Add trufflehog secret scanner (#2808)

* Fix grype issue * Trufflehog * Truffle infos * [automation] Auto-update linters version, help and documentation * Install trufflehog with docker image * cspell * Downgrade grype * mega-liter-runner ml config * SARIF not available for truffleehog * fix test cases * [MegaLinter] Apply linters fixes * cspell * cli lint mode = project * [MegaLinter] Apply linters fixes * Trufflehog arguments * cli help arg name * trufflehog test case * trufflehog args * build --------- Co-authored-by: nvuillam <nicolas.vuillamy@ox.security> Co-authored-by: nvuillam <nvuillam@users.noreply.github.com>
oxsecurity · Jul 15, 2023 · d491b4e · d491b4e
1 parent f84e76f
commit d491b4e
Show file tree

Hide file tree

Showing 45 changed files with 430 additions and 0 deletions.
diff --git a/.automation/generated/linter-links-previews.json b/.automation/generated/linter-links-previews.json
@@ -549,6 +549,11 @@
     "image": null,
     "title": "Redirecting"
   },
+  "trufflehog": {
+    "description": "Find and verify credentials. Contribute to trufflesecurity/trufflehog development by creating an account on GitHub.",
+    "image": "https://opengraph.githubassets.com/55d7b011372ebd97a601f51e0a882c04765952ec8a9de7f814746cc71a64face/trufflesecurity/trufflehog",
+    "title": "GitHub - trufflesecurity/trufflehog: Find and verify credentials"
+  },
   "ts-standard": {
     "description": "English \u2022 Espan\u0303ol (Latinoame\u0301rica) \u2022 Franc\u0327ais \u2022 Bahasa Indonesia \u2022 Italiano (Italian) \u2022 \u65e5\u672c\u8a9e (Japanese) \u2022 \u1112\u1161\u11ab\u1100\u116e\u11a8\u110b\u1165 (Korean) \u2022 Portugue\u0302s (Brasil) \u2022 \u7b80\u4f53\u4e2d\u6587 (Simplified Chinese) \u2022 \u7e41\u9ad4\u4e2d\u6587 (Taiwanese Mandarin).",
     "image": null,

