From d491b4e1537d870c4226e79983caba007017d929 Mon Sep 17 00:00:00 2001 
From: Nicolas Vuillamy Date: Sat, 15 Jul 2023 16:05:25 +0200 Subject: [PATCH] Add trufflehog secret scanner (#2808) * Fix grype issue * Trufflehog * Truffle infos * [automation] Auto-update linters version, help and documentation * Install trufflehog with docker image * cspell * Downgrade grype * mega-liter-runner ml config * SARIF not available for truffleehog * fix test cases * [MegaLinter] Apply linters fixes * cspell * cli lint mode = project * [MegaLinter] Apply linters fixes * Trufflehog arguments * cli help arg name * trufflehog test case * trufflehog args * build --------- Co-authored-by: nvuillam Co-authored-by: nvuillam --- .../generated/linter-links-previews.json | 5 + .automation/test/gitleaks/bad/keys | 44 ++++ .cspell.json | 3 + .github/workflows/deploy-BETA-linters.yml | 1 + .github/workflows/deploy-DEV-linters.yml | 1 + .github/workflows/deploy-RELEASE-linters.yml | 1 + Dockerfile | 5 + docs/standalone-linters.md | 1 + flavors/ci_light/Dockerfile | 5 + flavors/ci_light/flavor.json | 1 + flavors/cupcake/Dockerfile | 5 + flavors/cupcake/flavor.json | 1 + flavors/documentation/Dockerfile | 5 + flavors/documentation/flavor.json | 1 + flavors/dotnet/Dockerfile | 5 + flavors/dotnet/flavor.json | 1 + flavors/dotnetweb/Dockerfile | 5 + flavors/dotnetweb/flavor.json | 1 + flavors/go/Dockerfile | 5 + flavors/go/flavor.json | 1 + flavors/java/Dockerfile | 5 + flavors/java/flavor.json | 1 + flavors/javascript/Dockerfile | 5 + flavors/javascript/flavor.json | 1 + flavors/php/Dockerfile | 5 + flavors/php/flavor.json | 1 + flavors/python/Dockerfile | 5 + flavors/python/flavor.json | 1 + flavors/ruby/Dockerfile | 5 + flavors/ruby/flavor.json | 1 + flavors/rust/Dockerfile | 5 + flavors/rust/flavor.json | 1 + flavors/salesforce/Dockerfile | 5 + flavors/salesforce/flavor.json | 1 + flavors/security/Dockerfile | 5 + flavors/security/flavor.json | 1 + flavors/swift/Dockerfile | 5 + flavors/swift/flavor.json | 1 + flavors/terraform/Dockerfile | 5 + 
flavors/terraform/flavor.json | 1 + linters/repository_trufflehog/Dockerfile | 213 ++++++++++++++++++ megalinter/descriptors/all_flavors.json | 16 ++ .../repository.megalinter-descriptor.yml | 29 +++ .../megalinter-configuration.jsonschema.json | 1 + .../linters/repository_trufflehog_test.py | 14 ++ 45 files changed, 430 insertions(+) create mode 100644 .automation/test/gitleaks/bad/keys create mode 100644 linters/repository_trufflehog/Dockerfile create mode 100644 megalinter/tests/test_megalinter/linters/repository_trufflehog_test.py diff --git a/.automation/generated/linter-links-previews.json b/.automation/generated/linter-links-previews.json index 175c024a7b4..b10deae791b 100644 --- a/.automation/generated/linter-links-previews.json +++ b/.automation/generated/linter-links-previews.json @@ -549,6 +549,11 @@ "image": null, "title": "Redirecting" }, + "trufflehog": { + "description": "Find and verify credentials. Contribute to trufflesecurity/trufflehog development by creating an account on GitHub.", + "image": "https://opengraph.githubassets.com/55d7b011372ebd97a601f51e0a882c04765952ec8a9de7f814746cc71a64face/trufflesecurity/trufflehog", + "title": "GitHub - trufflesecurity/trufflehog: Find and verify credentials" + }, "ts-standard": { "description": "English \u2022 Espan\u0303ol (Latinoame\u0301rica) \u2022 Franc\u0327ais \u2022 Bahasa Indonesia \u2022 Italiano (Italian) \u2022 \u65e5\u672c\u8a9e (Japanese) \u2022 \u1112\u1161\u11ab\u1100\u116e\u11a8\u110b\u1165 (Korean) \u2022 Portugue\u0302s (Brasil) \u2022 \u7b80\u4f53\u4e2d\u6587 (Simplified Chinese) \u2022 \u7e41\u9ad4\u4e2d\u6587 (Taiwanese Mandarin).", "image": null, diff --git a/.automation/test/gitleaks/bad/keys b/.automation/test/gitleaks/bad/keys new file mode 100644 index 00000000000..aa504a82046 --- /dev/null +++ b/.automation/test/gitleaks/bad/keys 
@@ -0,0 +1,44 @@
+Basic auth:
+
+https://admin:admin@the-internet.herokuapp.com/basic_auth
+
+Private key:
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAjNIZuun
+xgLkM8KuzfmQuRAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDe3Al0EMPz
+utVNk5DixaYrGMK56RqUoqGBinke6SWVWmqom1lBcJWzor6HlnMRPPr7YCEsJKL4IpuVwu
+inRa5kdtNTyM7yyQTSR2xXCS0fUItNuq8pUktsH8VUggpMeew8hJv7rFA7tnIg3UXCl6iF
+OLZKbDA5aa24idpcD8b1I9/RzTOB1fu0of5xd9vgODzGw5JvHQSJ0FaA42aNBMGwrDhDB3
+sgnRNdWf6NNIh8KpXXMKJADf3klsyn6He8L2bPMp8a4wwys2YB35p5zQ0JURovsdewlOxH
+NT7eP19eVf4dCreibxUmRUaob5DEoHEk8WrxjKWIYUuLeD6AfcW6oXyRU2Yy8Vrt6SqFl5
+WAi47VMFTkDZYS/eCvG53q9UBHpCj7Qvb0vSkCZXBvBIhlw193F3PX4WvO1IXsMwvQ1D1X
+lmomsItbqM0cJyKw6LU18QWiBHvE7BqcphaoL5E08W2ATTSRIMCp6rt4rptM7KyGK8rc6W
+UYrCnWt6KlCA8AAAWQXk+lVx6bH5itIKKYmQr6cR/5xtZ2GHAxnYtvlW3xnGhU0MHv+lJ2
+uoWlT2RXE5pdMUQj7rNWAMqkwifSKZs9wBfYeo1TaFDmC3nW7yHSN3XTuO78mPIW5JyvmE
+Rj5qjsUn7fNmzECoAxnVERhwnF3KqUBEPzIAc6/7v/na9NTiiGaJPco9lvCoPWbVLN08WG
+SuyU+0x5zc3ebzuPcYqu5/c5nmiGxhALrIhjIS0OV1mtAAFhvdMjMIHOijOzSKVCC7rRk5
+kG9EMLNvOn/DUVSRHamw5gs2V3V+Zq2g5nYWfgq8aDSTB8XlIzOj1cz3HwfN6pfSNQ/3Qe
+wOQfWfTWdO+JSL8aoBN5Wg8tDbgmvmbFrINsJfFfSm0wZgcHhC7Ul4U3v4c8PoNdK9HXwi
+TKKzJ9nxLYb+vDh50cnkseu2gt0KwVpjIorxEqeK755mKPao3JmOMr6uFTQsb+g+ZNgPwl
+nRHA4Igx+zADFj3twldnKIiRpBQ5J4acur3uQ+saanBTXgul1TiFiUGT2cnz+IiCsdPovg
+TAMt868W5LmzpfH4Cy54JtaRC4/UuMnkTGbWgutVDnWj2stOAzsQ1YmhH5igUmc94mUL+W
+8vQDCKpeI8n+quDS9zxTvy4L4H5Iz7OZlh0h6N13BDvCYXKcNF/ugkfxZbu8mZsZQQzXNR
+wOrEtKoHc4AnXYNzsuHEoEyLyJxGfFRDSTLbyN9wFOS/c0k9Gjte+kQRZjBVGORE5sN6X3
+akUnTF76RhbEc+LamrwM1h5340bwosRbR8I+UrsQdFfJBEj1ZSyMRJlMkFUNi6blt7bhyx
+ea+Pm2A614nlYUBjw2KKzzn8N/0H2NpJjIptvDsbrx3BS/rKwOeJwavRrGnIlEzuAag4vx
+Zb2TPVta45uz7fQP5IBl83b0BJKI5Zv/fniUeLI78W/UsZqb64YQbfRyBzFtI1T/SsCi0B
+e0EyKMzbxtSceT1Mb8eJiVIq04Xpwez9fIUt5rSedZD8KPq8P6s0cGsR7Qmw6eXZ/dBR/a
+s5vPhfIUmQawmnwAVuWNRdQQ79jUBSn5M+ZRVVTgEG+vFyvxr/bZqOo1JCoq5BmQhLWGRJ
+Dk9TolbeFIVFrkuXkcu99a079ux7XSkON64oPzHrcsEzjPA1GPqs9CGBSO16wq/nI3zg+E
+kcOCaurc9yHJJPwduem0+8WLX3WoGNfQRKurtQze2ppy8KarEtDhDd96sKkhYaqOg3GOX8
+Yx827L4vuWSJSIqKuO2kH6kOCMUNO16piv0z/8u3CJxOGh9+4FZIop81fiFTKLhV3/gwLm
+fzFY++KIZrLfZcUjzd80NNEja69F452Eb9HrI5BurN/PznDEi9bzM598Y7beyl4/kd4R2e
+S7SW9/LOrGw5UgxtiU+kV8nPz1PdgxO4sRlnntSBEwkQBzMkLOpq2h2BuJ2TlMP/TWuwLQ
+sDkv1Yk1pD0roGmtMzbujnURGxqRJ8gUmuIot4hpfyRSssvnRQQZ3lQCQCwHiE+HJxXWf5
+c58zOMjW7o21tI8e13uUnbRoQVJM9XYqk1usPXIkYPYL9uOw3AW/Zn+cnDrsXvTK9ZxgGD
+/90b1BNwVqMlUK+QggHNwl5qD8eoXK5cDvav66te+E+V7FYFQ06w3tytRVz8SjoaiChN02
+muIjvl6G7Hoj1hObM2t/ZheN1EShS11z868hhS6Mx7GvIdtkXuvdiBYMiBLOshJQxB8Mzx
+iug9W+Di3upLf0UMC1TqADGphsIHRU7RbmHQ8Rwp7dogswmDfpRSapPt9p0D+6Ad5VBzi3
+f3BPXj76UBLMEJCrZR1P28vnAA7AyNHaLvMPlWDMG5v3V/UV+ugyFcoBAOyjiQgYST8F3e
+Hx7UPVlTK8dyvk1Z+Yw0nrfNClI=
+-----END OPENSSH PRIVATE KEY-----
\ No newline at end of file
diff --git a/.cspell.json b/.cspell.json
index 0d8ea1769e6..f4ad685636f 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -433,6 +433,7 @@
 "TFLINT",
 "THIRDPARTY",
 "TIBANNA",
+ "TRUFFLEHOG",
 "TSQL",
 "TSQLLINT",
 "TYPECHECK",
@@ -1370,6 +1371,8 @@
 "trimstart",
 "trivyignore",
 "trollface",
+ "trufflehog",
+ "trufflesecurity",
 "tsql",
 "tsqllint",
 "tsqllintrc",
diff --git a/.github/workflows/deploy-BETA-linters.yml b/.github/workflows/deploy-BETA-linters.yml
index a7bfe2e2f99..6472ba760ff 100644
--- a/.github/workflows/deploy-BETA-linters.yml
+++ b/.github/workflows/deploy-BETA-linters.yml
@@ -156,6 +156,7 @@ jobs:
 "repository_syft",
 "repository_trivy",
 "repository_trivy_sbom",
+ "repository_trufflehog",
 "rst_rst_lint",
 "rst_rstcheck",
 "rst_rstfmt",
diff --git a/.github/workflows/deploy-DEV-linters.yml b/.github/workflows/deploy-DEV-linters.yml
index b287de25b9d..2a02a92d979 100644
--- a/.github/workflows/deploy-DEV-linters.yml
+++ b/.github/workflows/deploy-DEV-linters.yml
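Review bot: The new fixture `.automation/test/gitleaks/bad/keys` commits a complete OpenSSH private key and an `https://admin:admin@…` URL into permanent git history with nothing in the file marking them as deliberate test data. The first base64 line decodes to an `openssh-key-v1` header naming `aes256-ctr` and `bcrypt`, so the key appears to be passphrase-protected, but nothing here shows it was generated solely for this test and never used anywhere else — confirm that, and record it in a leading line of the fixture, e.g. `Throwaway key generated for MegaLinter secret-scanner tests; never used anywhere. Do not reuse.` Two practical consequences follow: every secret scanner run against this repository (including MegaLinter linting itself) will now flag this path, so it needs a matching allowlist entry, and the basic-auth URL points at a live third-party host, which matters because trufflehog's documented default is to verify detected credentials by contacting the service — whether the new descriptor disables that is not visible in this chunk.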
@@ -145,6 +145,7 @@ jobs:
 "repository_syft",
 "repository_trivy",
 "repository_trivy_sbom",
+ "repository_trufflehog",
 "rst_rst_lint",
 "rst_rstcheck",
 "rst_rstfmt",
diff --git a/.github/workflows/deploy-RELEASE-linters.yml b/.github/workflows/deploy-RELEASE-linters.yml
index 0e3f77ed8e1..7fa8e8a5cea 100644
--- a/.github/workflows/deploy-RELEASE-linters.yml
+++ b/.github/workflows/deploy-RELEASE-linters.yml
@@ -132,6 +132,7 @@ jobs:
 "repository_syft",
 "repository_trivy",
 "repository_trivy_sbom",
+ "repository_trufflehog",
 "rst_rst_lint",
 "rst_rstcheck",
 "rst_rstfmt",
diff --git a/Dockerfile b/Dockerfile
index 85d5ed03e43..85503db820c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -36,6 +36,7 @@ RUN GOBIN=/usr/bin go install github.com/checkmarx/dustilock@v1.2.0
 FROM zricethezav/gitleaks:v8.17.0 as gitleaks
 FROM checkmarx/kics:alpine as kics
+FROM trufflesecurity/trufflehog:latest as trufflehog
 FROM jdkato/vale:latest as vale
 FROM lycheeverse/lychee:latest-alpine as lychee
 FROM ghcr.io/terraform-linters/tflint:v0.47.0 as tflint
@@ -327,6 +328,7 @@ COPY --link --from=dustilock /usr/bin/dustilock /usr/bin/dustilock
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
 COPY --link --from=kics /app/bin/kics /usr/bin/
 COPY --from=kics /app/bin/assets /opt/kics/assets/
+COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
 COPY --link --from=vale /bin/vale /bin/vale
 COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/
 COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/
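Review bot: The new `FROM trufflesecurity/trufflehog:latest as trufflehog` stage pulls a security scanner by a floating tag, while the neighbouring scanner stages in the same hunk are pinned (`gitleaks:v8.17.0`, `tflint:v0.47.0`), and the second hunk then copies whatever that tag resolved to into the image as `/usr/bin/trufflehog`. With a mutable tag, two builds of the same commit can ship different scanner versions, scan results can change with no diff in this repository, and a re-pushed or compromised upstream tag lands in every published MegaLinter image unnoticed. Pin it to an explicit release tag that the existing "Auto-update linters version" automation can bump, or to an image digest, e.g. `FROM trufflesecurity/trufflehog:<release> as trufflehog` or `FROM trufflesecurity/trufflehog@sha256:<digest> as trufflehog`. The same unpinned line is repeated in every flavor Dockerfile in this patch, which look generated from the linter descriptor, so the pin presumably belongs in the descriptor's install definition rather than in each Dockerfile.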
@@ -705,6 +707,9 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh |
 # Next line commented because already managed by another linter
 # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+# trufflehog installation
+# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
+
 # sfdx-scanner-apex installation
 && sfdx plugins:install @salesforce/sfdx-scanner \
 && npm cache clean --force || true \
diff --git a/docs/standalone-linters.md b/docs/standalone-linters.md
index 7df789f7215..432c138b910 100644
--- a/docs/standalone-linters.md
+++ b/docs/standalone-linters.md
@@ -85,6 +85,7 @@ | REPOSITORY_SYFT | oxsecurity/megalinter-only-repository_syft:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_syft/beta) | | REPOSITORY_TRIVY | oxsecurity/megalinter-only-repository_trivy:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_trivy/beta) | | REPOSITORY_TRIVY_SBOM | oxsecurity/megalinter-only-repository_trivy_sbom:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_trivy_sbom/beta) | +| REPOSITORY_TRUFFLEHOG | oxsecurity/megalinter-only-repository_trufflehog:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_trufflehog/beta) | | RST_RST_LINT | oxsecurity/megalinter-only-rst_rst_lint:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-rst_rst_lint/beta) | | RST_RSTCHECK | oxsecurity/megalinter-only-rst_rstcheck:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-rst_rstcheck/beta) | | RST_RSTFMT | oxsecurity/megalinter-only-rst_rstfmt:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-rst_rstfmt/beta) | diff --git a/flavors/ci_light/Dockerfile b/flavors/ci_light/Dockerfile index e0a9c8a3df6..168faf5397f 100644 --- a/flavors/ci_light/Dockerfile +++ b/flavors/ci_light/Dockerfile @@ -17,6 +17,7 @@ FROM mvdan/shfmt:latest-alpine as shfmt FROM hadolint/hadolint:v2.12.0-alpine as hadolint FROM mrtazz/checkmake:latest as checkmake FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog #FROM__END ################## 
@@ -170,6 +171,7 @@ COPY --link --from=shfmt /bin/shfmt /usr/bin/ COPY --link --from=hadolint /bin/hadolint /usr/bin/hadolint COPY --link --from=checkmake /checkmake /usr/bin/checkmake COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ #COPY__END ############################################################################################# @@ -205,6 +207,9 @@ RUN wget -q -O - https://raw.githubusercontent.com/dotenv-linter/dotenv-linter/m # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + #OTHER__END ################################ diff --git a/flavors/ci_light/flavor.json b/flavors/ci_light/flavor.json index ce34b1f7cf2..2cc5b066ff7 100644 --- a/flavors/ci_light/flavor.json +++ b/flavors/ci_light/flavor.json @@ -21,6 +21,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "XML_XMLLINT", "YAML_PRETTIER", "YAML_YAMLLINT", diff --git a/flavors/cupcake/Dockerfile b/flavors/cupcake/Dockerfile index 35f131ed8df..1c914007400 100644 --- a/flavors/cupcake/Dockerfile +++ b/flavors/cupcake/Dockerfile @@ -32,6 +32,7 @@ FROM mrtazz/checkmake:latest as checkmake FROM ghcr.io/phpstan/phpstan:latest-php8.1 as phpstan FROM zricethezav/gitleaks:v8.17.0 as gitleaks FROM checkmarx/kics:alpine as kics +FROM trufflesecurity/trufflehog:latest as trufflehog FROM lycheeverse/lychee:latest-alpine as lychee FROM ghcr.io/terraform-linters/tflint:v0.47.0 as tflint FROM tenable/terrascan:1.18.1 as terrascan 
@@ -284,6 +285,7 @@ COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bi COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ COPY --link --from=kics /app/bin/kics /usr/bin/ COPY --from=kics /app/bin/assets /opt/kics/assets/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/ COPY --link --from=terrascan /go/bin/terrascan /usr/bin/ @@ -477,6 +479,9 @@ RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/ # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # lychee installation # Managed with COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ diff --git a/flavors/cupcake/flavor.json b/flavors/cupcake/flavor.json index 2117c222e5f..20fc8abe61f 100644 --- a/flavors/cupcake/flavor.json +++ b/flavors/cupcake/flavor.json @@ -70,6 +70,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "RST_RST_LINT", "RST_RSTCHECK", "RST_RSTFMT", diff --git a/flavors/documentation/Dockerfile b/flavors/documentation/Dockerfile index 4f41b751f29..148f6af646f 100644 --- a/flavors/documentation/Dockerfile +++ b/flavors/documentation/Dockerfile @@ -25,6 +25,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM mrtazz/checkmake:latest as checkmake FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -221,6 +222,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=checkmake /checkmake /usr/bin/checkmake COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -286,6 +288,9 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/documentation/flavor.json b/flavors/documentation/flavor.json index 1e829e661a1..d2ffe9fd296 100644 --- a/flavors/documentation/flavor.json +++ b/flavors/documentation/flavor.json @@ -42,6 +42,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/dotnet/Dockerfile b/flavors/dotnet/Dockerfile index 2daa3d8c0ab..83d3f35cd99 100644 --- a/flavors/dotnet/Dockerfile +++ b/flavors/dotnet/Dockerfile @@ -25,6 +25,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM mrtazz/checkmake:latest as checkmake FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -240,6 +241,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=checkmake /checkmake /usr/bin/checkmake COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -371,6 +373,9 @@ RUN curl --retry 5 --retry-delay 5 -sLO "${ARM_TTK_URI}" \ # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/dotnet/flavor.json b/flavors/dotnet/flavor.json index 9aada612a4a..7677c7666a7 100644 --- a/flavors/dotnet/flavor.json +++ b/flavors/dotnet/flavor.json @@ -56,6 +56,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/dotnetweb/Dockerfile b/flavors/dotnetweb/Dockerfile index 8b7149b8995..dfa4912accd 100644 --- a/flavors/dotnetweb/Dockerfile +++ b/flavors/dotnetweb/Dockerfile @@ -25,6 +25,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM mrtazz/checkmake:latest as checkmake FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -260,6 +261,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=checkmake /checkmake /usr/bin/checkmake COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -391,6 +393,9 @@ RUN curl --retry 5 --retry-delay 5 -sLO "${ARM_TTK_URI}" \ # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/dotnetweb/flavor.json b/flavors/dotnetweb/flavor.json index 71e02372211..d0817f860e6 100644 --- a/flavors/dotnetweb/flavor.json +++ b/flavors/dotnetweb/flavor.json @@ -62,6 +62,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/go/Dockerfile b/flavors/go/Dockerfile index 58d67bd8a0d..0acd96fc9c4 100644 --- a/flavors/go/Dockerfile +++ b/flavors/go/Dockerfile @@ -31,6 +31,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM mrtazz/checkmake:latest as checkmake FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -229,6 +230,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=checkmake /checkmake /usr/bin/checkmake COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -301,6 +303,9 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/go/flavor.json b/flavors/go/flavor.json index 64b640a71ff..bd0c4d79b89 100644 --- a/flavors/go/flavor.json +++ b/flavors/go/flavor.json @@ -44,6 +44,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/java/Dockerfile b/flavors/java/Dockerfile index d293109a680..60a2e42d987 100644 --- a/flavors/java/Dockerfile +++ b/flavors/java/Dockerfile @@ -25,6 +25,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM mrtazz/checkmake:latest as checkmake FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -221,6 +222,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=checkmake /checkmake /usr/bin/checkmake COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -362,6 +364,9 @@ RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${P # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/java/flavor.json b/flavors/java/flavor.json index 6fc62ba83b6..bbf54ce8b02 100644 --- a/flavors/java/flavor.json +++ b/flavors/java/flavor.json @@ -48,6 +48,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/javascript/Dockerfile b/flavors/javascript/Dockerfile index 70751e36d34..0e77dfb0aa9 100644 --- a/flavors/javascript/Dockerfile +++ b/flavors/javascript/Dockerfile @@ -24,6 +24,7 @@ FROM mstruebing/editorconfig-checker:2.7.0 as editorconfig-checker FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -241,6 +242,7 @@ COPY --link --from=editorconfig-checker /usr/bin/ec /usr/bin/editorconfig-checke COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -303,6 +305,9 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/javascript/flavor.json b/flavors/javascript/flavor.json index c8a3a9019c2..7827e8e698e 100644 --- a/flavors/javascript/flavor.json +++ b/flavors/javascript/flavor.json @@ -48,6 +48,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/php/Dockerfile b/flavors/php/Dockerfile index 0203a4b2b9a..8846adbcff2 100644 --- a/flavors/php/Dockerfile +++ b/flavors/php/Dockerfile @@ -25,6 +25,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM ghcr.io/phpstan/phpstan:latest-php8.1 as phpstan FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -232,6 +233,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bin/phpstan COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -328,6 +330,9 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/php/flavor.json b/flavors/php/flavor.json index 852021dd109..56fe604a497 100644 --- a/flavors/php/flavor.json +++ b/flavors/php/flavor.json @@ -46,6 +46,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/python/Dockerfile b/flavors/python/Dockerfile index 7039a304eb1..1f5a7fe062a 100644 --- a/flavors/python/Dockerfile +++ b/flavors/python/Dockerfile @@ -25,6 +25,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM mrtazz/checkmake:latest as checkmake FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -232,6 +233,7 @@ COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=checkmake /checkmake /usr/bin/checkmake COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -301,6 +303,9 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/python/flavor.json b/flavors/python/flavor.json index 96b61bfda2f..dbb6effdf86 100644 --- a/flavors/python/flavor.json +++ b/flavors/python/flavor.json @@ -50,6 +50,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "RST_RST_LINT", "RST_RSTCHECK", "RST_RSTFMT", diff --git a/flavors/ruby/Dockerfile b/flavors/ruby/Dockerfile index 7ed36409bc6..0a4365f77e2 100644 --- a/flavors/ruby/Dockerfile +++ b/flavors/ruby/Dockerfile @@ -24,6 +24,7 @@ FROM mstruebing/editorconfig-checker:2.7.0 as editorconfig-checker FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -225,6 +226,7 @@ COPY --link --from=editorconfig-checker /usr/bin/ec /usr/bin/editorconfig-checke COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -287,6 +289,9 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/ruby/flavor.json b/flavors/ruby/flavor.json index 05c2966acac..43872fd5a5a 100644 --- a/flavors/ruby/flavor.json +++ b/flavors/ruby/flavor.json @@ -41,6 +41,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "RUBY_RUBOCOP", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", diff --git a/flavors/rust/Dockerfile b/flavors/rust/Dockerfile index fb03d6e7291..118efb23f73 100644 --- a/flavors/rust/Dockerfile +++ b/flavors/rust/Dockerfile @@ -24,6 +24,7 @@ FROM mstruebing/editorconfig-checker:2.7.0 as editorconfig-checker FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -219,6 +220,7 @@ COPY --link --from=editorconfig-checker /usr/bin/ec /usr/bin/editorconfig-checke COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -281,6 +283,9 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/rust/flavor.json b/flavors/rust/flavor.json index d71766b88fa..c6db111e2fe 100644 --- a/flavors/rust/flavor.json +++ b/flavors/rust/flavor.json @@ -41,6 +41,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "RUST_CLIPPY", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", diff --git a/flavors/salesforce/Dockerfile b/flavors/salesforce/Dockerfile index eb0d990cb6e..bfdbb59766f 100644 --- a/flavors/salesforce/Dockerfile +++ b/flavors/salesforce/Dockerfile @@ -24,6 +24,7 @@ FROM mstruebing/editorconfig-checker:2.7.0 as editorconfig-checker FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -222,6 +223,7 @@ COPY --link --from=editorconfig-checker /usr/bin/ec /usr/bin/editorconfig-checke COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -290,6 +292,9 @@ RUN echo y|sfdx plugins:install sfdx-hardis \ # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # sfdx-scanner-apex installation && sfdx plugins:install @salesforce/sfdx-scanner \ && npm cache clean --force || true \ diff --git a/flavors/salesforce/flavor.json b/flavors/salesforce/flavor.json index f6c4cbdfb7b..1ec8062873b 100644 --- a/flavors/salesforce/flavor.json +++ b/flavors/salesforce/flavor.json @@ -43,6 +43,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SALESFORCE_SFDX_SCANNER_APEX", "SALESFORCE_SFDX_SCANNER_AURA", "SALESFORCE_SFDX_SCANNER_LWC", diff --git a/flavors/security/Dockerfile b/flavors/security/Dockerfile index fa3505ec64a..e17f0304c26 100644 --- a/flavors/security/Dockerfile +++ b/flavors/security/Dockerfile @@ -20,6 +20,7 @@ RUN GOBIN=/usr/bin go install github.com/checkmarx/dustilock@v1.2.0 FROM zricethezav/gitleaks:v8.17.0 as gitleaks FROM checkmarx/kics:alpine as kics +FROM trufflesecurity/trufflehog:latest as trufflehog FROM ghcr.io/terraform-linters/tflint:v0.47.0 as tflint FROM tenable/terrascan:1.18.1 as terrascan FROM alpine/terragrunt:latest as terragrunt 
@@ -179,6 +180,7 @@ COPY --link --from=dustilock /usr/bin/dustilock /usr/bin/dustilock COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ COPY --link --from=kics /app/bin/kics /usr/bin/ COPY --from=kics /app/bin/assets /opt/kics/assets/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/ COPY --link --from=terrascan /go/bin/terrascan /usr/bin/ COPY --link --from=terragrunt /usr/local/bin/terragrunt /usr/bin/ @@ -239,6 +241,9 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # tflint installation # Managed with COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/ diff --git a/flavors/security/flavor.json b/flavors/security/flavor.json index 675eb08aac7..0adcf34dd04 100644 --- a/flavors/security/flavor.json +++ b/flavors/security/flavor.json @@ -22,6 +22,7 @@ "REPOSITORY_SYFT", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "TERRAFORM_TFLINT", "TERRAFORM_TERRASCAN", "TERRAFORM_TERRAGRUNT" diff --git a/flavors/swift/Dockerfile b/flavors/swift/Dockerfile index 4b3dd2f6900..fe5c5a7b571 100644 --- a/flavors/swift/Dockerfile +++ b/flavors/swift/Dockerfile @@ -24,6 +24,7 @@ FROM mstruebing/editorconfig-checker:2.7.0 as editorconfig-checker FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee #FROM__END 
@@ -221,6 +222,7 @@ COPY --link --from=editorconfig-checker /usr/bin/ec /usr/bin/editorconfig-checke COPY --link --from=kubeconform /kubeconform /usr/bin/ COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ #COPY__END @@ -284,6 +286,9 @@ RUN rc-update add docker boot && rc-service docker start || true \ # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/swift/flavor.json b/flavors/swift/flavor.json index bc9d9d0baf9..77538bee8bd 100644 --- a/flavors/swift/flavor.json +++ b/flavors/swift/flavor.json @@ -41,6 +41,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/terraform/Dockerfile b/flavors/terraform/Dockerfile index 7d927e26ba7..8a980a6b61f 100644 --- a/flavors/terraform/Dockerfile +++ b/flavors/terraform/Dockerfile @@ -25,6 +25,7 @@ FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform FROM yoheimuta/protolint:latest as protolint FROM zricethezav/gitleaks:v8.17.0 as gitleaks FROM checkmarx/kics:alpine as kics +FROM trufflesecurity/trufflehog:latest as trufflehog FROM jdkato/vale:latest as vale FROM lycheeverse/lychee:latest-alpine as lychee FROM ghcr.io/terraform-linters/tflint:v0.47.0 as tflint 
@@ -227,6 +228,7 @@ COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/ COPY --link --from=kics /app/bin/kics /usr/bin/ COPY --from=kics /app/bin/assets /opt/kics/assets/ +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ COPY --link --from=vale /bin/vale /bin/vale COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/ @@ -299,6 +301,9 @@ RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/ # Next line commented because already managed by another linter # RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/terraform/flavor.json b/flavors/terraform/flavor.json index 8409edcac8f..3221d859758 100644 --- a/flavors/terraform/flavor.json +++ b/flavors/terraform/flavor.json @@ -42,6 +42,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/linters/repository_trufflehog/Dockerfile b/linters/repository_trufflehog/Dockerfile new file mode 100644 index 00000000000..50518dad8d5 --- /dev/null +++ b/linters/repository_trufflehog/Dockerfile 
@@ -0,0 +1,213 @@ +# syntax=docker/dockerfile:1 +########################################### +########################################### +## Dockerfile to run MegaLinter ## +########################################### +########################################### + +# @not-generated + +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# +#FROM__START +FROM trufflesecurity/trufflehog:latest as trufflehog +#FROM__END + +################## +# Get base image # +################## +FROM python:3.11.4-alpine3.17 +ARG GITHUB_TOKEN + +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# +#ARG__START + +#ARG__END + +#################### +# Run APK installs # +#################### + +WORKDIR / + +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# +#APK__START +RUN apk add --no-cache \ + bash \ + ca-certificates \ + curl \ + gcc \ + git \ + git-lfs \ + libffi-dev \ + make \ + musl-dev \ + openssh \ + && git config --global core.autocrlf true +#APK__END + +# PATH for golang & python +ENV GOROOT=/usr/lib/go \ + GOPATH=/go + # PYTHONPYCACHEPREFIX="$HOME/.cache/cpython/" NV: not working for all packages :/ +# hadolint ignore=DL3044 +ENV PATH="$PATH":"$GOROOT"/bin:"$GOPATH"/bin +RUN mkdir -p ${GOPATH}/src ${GOPATH}/bin || true && \ + # Ignore npm package issues + yarn config set ignore-engines 
true || true + +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# +#PIP__START + +#PIP__END + +#PIPVENV__START + +#PIPVENV__END + +############################ +# Install NPM dependencies # +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# + +ENV NODE_OPTIONS="--max-old-space-size=8192" \ + NODE_ENV=production +#NPM__START + +#NPM__END + +# Add node packages to path # +ENV PATH="/node-deps/node_modules/.bin:${PATH}" \ + NODE_PATH="/node-deps/node_modules" + +############################## +# Installs ruby dependencies # +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# + +#GEM__START + +#GEM__END + +############################## +# Installs rust dependencies # +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# + +#CARGO__START + +#CARGO__END + +############################## +# COPY instructions # +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## 
+############################################################################################# + +#COPY__START +COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ +#COPY__END + +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# +#OTHER__START +# trufflehog installation +# Managed with COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + +#OTHER__END + +################################ +# Installs python dependencies # +################################ +COPY megalinter /megalinter +RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \ + && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \ + && rm -rf /var/cache/apk/* \ + && find . | grep -E "(/__pycache__$|\.pyc$|\.pyo$)" | xargs rm -rf + +####################################### +# Copy scripts and rules to container # +####################################### +COPY megalinter/descriptors /megalinter-descriptors +COPY TEMPLATES /action/lib/.automation + +# Copy server scripts +COPY server /server + +########################### +# Get the build arguments # +########################### +ARG BUILD_DATE +ARG BUILD_REVISION +ARG BUILD_VERSION + +################################################# +# Set ENV values used for debugging the version # +################################################# +ENV BUILD_DATE=$BUILD_DATE \ + BUILD_REVISION=$BUILD_REVISION \ + BUILD_VERSION=$BUILD_VERSION + +#FLAVOR__START +ENV MEGALINTER_FLAVOR=none +#FLAVOR__END + +######################################### +# Label the instance and set maintainer # +######################################### +LABEL com.github.actions.name="MegaLinter" \ + com.github.actions.description="The ultimate linters aggregator to make sure your projects are clean" \ + 
com.github.actions.icon="code" \ + com.github.actions.color="red" \ + maintainer="Nicolas Vuillamy " \ + org.opencontainers.image.created=$BUILD_DATE \ + org.opencontainers.image.revision=$BUILD_REVISION \ + org.opencontainers.image.version=$BUILD_VERSION \ + org.opencontainers.image.authors="Nicolas Vuillamy " \ + org.opencontainers.image.url="https://megalinter.io" \ + org.opencontainers.image.source="https://github.com/oxsecurity/megalinter" \ + org.opencontainers.image.documentation="https://megalinter.io" \ + org.opencontainers.image.vendor="Nicolas Vuillamy" \ + org.opencontainers.image.description="Lint your code base with GitHub Actions" + +#EXTRA_DOCKERFILE_LINES__START +ENV ENABLE_LINTERS=REPOSITORY_TRUFFLEHOG \ + FLAVOR_SUGGESTIONS=false \ + SINGLE_LINTER=REPOSITORY_TRUFFLEHOG \ + PRINT_ALPACA=false \ + LOG_FILE=none \ + SARIF_REPORTER=true \ + TEXT_REPORTER=false \ + UPDATED_SOURCES_REPORTER=false \ + GITHUB_STATUS_REPORTER=false \ + GITHUB_COMMENT_REPORTER=false \ + EMAIL_REPORTER=false \ + FILEIO_REPORTER=false \ + CONFIG_REPORTER=false \ + SARIF_TO_HUMAN=false +RUN mkdir /root/docker_ssh && mkdir /usr/bin/megalinter-sh +EXPOSE 22 +COPY entrypoint.sh /entrypoint.sh +COPY sh /usr/bin/megalinter-sh +COPY sh/megalinter_exec /usr/bin/megalinter_exec +COPY sh/motd /etc/motd +RUN find /usr/bin/megalinter-sh/ -type f -iname "*.sh" -exec chmod +x {} \; && \ + chmod +x entrypoint.sh && \ + chmod +x /usr/bin/megalinter_exec && \ + echo "alias megalinter='python -m megalinter.run'" >> ~/.bashrc && source ~/.bashrc && \ + echo "alias megalinter_exec='/usr/bin/megalinter_exec'" >> ~/.bashrc && source ~/.bashrc +RUN export STANDALONE_LINTER_VERSION="$(python -m megalinter.run --input /tmp --linterversion)" && \ + echo $STANDALONE_LINTER_VERSION +ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] +#EXTRA_DOCKERFILE_LINES__END diff --git a/megalinter/descriptors/all_flavors.json b/megalinter/descriptors/all_flavors.json index 725cf06c229..650f2cf5351 100644 
--- a/megalinter/descriptors/all_flavors.json +++ b/megalinter/descriptors/all_flavors.json @@ -22,6 +22,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "XML_XMLLINT", "YAML_PRETTIER", "YAML_YAMLLINT", @@ -100,6 +101,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "RST_RST_LINT", "RST_RSTCHECK", "RST_RSTFMT", @@ -169,6 +171,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -242,6 +245,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -323,6 +327,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -390,6 +395,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -455,6 +461,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -520,6 +527,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -587,6 +595,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -654,6 +663,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "RST_RST_LINT", "RST_RSTCHECK", "RST_RSTFMT", @@ -715,6 +725,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "RUBY_RUBOCOP", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", 
@@ -774,6 +785,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "RUST_CLIPPY", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", @@ -835,6 +847,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SALESFORCE_SFDX_SCANNER_APEX", "SALESFORCE_SFDX_SCANNER_AURA", "SALESFORCE_SFDX_SCANNER_LWC", @@ -877,6 +890,7 @@ "REPOSITORY_SYFT", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "TERRAFORM_TFLINT", "TERRAFORM_TERRASCAN", "TERRAFORM_TERRAGRUNT" @@ -925,6 +939,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -985,6 +1000,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/megalinter/descriptors/repository.megalinter-descriptor.yml b/megalinter/descriptors/repository.megalinter-descriptor.yml index d583cb2fb52..bb3f42a500d 100644 --- a/megalinter/descriptors/repository.megalinter-descriptor.yml +++ b/megalinter/descriptors/repository.megalinter-descriptor.yml 
@@ -534,3 +534,32 @@ linters: vscode: - name: VSCode Trivy url: https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-vulnerability-scanner + + # TRUFFLEHOG + - linter_name: trufflehog + descriptor_flavors: + - all_flavors # Applicable to CI in any language project + - ci_light + - cupcake + - security + linter_speed: 2 + linter_url: https://github.com/trufflesecurity/trufflehog + linter_repo: https://github.com/trufflesecurity/trufflehog + linter_banner_image_url: https://storage.googleapis.com/trufflehog-static-sources/pixel_pig.png + linter_rules_configuration_url: https://github.com/trufflesecurity/trufflehog#regex-detector-alpha + cli_lint_mode: project + cli_config_arg_name: "--config" + config_file_name: .trufflehog.yml + cli_lint_extra_args: + - filesystem + - "." + - --fail + cli_help_arg_name: --help + cli_version_arg_name: --version + examples: + - "trufflehog filesystem ." + install: + dockerfile: + - FROM trufflesecurity/trufflehog:latest as trufflehog + - COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/ + test_folder: gitleaks diff --git a/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json b/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json index c65f78b3e90..eeb4a2e7adb 100644 --- a/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json +++ b/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json @@ -193,6 +193,7 @@ "REPOSITORY_SYFT", "REPOSITORY_TRIVY", "REPOSITORY_TRIVY_SBOM", + "REPOSITORY_TRUFFLEHOG", "RST_RST_LINT", "RST_RSTCHECK", "RST_RSTFMT", diff --git a/megalinter/tests/test_megalinter/linters/repository_trufflehog_test.py b/megalinter/tests/test_megalinter/linters/repository_trufflehog_test.py new file mode 100644 index 00000000000..74f9ffd75a4 --- /dev/null +++ b/megalinter/tests/test_megalinter/linters/repository_trufflehog_test.py 
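Review bot: The install line `- FROM trufflesecurity/trufflehog:latest as trufflehog` pins nothing, while the gitleaks stage that sits next to it in every generated flavor Dockerfile in this patch is pinned to `zricethezav/gitleaks:v8.17.0`; a floating tag on a scanner that reads every file in the repository means each image build silently pulls whatever the registry serves that day, which is non-reproducible and an avoidable supply-chain exposure. Pin it to a release tag, ideally with a digest, so the upgrade becomes an explicit, reviewable commit, e.g. `- FROM trufflesecurity/trufflehog:vX.Y.Z@sha256:<digest> as trufflehog`, and let the existing auto-update automation bump it. Separately, `cli_lint_extra_args` runs `filesystem . --fail` with verification left at trufflehog's default; if that default is live verification (as I recall it is), each candidate secret found is sent to the issuing provider over the network to test whether it is active, so a short comment on the descriptor and a line in the generated docs telling users on restricted or air-gapped runners to pass `--no-verification` through the linter's arguments variable would save surprises.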
@@ -0,0 +1,14 @@ +# !/usr/bin/env python3 +""" +Unit tests for REPOSITORY linter trufflehog +This class has been automatically @generated by .automation/build.py, please don't update it manually +""" + +from unittest import TestCase + +from megalinter.tests.test_megalinter.LinterTestRoot import LinterTestRoot + + +class repository_trufflehog_test(TestCase, LinterTestRoot): + descriptor_id = "REPOSITORY" + linter_name = "trufflehog"