From 25bb9ae5dd0814cf0c9de78a87fe1817827f17df Mon Sep 17 00:00:00 2001
From: Douglas Lagemann <douglagemann@seed-innovations.com>
Date: Fri, 18 Oct 2024 17:35:22 +0000
Subject: [PATCH] BULL-3226: Add trufflehog job

---
 docker/pipeline-jobs/docker-compose-test.yml  | 15 ++++++++
 .../docker-compose-trufflehog.yml             | 15 ++++++++
 formulas/express.yml                          | 13 +++++++
 root/.env                                     |  2 ++
 scripts/trufflehog/docker-compose.yml         | 34 -------------------
 scripts/trufflehog/entrypoint.sh              | 15 ++++----
 6 files changed, 51 insertions(+), 43 deletions(-)
 create mode 100644 docker/pipeline-jobs/docker-compose-test.yml
 create mode 100644 docker/pipeline-jobs/docker-compose-trufflehog.yml
 create mode 100644 formulas/express.yml
 delete mode 100644 scripts/trufflehog/docker-compose.yml

diff --git a/docker/pipeline-jobs/docker-compose-test.yml b/docker/pipeline-jobs/docker-compose-test.yml
new file mode 100644
index 0000000..8d182cf
--- /dev/null
+++ b/docker/pipeline-jobs/docker-compose-test.yml
@@ -0,0 +1,15 @@
+services:
+
+  <<pipelineJobName>>:
+    image: registry1.dso.mil/ironbank/opensource/trufflehog/trufflehog3:3.0.10
+    container_name: <<pipelineJobName>>
+    entrypoint: ["${BASE_SCRIPTS_DIR}/trufflehog/entrypoint.sh"]
+    working_dir: /root
+    environment:
+      - REPORTS_DIR=${BASE_REPORTS_DIR}/<<pipelineJobName>>
+      - SCRIPTS_DIR=${BASE_SCRIPTS_DIR}/trufflehog
+      - SCAN_DIR=/app
+      - TRUFFLEHOG_EXCLUDE_PATHS=<<exclusions>>
+    volumes:
+      - ./:/root
+      - ./<<projectName>>-<<subProjectName>>:/app
\ No newline at end of file
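Review bot: docker-compose-test.yml is byte-for-byte identical to docker-compose-trufflehog.yml added further down in this commit (lines 47–61) — same trufflehog3 image, same entrypoint, same SCAN_DIR — so the "test" job performs a second secret scan rather than anything distinct, and the two copies will drift silently on the next change. If this file exists only to exercise the pipelineJobs plumbing for the fakeTestJob formula entry, a header comment should say so, e.g. `# Placeholder job used to exercise pipeline substitutions; mirrors docker-compose-trufflehog.yml`, or the formula could point both entries at the one compose file. This file also lacks a trailing newline, unlike its twin.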
diff --git a/docker/pipeline-jobs/docker-compose-trufflehog.yml b/docker/pipeline-jobs/docker-compose-trufflehog.yml
new file mode 100644
index 0000000..b483471
--- /dev/null
+++ b/docker/pipeline-jobs/docker-compose-trufflehog.yml
@@ -0,0 +1,15 @@
+services:
+
+  <<pipelineJobName>>:
+    image: registry1.dso.mil/ironbank/opensource/trufflehog/trufflehog3:3.0.10
+    container_name: <<pipelineJobName>>
+    entrypoint: ["${BASE_SCRIPTS_DIR}/trufflehog/entrypoint.sh"]
+    working_dir: /root
+    environment:
+      - REPORTS_DIR=${BASE_REPORTS_DIR}/<<pipelineJobName>>
+      - SCRIPTS_DIR=${BASE_SCRIPTS_DIR}/trufflehog
+      - SCAN_DIR=/app
+      - TRUFFLEHOG_EXCLUDE_PATHS=<<exclusions>>
+    volumes:
+      - ./:/root
+      - ./<<projectName>>-<<subProjectName>>:/app
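Review bot: The scan target at line 61 is mounted read-write even though the scanner only reads it, and the pipeline root is likewise mounted writable at `/root`; the scanned checkout should be `./<<projectName>>-<<subProjectName>>:/app:ro` so a scanner run cannot alter the code it is reporting on, and the same applies to docker-compose-test.yml above. The image at line 50 is pinned by tag only; since this job gates the pipeline, pinning `image:` by digest (`@sha256:<digest-from-registry>`) would make the scanner version reproducible and prevent a retagged image from changing results. Note that `${BASE_SCRIPTS_DIR}` resolves to the relative `scripts` from root/.env, so the entrypoint path only works because `working_dir` is `/root` and `./` is mounted there — worth a comment on the `entrypoint:` line.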
diff --git a/formulas/express.yml b/formulas/express.yml
new file mode 100644
index 0000000..1d136fb
--- /dev/null
+++ b/formulas/express.yml
@@ -0,0 +1,13 @@
+pipelineJobs:
+  - name: trufflehog
+    composeFile: docker/pipeline-jobs/docker-compose-trufflehog.yml
+    substitutions:
+      pipelineJobName: trufflehog-api
+      subProjectName: api
+      exclusions: package-lock.json
+  - name: fakeTestJob
+    composeFile: docker/pipeline-jobs/docker-compose-test.yml
+    substitutions:
+      pipelineJobName: trufflehog-test
+      subProjectName: test
+      exclusions: testfile.yml
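Review bot: The contract for `exclusions` is undocumented here, and it matters: the value becomes `TRUFFLEHOG_EXCLUDE_PATHS` and is expanded unquoted as `--exclude ${TRUFFLEHOG_EXCLUDE_PATHS}` in entrypoint.sh (lines 149–150) with globstar enabled, so a space-separated value is split into several patterns while an empty value leaves `--exclude` with no argument. A comment above `substitutions:` such as `# exclusions: space-separated glob patterns (globstar on), passed to trufflehog3 --exclude; must be non-empty` would make the format explicit for whoever adds the next job. The `fakeTestJob` entry reads as scaffolding (it scans a `-test` checkout with the same scanner image); if it is not meant to ship, say so in a comment or drop it.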
diff --git a/root/.env b/root/.env
index c39988a..aac1565 100644
--- a/root/.env
+++ b/root/.env
@@ -1 +1,3 @@
 DEBUGGER_ARGS=--continue
+BASE_REPORTS_DIR=reports
+BASE_SCRIPTS_DIR=scripts
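Review bot: Both new values are relative paths, which only resolve correctly because the compose files set `working_dir: /root` and mount `./` there (lines 31 and 38); the deleted compose file used absolute `/root/...` paths for the same purpose. A comment recording that coupling would prevent someone "fixing" these to absolute paths or changing the mount point independently, e.g. `# Relative to the pipeline root, which the docker-compose-*.yml jobs mount at /root (container working_dir)`. Whether compose picks this file up depends on how it is invoked (project-directory `.env` vs `--env-file`), which I cannot tell from the diff.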
diff --git a/scripts/trufflehog/docker-compose.yml b/scripts/trufflehog/docker-compose.yml
deleted file mode 100644
index 572193b..0000000
--- a/scripts/trufflehog/docker-compose.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-version: "0.1"
-services:
-
-  trufflehog-api:
-    image: registry1.dso.mil/ironbank/opensource/trufflehog/trufflehog3:3.0.10
-    container_name: trufflehog3-api
-    entrypoint: ["/root/scripts/trufflehog/entrypoint.sh"]
-    working_dir: /root
-    # env_file:
-      # - .env # TODO: Setting env vars in here allows use of env vars inside this file itself, i.e. the entrypoint directory. Probably good to define a BASE_SCRIPTS_DIR for all jobs.
-    environment:
-      - REPORT_DIR=/root/reports/trufflehog-api
-      - SCRIPTS_DIR=/root/scripts/trufflehog
-      - SCAN_DIR=/app
-      # - TRUFFLEHOG_EXCLUDE_PATHS= # TODO: Refine
-    volumes:
-      - ./:/root
-      - ./<<projectName>>-api:/app
-
-  trufflehog-ui:
-    image: registry1.dso.mil/ironbank/opensource/trufflehog/trufflehog3:3.0.10
-    container_name: trufflehog3-ui
-    entrypoint: ["/root/scripts/trufflehog/entrypoint.sh"]
-    working_dir: /root
-      # env_file:
-    # - .env # TODO: Setting env vars in here allows use of env vars inside this file itself, i.e. the entrypoint directory. Probably good to define a BASE_SCRIPTS_DIR for all jobs.
-    environment:
-      - REPORT_DIR=/root/reports/trufflehog-ui
-      - SCRIPTS_DIR=/root/scripts/trufflehog
-      - SCAN_DIR=/app
-      # - TRUFFLEHOG_EXCLUDE_PATHS= # TODO: Refine
-    volumes:
-      - ./:/root
-      - ./<<projectName>>-ui:/app
diff --git a/scripts/trufflehog/entrypoint.sh b/scripts/trufflehog/entrypoint.sh
index 847f719..a6cfd0a 100755
--- a/scripts/trufflehog/entrypoint.sh
+++ b/scripts/trufflehog/entrypoint.sh
@@ -1,19 +1,16 @@
 #!/bin/bash
 
-ls -al # TODO: Delete
-mkdir -p ${REPORT_DIR}
-REPORT_FILE=${REPORT_DIR}/trufflehog_report.json 
+mkdir -p ${REPORTS_DIR}
+REPORT_FILE=${REPORTS_DIR}/trufflehog_report.json 
 # enable shell globbing for recursive exclude matching. allows use of '**/*' format
 shopt -s globstar
-configfiletoremove=".trufflehog3.yml"
-if [ -f "$configfiletoremove" ]; then rm -f "$configfiletoremove" && echo "I deleted trufflehog3.yml"; fi
 # set -x so we can see the real command being run
 set -x
-trufflehog3 -vvv --ignore-nosecret --exclude ${TRUFFLEHOG_EXCLUDE_PATHS} \
-  --format json --zero --no-history \
+trufflehog3 -vvv --ignore-nosecret --format json --zero --no-history \
+  --exclude ${TRUFFLEHOG_EXCLUDE_PATHS} \
   -r ${SCRIPTS_DIR}/rules.yml \
-  -o ${REPORT_FILE} ${SCAN_DIR} 2>&1 | tee ${REPORT_DIR}/trufflehog_log.txt # TODO: Writing to trufflehog_log.txt not currently working
+  -o ${REPORT_FILE} \
+  ${SCAN_DIR}
 set +x
 shopt -u globstar
-trufflehog3 --version > ${REPORT_DIR}/trufflehog_version.txt
 python ${SCRIPTS_DIR}/trufflehog-gate-check.py "${REPORT_FILE}"
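Review bot: With no `set -e` / `pipefail`, a failure anywhere before line 158 (missing `rules.yml`, `mkdir` failure, a scanner crash) still falls through to the gate check with no report written, so the pipeline's pass/fail then depends on how trufflehog-gate-check.py treats a missing file; adding `set -eo pipefail` after the shebang makes the job fail closed. The reordered `--exclude ${TRUFFLEHOG_EXCLUDE_PATHS}` at lines 149–150 also breaks when the substitution is empty, because `--exclude` then swallows `-r` as its argument, and the other expansions (`${REPORTS_DIR}`, `${SCRIPTS_DIR}`, `${SCAN_DIR}`) are unquoted without needing to be. Building the exclude arguments in an array keeps the deliberate globstar word-splitting for the patterns while quoting everything else; the rewrite below covers lines 139–154. The commit also drops the `trufflehog_version.txt` artifact — if any downstream consumer reads it, that should be called out in the message.
```shell
#!/bin/bash
set -eo pipefail

mkdir -p "${REPORTS_DIR}"
REPORT_FILE="${REPORTS_DIR}/trufflehog_report.json"
# enable shell globbing for recursive exclude matching. allows use of '**/*' format
shopt -s globstar
# only pass --exclude when there is something to exclude; word-splitting is intentional
exclude_args=()
if [ -n "${TRUFFLEHOG_EXCLUDE_PATHS}" ]; then
  exclude_args=(--exclude ${TRUFFLEHOG_EXCLUDE_PATHS})
fi
# set -x so we can see the real command being run
set -x
trufflehog3 -vvv --ignore-nosecret --format json --zero --no-history \
  "${exclude_args[@]}" \
  -r "${SCRIPTS_DIR}/rules.yml" \
  -o "${REPORT_FILE}" \
  "${SCAN_DIR}"
set +x
# … unchanged: shopt -u globstar, gate-check invocation …
```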
-- 
GitLab