diff --git a/.automation/test/gitleaks/bad/keys b/.automation/test/gitleaks/bad/keys
@@ -0,0 +1,44 @@
+Basic auth:
+
+https://admin:admin@the-internet.herokuapp.com/basic_auth
+
+Private key:
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAjNIZuun
+xgLkM8KuzfmQuRAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDe3Al0EMPz
+utVNk5DixaYrGMK56RqUoqGBinke6SWVWmqom1lBcJWzor6HlnMRPPr7YCEsJKL4IpuVwu
+inRa5kdtNTyM7yyQTSR2xXCS0fUItNuq8pUktsH8VUggpMeew8hJv7rFA7tnIg3UXCl6iF
+OLZKbDA5aa24idpcD8b1I9/RzTOB1fu0of5xd9vgODzGw5JvHQSJ0FaA42aNBMGwrDhDB3
+sgnRNdWf6NNIh8KpXXMKJADf3klsyn6He8L2bPMp8a4wwys2YB35p5zQ0JURovsdewlOxH
+NT7eP19eVf4dCreibxUmRUaob5DEoHEk8WrxjKWIYUuLeD6AfcW6oXyRU2Yy8Vrt6SqFl5
+WAi47VMFTkDZYS/eCvG53q9UBHpCj7Qvb0vSkCZXBvBIhlw193F3PX4WvO1IXsMwvQ1D1X
+lmomsItbqM0cJyKw6LU18QWiBHvE7BqcphaoL5E08W2ATTSRIMCp6rt4rptM7KyGK8rc6W
+UYrCnWt6KlCA8AAAWQXk+lVx6bH5itIKKYmQr6cR/5xtZ2GHAxnYtvlW3xnGhU0MHv+lJ2
+uoWlT2RXE5pdMUQj7rNWAMqkwifSKZs9wBfYeo1TaFDmC3nW7yHSN3XTuO78mPIW5JyvmE
+Rj5qjsUn7fNmzECoAxnVERhwnF3KqUBEPzIAc6/7v/na9NTiiGaJPco9lvCoPWbVLN08WG
+SuyU+0x5zc3ebzuPcYqu5/c5nmiGxhALrIhjIS0OV1mtAAFhvdMjMIHOijOzSKVCC7rRk5
+kG9EMLNvOn/DUVSRHamw5gs2V3V+Zq2g5nYWfgq8aDSTB8XlIzOj1cz3HwfN6pfSNQ/3Qe
+wOQfWfTWdO+JSL8aoBN5Wg8tDbgmvmbFrINsJfFfSm0wZgcHhC7Ul4U3v4c8PoNdK9HXwi
+TKKzJ9nxLYb+vDh50cnkseu2gt0KwVpjIorxEqeK755mKPao3JmOMr6uFTQsb+g+ZNgPwl
+nRHA4Igx+zADFj3twldnKIiRpBQ5J4acur3uQ+saanBTXgul1TiFiUGT2cnz+IiCsdPovg
+TAMt868W5LmzpfH4Cy54JtaRC4/UuMnkTGbWgutVDnWj2stOAzsQ1YmhH5igUmc94mUL+W
+8vQDCKpeI8n+quDS9zxTvy4L4H5Iz7OZlh0h6N13BDvCYXKcNF/ugkfxZbu8mZsZQQzXNR
+wOrEtKoHc4AnXYNzsuHEoEyLyJxGfFRDSTLbyN9wFOS/c0k9Gjte+kQRZjBVGORE5sN6X3
+akUnTF76RhbEc+LamrwM1h5340bwosRbR8I+UrsQdFfJBEj1ZSyMRJlMkFUNi6blt7bhyx
+ea+Pm2A614nlYUBjw2KKzzn8N/0H2NpJjIptvDsbrx3BS/rKwOeJwavRrGnIlEzuAag4vx
+Zb2TPVta45uz7fQP5IBl83b0BJKI5Zv/fniUeLI78W/UsZqb64YQbfRyBzFtI1T/SsCi0B
+e0EyKMzbxtSceT1Mb8eJiVIq04Xpwez9fIUt5rSedZD8KPq8P6s0cGsR7Qmw6eXZ/dBR/a
+s5vPhfIUmQawmnwAVuWNRdQQ79jUBSn5M+ZRVVTgEG+vFyvxr/bZqOo1JCoq5BmQhLWGRJ
+Dk9TolbeFIVFrkuXkcu99a079ux7XSkON64oPzHrcsEzjPA1GPqs9CGBSO16wq/nI3zg+E
+kcOCaurc9yHJJPwduem0+8WLX3WoGNfQRKurtQze2ppy8KarEtDhDd96sKkhYaqOg3GOX8
+Yx827L4vuWSJSIqKuO2kH6kOCMUNO16piv0z/8u3CJxOGh9+4FZIop81fiFTKLhV3/gwLm
+fzFY++KIZrLfZcUjzd80NNEja69F452Eb9HrI5BurN/PznDEi9bzM598Y7beyl4/kd4R2e
+S7SW9/LOrGw5UgxtiU+kV8nPz1PdgxO4sRlnntSBEwkQBzMkLOpq2h2BuJ2TlMP/TWuwLQ
+sDkv1Yk1pD0roGmtMzbujnURGxqRJ8gUmuIot4hpfyRSssvnRQQZ3lQCQCwHiE+HJxXWf5
+c58zOMjW7o21tI8e13uUnbRoQVJM9XYqk1usPXIkYPYL9uOw3AW/Zn+cnDrsXvTK9ZxgGD
+/90b1BNwVqMlUK+QggHNwl5qD8eoXK5cDvav66te+E+V7FYFQ06w3tytRVz8SjoaiChN02
+muIjvl6G7Hoj1hObM2t/ZheN1EShS11z868hhS6Mx7GvIdtkXuvdiBYMiBLOshJQxB8Mzx
+iug9W+Di3upLf0UMC1TqADGphsIHRU7RbmHQ8Rwp7dogswmDfpRSapPt9p0D+6Ad5VBzi3
+f3BPXj76UBLMEJCrZR1P28vnAA7AyNHaLvMPlWDMG5v3V/UV+ugyFcoBAOyjiQgYST8F3e
+Hx7UPVlTK8dyvk1Z+Yw0nrfNClI=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/.cspell.json b/.cspell.json
@@ -433,6 +433,7 @@
         "TFLINT",
         "THIRDPARTY",
         "TIBANNA",
+        "TRUFFLEHOG",
         "TSQL",
         "TSQLLINT",
         "TYPECHECK",
@@ -1370,6 +1371,8 @@
         "trimstart",
         "trivyignore",
         "trollface",
+        "trufflehog",
+        "trufflesecurity",
         "tsql",
         "tsqllint",
         "tsqllintrc",

