detecting high-entropy strings, which are more likely to be sensitive information such as passwords or API keys. This setup also instructs TruffleHog to report both verified secrets and potential but unverified secrets, providing a comprehensive security scan that helps identify and address all possible vulnerabilities in the code. -The email contains a _temporary **link**_, allowing the author to either **report** the detected secret or **mark it as a false positive**, streamlining the review process for software engineers. +Including run: exit 1 in a step of a GitHub Actions workflow, as demonstrated below, commands the workflow to halt execution. This ensures that should TruffleHog uncover any secrets during its scan, the workflow promptly terminates in failure. + +GitHub Actions allows you to define workflows to automatically run TruffleHog scans on your code. You'll see the output that triggered the failure directly in the logs. 
+ + +Here’s how you can set it up: + +```yml +name: "TruffleHog" + +on: + push: + branches: [ main ] + pull_request: + + workflow_dispatch: + +permissions: + actions: read + contents: read + security-events: write + id-token: write + issues: write + +jobs: + ScanSecrets: + name: Scan secrets + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v3 + with: + fetch-depth: 0 # Ensure full clone for pull request workflows + ref: ${{ github.head_ref }} # Fetch specific branch/commit for pull requests + + - name: TruffleHog OSS + id: trufflehog + uses: trufflesecurity/trufflehog@main + continue-on-error: true + with: + path: ./ # Scan the entire repository + base: "${{ github.event.repository.default_branch }}" # Set base branch for comparison (pull requests) + extra_args: --filter-entropy=4 --results=verified,unknown --debug + + - name: Scan Results Status + if: steps.trufflehog.outcome == 'failure' + run: exit 1 # Set workflow run to failure if TruffleHog finds secrets +``` From 570001de805d0dbe59202ff2fa89c1fba6d9d29a Mon Sep 17 00:00:00 2001 From: Rohan Krishnamurthy Date: Thu, 27 Jun 2024 14:19:59 +0200 Subject: [PATCH 2/8] Update trg-8-03.md --- docs/release/trg-8/trg-8-03.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index 091519ea8a9..aed7e44dcc9 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md @@ -30,7 +30,6 @@ Including run: exit 1 in a step of a GitHub Actions workflow, as demonstrated be GitHub Actions allows you to define workflows to automatically run TruffleHog scans on your code. You'll see the output that triggered the failure directly in the logs. - Here’s how you can set it up: ```yml From 39dc802d4d59adf256570e1106f78b0881d1f76a Mon Sep 17 00:00:00 2001 
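Review bot: The scanner step in the added workflow uses `uses: trufflesecurity/trufflehog@main`, a mutable branch, while the checkout step in the same block pins a version; a workflow the guideline asks every repository to adopt should reference a release tag or full commit SHA so that whatever lands on that branch cannot silently run with the job's token. The `permissions` block also grants `security-events: write`, `id-token: write` and `issues: write` that no step in the block uses — the job only checks out and runs the scanner — so `contents: read` alone is enough. Setting `base:` to the default branch limits the scan to the diff against that branch, which does not match the prose above saying TruffleHog checks the entire repository history; as far as I know the action skips the scan when base and head coincide (pushes to main, scheduled runs), so this is worth verifying, and if full-history scanning with `fetch-depth: 0` is the intent `base:` should go. The `--debug` flag in `extra_args` is absent from the documented `--filter-entropy=4 --results=verified,unknown` line and only adds log noise, so I would drop it. Rewritten lines below.
```yaml
permissions:
  contents: read  # checkout needs only read access; no step writes back to GitHub

# … unchanged: jobs / ScanSecrets / checkout step …

      - name: TruffleHog OSS
        id: trufflehog
        uses: trufflesecurity/trufflehog@<PINNED_TAG_OR_SHA>  # placeholder: pin to a release tag or full commit SHA
        continue-on-error: true
        with:
          path: ./  # no base: scan the full history fetched by fetch-depth: 0
          extra_args: --filter-entropy=4 --results=verified,unknown
```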
From: Rohan Krishnamurthy
Date: Thu, 27 Jun 2024 14:24:10 +0200
Subject: [PATCH 3/8] Update trg-8-03.md
---
 docs/release/trg-8/trg-8-03.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md
index aed7e44dcc9..e3319d3638c 100644
--- a/docs/release/trg-8/trg-8-03.md
+++ b/docs/release/trg-8/trg-8-03.md
@@ -19,14 +19,14 @@ Detecting and removing these secrets is crucial for maintaining the security of Configure your GitHub Actions to include: - `workflow dispatch`: Manual workflow execution. -- `schedule`: Schedule the workflow to run at least once a week with 0 0 * * 0. +- `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`. - `push` and `pull_request`: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the main branch. This is the branch from which new releases will be made. -Note: extra_args: --filter-entropy=4 --results=verified,unknown +Note: `extra_args: --filter-entropy=4 --results=verified,unknown` -Including extra_args: --filter-entropy=4 --results=verified,unknown in the GitHub Actions workflow ensures that TruffleHog focuses on detecting high-entropy strings, which are more likely to be sensitive information such as passwords or API keys. This setup also instructs TruffleHog to report both verified secrets and potential but unverified secrets, providing a comprehensive security scan that helps identify and address all possible vulnerabilities in the code. +Including `extra_args: --filter-entropy=4 --results=verified,unknown` in the GitHub Actions workflow ensures that TruffleHog focuses on detecting high-entropy strings, which are more likely to be sensitive information such as passwords or API keys. This setup also instructs TruffleHog to report both verified secrets and potential but unverified secrets, providing a comprehensive security scan that helps identify and address all possible vulnerabilities in the code. -Including run: exit 1 in a step of a GitHub Actions workflow, as demonstrated below, commands the workflow to halt execution. This ensures that should TruffleHog uncover any secrets during its scan, the workflow promptly terminates in failure. 
+Including `run: exit 1` in a step of a GitHub Actions workflow, as demonstrated below, commands the workflow to halt execution. This ensures that should TruffleHog uncover any secrets during its scan, the workflow promptly terminates in failure. GitHub Actions allows you to define workflows to automatically run TruffleHog scans on your code. You'll see the output that triggered the failure directly in the logs. From 9db59d1af5de8634f0f9ea0a72538010165758f7 Mon Sep 17 00:00:00 2001 From: Rohan Krishnamurthy Date: Mon, 1 Jul 2024 15:06:50 +0200 Subject: [PATCH 4/8] Update trg-8-03.md --- docs/release/trg-8/trg-8-03.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index e3319d3638c..d0aea2c5feb 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md @@ -41,6 +41,8 @@ on: pull_request: workflow_dispatch: + schedule: + - cron: "0 0 * * *" # Once a day permissions: actions: read From 21bc7fdc579bb58987771f32230ee2dc91048870 Mon Sep 17 00:00:00 2001 From: Rohan Krishnamurthy Date: Fri, 23 Aug 2024 14:35:51 +0200 Subject: [PATCH 5/8] Update docs/release/trg-8/trg-8-03.md Co-authored-by: Tom Meyer --- docs/release/trg-8/trg-8-03.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index d0aea2c5feb..8a3c711d015 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md 
@@ -2,11 +2,11 @@ title: TRG 8.03 - TruffleHog --- -| Status | Created | Post-History | -|--------|-------------|-----------------| -| Update | 27-Jun-2024 | Switching to TruffleHog due to GitGuardian licence expiration| -| Active | 26-Mar-2024 | Initial release | -| Draft | 04-Mar-2024 | Draft release | +| Status | Created | Post-History | +|--------|-------------|---------------------------------------------------------------| +| Update | 27-Jun-2024 | Switching to TruffleHog due to GitGuardian licence expiration | +| Active | 26-Mar-2024 | Initial release | +| Draft | 04-Mar-2024 | Draft release | ## Why From a47c1f7404e8a09516cfb8df0c91dc35717c7881 Mon Sep 17 00:00:00 2001 From: Rohan Krishnamurthy Date: Fri, 23 Aug 2024 14:35:59 +0200 Subject: [PATCH 6/8] Update docs/release/trg-8/trg-8-03.md Co-authored-by: ndr_brt --- docs/release/trg-8/trg-8-03.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index 8a3c711d015..f8480584dc3 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md @@ -57,7 +57,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 # Ensure full clone for pull request workflows ref: ${{ github.head_ref }} # Fetch specific branch/commit for pull requests From 6037477c5877ae4aee19efac9da5695b1ceb13f6 Mon Sep 17 00:00:00 2001 From: Rohan Krishnamurthy Date: Fri, 23 Aug 2024 14:43:01 +0200 Subject: [PATCH 7/8] Update trg-8-03.md --- docs/release/trg-8/trg-8-03.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index f8480584dc3..7732b82e00d 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md 
@@ -37,12 +37,13 @@ name: "TruffleHog" on: push: - branches: [ main ] + branches: ["main"] pull_request: - - workflow_dispatch: + # The branches below must be a subset of the branches above + branches: ["main"] schedule: - cron: "0 0 * * *" # Once a day + workflow_dispatch: permissions: actions: read From cb15377618dfd676feb539e29f43588245e6f323 Mon Sep 17 00:00:00 2001 From: Rohan Krishnamurthy Date: Fri, 23 Aug 2024 14:57:52 +0200 Subject: [PATCH 8/8] Update trg-8-03.md --- docs/release/trg-8/trg-8-03.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index 7732b82e00d..cbba14fd480 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md @@ -61,7 +61,6 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 # Ensure full clone for pull request workflows - ref: ${{ github.head_ref }} # Fetch specific branch/commit for pull requests - name: TruffleHog OSS id: trufflehog
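Review bot: The new `branches: ["main"]` filter on `pull_request` (and the existing one on `push`) hard-codes the branch, whereas the prose earlier in this file tells teams to trigger on the branch carrying the currently supported version, "which may not necessarily be the main branch"; a reader copying this block verbatim into a repository that releases from another branch gets no scan on it. I would keep the filter but make the placeholder explicit on both trigger entries, e.g. `branches: ["main"]  # replace with the branch releases are cut from, if that is not main`. The added comment `# The branches below must be a subset of the branches above` reads as carried over from another template; on `pull_request` the filter matches the target branch of the pull request, so a one-line note saying that would avoid confusion.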