fix: onboard new trufflehog action (#280)

mkolasinski-splunk · web-flow · commit 954302281601 · 2024-05-29T10:45:29.000+02:00
This PR updates version of Trufflehog action - secrets scanning tool. edplato/trufflehog-actions-scan@v0.9l-beta is an quite old action (last update Dec 9, 2021) basaed on Trufflehog CLI version 2.2.1 (code missing on github for releases older than v3) New action is officially Trufflehog supported [action](https://github.com/trufflesecurity/trufflehog?tab=readme-ov-file#octocat-trufflehog-github-action) Arguments removed: --max-dept - trufflehog scan with default settings shall fulfill our needs ([reference](https://github.com/marketplace/actions/trufflehog-oss#octocat-trufflehog-github-action)) --allow - all related files (trufflehog-false-positive.json) in github are empty. If need comes for marking false positives, then inline comment `trufflehog:ignore` can be used Tests negative: https://github.com/splunk/splunk-add-on-for-servicenow/actions/runs/9280369321/job/25540435238 https://github.com/splunk/splunk-add-on-for-amazon-web-services/actions/runs/9268640851/job/25540437971 Test positive: https://github.com/splunk/test-addonfactory-repo/actions/runs/9281576021/job/25540353760 Test negative with added file to excluded: https://github.com/splunk/test-addonfactory-repo/actions/runs/9282480287/job/25540598592
diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml
@@ -264,11 +264,12 @@ jobs:
           submodules: false
           fetch-depth: "0"
           ref: ${{ github.head_ref }}
-      - name: Trufflehog Actions Scan
-        uses: edplato/trufflehog-actions-scan@v0.9l-beta
+      - name: Secret Scanning Trufflehog
+        uses: trufflesecurity/trufflehog@v3.77.0
         with:
-          scanArguments: "--max_dept 5 -x .github/workflows/exclude-patterns.txt --allow .github/workflows/trufflehog-false-positive.json"
-
+          extra_args: -x .github/workflows/exclude-patterns.txt --json
+          version: 3.77.0
+          
   semgrep:
     runs-on: ubuntu-latest
     name: security-sast-semgrep
diff --git a/README.md b/README.md
@@ -162,36 +162,31 @@ security-detect-secrets
 
 **Description:**
 
-- This action is intended as a Continuous Integration secret scan in an already "clean" repository. The default commit scan depth is the last 50 commits and can be adjusted using Custom Arguments 
+- This action is intended as a Continuous Integration secret scan in an already "clean" repository.
 
-- The stage checks for addition/deletion of any secret/sensitive data in last 50 commits of the repository.
+- The stage checks for addition/deletion of any secret/sensitive data in referenced commits (commits pushed or commits within PR).
 
-**Action used** https://github.com/edplato/trufflehog-actions-scan
+**Action used** https://github.com/trufflesecurity/trufflehog
 
 **Pass/fail behaviour**
 
-- The stage is likely to fail if there is some sensitive or secrets or confidential data had been removed or added in the last 50 commits.
+- The stage is likely to fail if any sensitive secrets or confidential data were removed or added in the referenced commits.
 
 **Troubleshooting steps for failures if any**
 
 - User would need to update the commit history where the sensitive information is detected.
 
 **Exception File**
 
-- To ignore the file add the path of the file having the false positive in the `.github/workflows/exclude-patterns.txt`, ideally this should be avoided and only specific false positives should be added in exception files.
+- To ignore the file add the path of the file having the false positive in the `.github/workflows/exclude-patterns.txt`, ideally this should be avoided and only specific false positives should be added in exception files. This is file with newline separated regexes for files to exclude in scan.
 
 - False positives include: public keys, random / dummy session keys or tokens.
 
-- We can use this file `.github/workflows/trufflehog-false-positive.json` from action version `>=v0.9l-beta` to add specific failures or regexes. 
-
-- ref for how to add regex to json file : https://github.com/edplato/trufflehog-actions-scan#usage
-
-- **NOTE:** The usage of `.github/workflows/trufflehog-false-positive.json` is not rolled out yet, PR for feature support: https://github.com/splunk/addonfactory-workflow-addon-release/pull/32
-
+- User can add a `trufflehog:ignore` comment on the line containing the secret to ignore that secrets.
 
 **Artifacts:**
 
-- No additional artifacts, the commit info is available in the logs.
+- No additional artifacts, the commit info and secrets details are available in the logs.
 
 
 security-sast-semgrep
diff --git a/renovate.json b/renovate.json
@@ -5,8 +5,5 @@
       ":semanticCommitTypeAll(chore)",
       "schedule:earlyMondays",
       ":disableDependencyDashboard"
-    ],
-    "ignoreDeps": [
-      "edplato/trufflehog-actions-scan"
     ]
-}
+}