diff --git a/.github/workflows/deploy-BETA-linters.yml b/.github/workflows/deploy-BETA-linters.yml
@@ -156,6 +156,7 @@ jobs:
             "repository_syft",
             "repository_trivy",
             "repository_trivy_sbom",
+            "repository_trufflehog",
             "rst_rst_lint",
             "rst_rstcheck",
             "rst_rstfmt",

diff --git a/.github/workflows/deploy-DEV-linters.yml b/.github/workflows/deploy-DEV-linters.yml
@@ -145,6 +145,7 @@ jobs:
             "repository_syft",
             "repository_trivy",
             "repository_trivy_sbom",
+            "repository_trufflehog",
             "rst_rst_lint",
             "rst_rstcheck",
             "rst_rstfmt",

diff --git a/.github/workflows/deploy-RELEASE-linters.yml b/.github/workflows/deploy-RELEASE-linters.yml
@@ -132,6 +132,7 @@ jobs:
             "repository_syft",
             "repository_trivy",
             "repository_trivy_sbom",
+            "repository_trufflehog",
             "rst_rst_lint",
             "rst_rstcheck",
             "rst_rstfmt",

diff --git a/Dockerfile b/Dockerfile
@@ -36,6 +36,7 @@ RUN GOBIN=/usr/bin go install github.com/checkmarx/dustilock@v1.2.0
 
 FROM zricethezav/gitleaks:v8.17.0 as gitleaks
 FROM checkmarx/kics:alpine as kics
+FROM trufflesecurity/trufflehog:latest as trufflehog
 FROM jdkato/vale:latest as vale
 FROM lycheeverse/lychee:latest-alpine as lychee
 FROM ghcr.io/terraform-linters/tflint:v0.47.0 as tflint
@@ -327,6 +328,7 @@ COPY --link --from=dustilock /usr/bin/dustilock /usr/bin/dustilock
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
 COPY --link --from=kics /app/bin/kics /usr/bin/
 COPY --from=kics /app/bin/assets /opt/kics/assets/
+COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
 COPY --link --from=vale /bin/vale /bin/vale
 COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/
 COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/
@@ -705,6 +707,9 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh |
 # Next line commented because already managed by another linter
 # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 
+# trufflehog installation
+# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
+
 # sfdx-scanner-apex installation
     && sfdx plugins:install @salesforce/sfdx-scanner \
     && npm cache clean --force || true \

diff --git a/docs/standalone-linters.md b/docs/standalone-linters.md
@@ -85,6 +85,7 @@
 | REPOSITORY_SYFT                   | oxsecurity/megalinter-only-repository_syft:beta                   |          ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_syft/beta)          |
 | REPOSITORY_TRIVY                  | oxsecurity/megalinter-only-repository_trivy:beta                  |         ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_trivy/beta)          |
 | REPOSITORY_TRIVY_SBOM             | oxsecurity/megalinter-only-repository_trivy_sbom:beta             |       ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_trivy_sbom/beta)       |
+| REPOSITORY_TRUFFLEHOG             | oxsecurity/megalinter-only-repository_trufflehog:beta             |       ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_trufflehog/beta)       |
 | RST_RST_LINT                      | oxsecurity/megalinter-only-rst_rst_lint:beta                      |           ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-rst_rst_lint/beta)            |
 | RST_RSTCHECK                      | oxsecurity/megalinter-only-rst_rstcheck:beta                      |           ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-rst_rstcheck/beta)            |
 | RST_RSTFMT                        | oxsecurity/megalinter-only-rst_rstfmt:beta                        |            ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-rst_rstfmt/beta)             |

