Update trufflehog logging
Bug in trufflehog logging
Trufflehog currently logs the command it ran and also prints a command for users to run locally when a secret is found. There is now an issue caused by the creation of a default trufflehog config file that may exist only within the pipeline run. The job now always tells the user that --config trufflehog-config.yaml should be used locally to replicate the pipeline's scan, but that file may not exist in the project. When the project has no config file, the printed trufflehog3 command always fails.
Example
An example is the following trufflehog failure, which tells the user to run a command locally that will fail because there is no trufflehog-config file in the project.
Testing
- A failure doesn't display the --config flag when this file doesn't exist locally
- Successful test showing that whitelisting is still functional
Acceptance Criteria
- Update trufflehog job to log a usable command
- Check if the config variable is set and a config file exists in the pipeline; if both are true, display the --config flag, and if not, hide the --config flag in the log

Note: The --config flag always needs to be included in the subprocess command
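One way to implement these criteria, as an added example and not the project's own job code; the trufflehog3 invocation, the PIPELINE_CONFIG file name and the injectable exists predicate are assumptions:

```python
import os
import shlex
from typing import Callable, List, Optional, Tuple

# Assumed name of the default config the pipeline writes for its own run;
# the real job's file name and variable name are not taken from the project.
PIPELINE_CONFIG = "trufflehog-config.yaml"


def project_config(config_var: Optional[str], project_dir: str,
                   exists: Callable[[str], bool] = os.path.isfile) -> Optional[str]:
    """Return the config path worth showing to the user, or None.

    The --config flag is only shown when the config variable is set AND the
    file exists in the project checkout; a config that exists only because the
    pipeline generated it would make the printed command fail locally.
    """
    if not config_var:
        return None
    return config_var if exists(os.path.join(project_dir, config_var)) else None


def build_commands(scan_path: str, config_var: Optional[str], project_dir: str,
                   exists: Callable[[str], bool] = os.path.isfile) -> Tuple[List[str], str]:
    """Return (argv for subprocess.run, command string to log for the user).

    The subprocess argv always carries --config, since the pipeline guarantees
    its own file is present; the logged command only includes the flag when the
    project itself ships the file.
    """
    base = ["trufflehog3", scan_path]
    subprocess_argv = base + ["--config", PIPELINE_CONFIG]
    local = project_config(config_var, project_dir, exists)
    display_argv = base + (["--config", local] if local else [])
    return subprocess_argv, shlex.join(display_argv)


def failure_message(scan_path: str, config_var: Optional[str], project_dir: str,
                    exists: Callable[[str], bool] = os.path.isfile) -> str:
    """Text logged when secrets are found: a command that works as printed."""
    _, shown = build_commands(scan_path, config_var, project_dir, exists)
    return f"Secrets found. To reproduce this scan locally, run: {shown}"
```

The exists predicate defaults to os.path.isfile; it is injectable so the display logic can be tested without touching the filesystem.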