| 12345678910111213141516171819202122232425262728293031323334353637383940 |
- #!/usr/bin/env bash
- # Copyright Materialize, Inc. and contributors. All rights reserved.
- #
- # Use of this software is governed by the Business Source License
- # included in the LICENSE file at the root of this repository.
- #
- # As of the Change Date specified in that file, in accordance with
- # the Business Source License, use of this software will be governed
- # by the Apache License, Version 2.0.
- #
- # check-trufflehog.sh - Scan repository for secrets
- set -euo pipefail
- cd "$(dirname "$0")/../../../.."
- . misc/shlib/shlib.bash
- if ! trufflehog --version >/dev/null 2>/dev/null; then
- echo "lint: trufflehog is not installed"
- echo "hint: refer to https://github.com/trufflesecurity/trufflehog?tab=readme-ov-file#floppy_disk-installation for install instructions"
- exit 1
- fi
- git ls-files -z | grep -zv '^misc/shlib/shlib\.bash$' | xargs -0 trufflehog --no-fail --no-update --no-verification --json filesystem | trufflehog_jq_filter_files > trufflehog.log
- try test ! -s trufflehog.log
- if try_last_failed; then
- printf "%s\n" "lint: $(red error:) new secrets found"
- printf "%s\n" "lint: $(green hint:) don't check in secrets and revoke them immediately"
- printf "%s\n" "lint: $(green hint:) mark false positives in misc/shlib/shlib.bash's trufflehog_jq_filter_(files|common)"
- fi
- jq -c -r '. | "\(.SourceMetadata.Data.Filesystem.file):\(.SourceMetadata.Data.Filesystem.line): Secret found: \(.Raw)"' trufflehog.log
- rm -f trufflehog.log
- try_status_report
|