diff --git a/flavors/ci_light/Dockerfile b/flavors/ci_light/Dockerfile
@@ -17,6 +17,7 @@ FROM mvdan/shfmt:latest-alpine as shfmt
 FROM hadolint/hadolint:v2.12.0-alpine as hadolint
 FROM mrtazz/checkmake:latest as checkmake
 FROM zricethezav/gitleaks:v8.17.0 as gitleaks
+FROM trufflesecurity/trufflehog:latest as trufflehog
 #FROM__END
 
 ##################
@@ -170,6 +171,7 @@ COPY --link --from=shfmt /bin/shfmt /usr/bin/
 COPY --link --from=hadolint /bin/hadolint /usr/bin/hadolint
 COPY --link --from=checkmake /checkmake /usr/bin/checkmake
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
+COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
 #COPY__END
 
 #############################################################################################
@@ -205,6 +207,9 @@ RUN wget -q -O - https://raw.githubusercontent.com/dotenv-linter/dotenv-linter/m
 # Next line commented because already managed by another linter
 # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 
+# trufflehog installation
+# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
+
 #OTHER__END
 
 ################################

diff --git a/flavors/ci_light/flavor.json b/flavors/ci_light/flavor.json
@@ -21,6 +21,7 @@
         "REPOSITORY_SECRETLINT",
         "REPOSITORY_TRIVY",
         "REPOSITORY_TRIVY_SBOM",
+        "REPOSITORY_TRUFFLEHOG",
         "XML_XMLLINT",
         "YAML_PRETTIER",
         "YAML_YAMLLINT",

diff --git a/flavors/cupcake/Dockerfile b/flavors/cupcake/Dockerfile
@@ -32,6 +32,7 @@ FROM mrtazz/checkmake:latest as checkmake
 FROM ghcr.io/phpstan/phpstan:latest-php8.1 as phpstan
 FROM zricethezav/gitleaks:v8.17.0 as gitleaks
 FROM checkmarx/kics:alpine as kics
+FROM trufflesecurity/trufflehog:latest as trufflehog
 FROM lycheeverse/lychee:latest-alpine as lychee
 FROM ghcr.io/terraform-linters/tflint:v0.47.0 as tflint
 FROM tenable/terrascan:1.18.1 as terrascan
@@ -284,6 +285,7 @@ COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bi
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
 COPY --link --from=kics /app/bin/kics /usr/bin/
 COPY --from=kics /app/bin/assets /opt/kics/assets/
+COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
 COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/
 COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/
 COPY --link --from=terrascan /go/bin/terrascan /usr/bin/
@@ -477,6 +479,9 @@ RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/
 # Next line commented because already managed by another linter
 # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 
+# trufflehog installation
+# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
+
 # lychee installation
 # Managed with COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/
 

diff --git a/flavors/cupcake/flavor.json b/flavors/cupcake/flavor.json
@@ -70,6 +70,7 @@
         "REPOSITORY_SEMGREP",
         "REPOSITORY_TRIVY",
         "REPOSITORY_TRIVY_SBOM",
+        "REPOSITORY_TRUFFLEHOG",
         "RST_RST_LINT",
         "RST_RSTCHECK",
         "RST_RSTFMT",

diff --git a/flavors/documentation/Dockerfile b/flavors/documentation/Dockerfile
@@ -25,6 +25,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
 FROM mrtazz/checkmake:latest as checkmake
 FROM yoheimuta/protolint:latest as protolint
 FROM zricethezav/gitleaks:v8.17.0 as gitleaks
+FROM trufflesecurity/trufflehog:latest as trufflehog
 FROM jdkato/vale:latest as vale
 FROM lycheeverse/lychee:latest-alpine as lychee
 #FROM__END
@@ -221,6 +222,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/
 COPY --link --from=checkmake /checkmake /usr/bin/checkmake
 COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
+COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
 COPY --link --from=vale /bin/vale /bin/vale
 COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/
 #COPY__END
@@ -286,6 +288,9 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
 # Next line commented because already managed by another linter
 # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 
+# trufflehog installation
+# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
+
 # vale installation
 # Managed with COPY --link --from=vale /bin/vale /bin/vale
 

diff --git a/flavors/documentation/flavor.json b/flavors/documentation/flavor.json
@@ -42,6 +42,7 @@
         "REPOSITORY_SEMGREP",
         "REPOSITORY_TRIVY",
         "REPOSITORY_TRIVY_SBOM",
+        "REPOSITORY_TRUFFLEHOG",
         "SNAKEMAKE_LINT",
         "SNAKEMAKE_SNAKEFMT",
         "SPELL_CSPELL",

diff --git a/flavors/dotnet/Dockerfile b/flavors/dotnet/Dockerfile
@@ -25,6 +25,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
 FROM mrtazz/checkmake:latest as checkmake
 FROM yoheimuta/protolint:latest as protolint
 FROM zricethezav/gitleaks:v8.17.0 as gitleaks
+FROM trufflesecurity/trufflehog:latest as trufflehog
 FROM jdkato/vale:latest as vale
 FROM lycheeverse/lychee:latest-alpine as lychee
 #FROM__END
@@ -240,6 +241,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/
 COPY --link --from=checkmake /checkmake /usr/bin/checkmake
 COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
+COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
 COPY --link --from=vale /bin/vale /bin/vale
 COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/
 #COPY__END
@@ -371,6 +373,9 @@ RUN curl --retry 5 --retry-delay 5 -sLO "${ARM_TTK_URI}" \
 # Next line commented because already managed by another linter
 # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 
+# trufflehog installation
+# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
+
 # vale installation
 # Managed with COPY --link --from=vale /bin/vale /bin/vale
 

diff --git a/flavors/dotnet/flavor.json b/flavors/dotnet/flavor.json
@@ -56,6 +56,7 @@
         "REPOSITORY_SEMGREP",
         "REPOSITORY_TRIVY",
         "REPOSITORY_TRIVY_SBOM",
+        "REPOSITORY_TRUFFLEHOG",
         "SNAKEMAKE_LINT",
         "SNAKEMAKE_SNAKEFMT",
         "SPELL_CSPELL",

diff --git a/flavors/dotnetweb/Dockerfile b/flavors/dotnetweb/Dockerfile
@@ -25,6 +25,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
 FROM mrtazz/checkmake:latest as checkmake
 FROM yoheimuta/protolint:latest as protolint
 FROM zricethezav/gitleaks:v8.17.0 as gitleaks
+FROM trufflesecurity/trufflehog:latest as trufflehog
 FROM jdkato/vale:latest as vale
 FROM lycheeverse/lychee:latest-alpine as lychee
 #FROM__END
@@ -260,6 +261,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/
 COPY --link --from=checkmake /checkmake /usr/bin/checkmake
 COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
+COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
 COPY --link --from=vale /bin/vale /bin/vale
 COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/
 #COPY__END
@@ -391,6 +393,9 @@ RUN curl --retry 5 --retry-delay 5 -sLO "${ARM_TTK_URI}" \
 # Next line commented because already managed by another linter
 # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 
+# trufflehog installation
+# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
+
 # vale installation
 # Managed with COPY --link --from=vale /bin/vale /bin/vale
 

diff --git a/flavors/dotnetweb/flavor.json b/flavors/dotnetweb/flavor.json
@@ -62,6 +62,7 @@
         "REPOSITORY_SEMGREP",
         "REPOSITORY_TRIVY",
         "REPOSITORY_TRIVY_SBOM",
+        "REPOSITORY_TRUFFLEHOG",
         "SNAKEMAKE_LINT",
         "SNAKEMAKE_SNAKEFMT",
         "SPELL_CSPELL",

diff --git a/flavors/go/Dockerfile b/flavors/go/Dockerfile
@@ -31,6 +31,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
 FROM mrtazz/checkmake:latest as checkmake
 FROM yoheimuta/protolint:latest as protolint
 FROM zricethezav/gitleaks:v8.17.0 as gitleaks
+FROM trufflesecurity/trufflehog:latest as trufflehog
 FROM jdkato/vale:latest as vale
 FROM lycheeverse/lychee:latest-alpine as lychee
 #FROM__END
@@ -229,6 +230,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/
 COPY --link --from=checkmake /checkmake /usr/bin/checkmake
 COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
+COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
 COPY --link --from=vale /bin/vale /bin/vale
 COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/
 #COPY__END
@@ -301,6 +303,9 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
 # Next line commented because already managed by another linter
 # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 
+# trufflehog installation
+# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
+
 # vale installation
 # Managed with COPY --link --from=vale /bin/vale /bin/vale
 

diff --git a/flavors/go/flavor.json b/flavors/go/flavor.json
@@ -44,6 +44,7 @@
         "REPOSITORY_SEMGREP",
         "REPOSITORY_TRIVY",
         "REPOSITORY_TRIVY_SBOM",
+        "REPOSITORY_TRUFFLEHOG",
         "SNAKEMAKE_LINT",
         "SNAKEMAKE_SNAKEFMT",
         "SPELL_CSPELL",

diff --git a/flavors/java/Dockerfile b/flavors/java/Dockerfile
@@ -25,6 +25,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
 FROM mrtazz/checkmake:latest as checkmake
 FROM yoheimuta/protolint:latest as protolint
 FROM zricethezav/gitleaks:v8.17.0 as gitleaks
+FROM trufflesecurity/trufflehog:latest as trufflehog
 FROM jdkato/vale:latest as vale
 FROM lycheeverse/lychee:latest-alpine as lychee
 #FROM__END
@@ -221,6 +222,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/
 COPY --link --from=checkmake /checkmake /usr/bin/checkmake
 COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
+COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
 COPY --link --from=vale /bin/vale /bin/vale
 COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/
 #COPY__END
@@ -362,6 +364,9 @@ RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${P
 # Next line commented because already managed by another linter
 # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 
+# trufflehog installation
+# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
+
 # vale installation
 # Managed with COPY --link --from=vale /bin/vale /bin/vale
 

diff --git a/flavors/java/flavor.json b/flavors/java/flavor.json
@@ -48,6 +48,7 @@
         "REPOSITORY_SEMGREP",
         "REPOSITORY_TRIVY",
         "REPOSITORY_TRIVY_SBOM",
+        "REPOSITORY_TRUFFLEHOG",
         "SNAKEMAKE_LINT",
         "SNAKEMAKE_SNAKEFMT",
         "SPELL_CSPELL",

diff --git a/flavors/javascript/Dockerfile b/flavors/javascript/Dockerfile
@@ -24,6 +24,7 @@ FROM mstruebing/editorconfig-checker:2.7.0 as editorconfig-checker
 FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
 FROM yoheimuta/protolint:latest as protolint
 FROM zricethezav/gitleaks:v8.17.0 as gitleaks
+FROM trufflesecurity/trufflehog:latest as trufflehog
 FROM jdkato/vale:latest as vale
 FROM lycheeverse/lychee:latest-alpine as lychee
 #FROM__END
@@ -241,6 +242,7 @@ COPY --link --from=editorconfig-checker /usr/bin/ec /usr/bin/editorconfig-checke
 COPY --link --from=kubeconform /kubeconform /usr/bin/
 COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
+COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
 COPY --link --from=vale /bin/vale /bin/vale
 COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/
 #COPY__END
@@ -303,6 +305,9 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
 # Next line commented because already managed by another linter
 # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 
+# trufflehog installation
+# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
+
 # vale installation
 # Managed with COPY --link --from=vale /bin/vale /bin/vale