Add in trufflehog3

.github/workflows/static-analysis.yml

@@ -63,4 +63,30 @@ jobs:
             -Dsonar.python.coverage.reportPaths=coverage/coverage.xml
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  trufflehog-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout the repository
+      uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+
+    - name: Install dependencies
+      run: |
+        python -m venv venv
+        source venv/bin/activate
+        python -m pip install --upgrade pip
+        python -m pip install -r requirements/generated/requirements-development.txt
+    - name: Run TruffleHog Scan
+      run: |
+        source venv/bin/activate
+        venv/bin/trufflehog3 filesystem .
+    - name: Check for Secrets
+      if: failure()
+      run: exit 1

.pre-commit-config.yaml

@@ -26,3 +26,10 @@ repos:
       - id: ruff
         args: [ --fix ]
       - id: ruff-format
+  - repo: local
+    hooks:
+      - id: trufflehog3
+        name: truffleHog3
+        entry: bash -c 'trufflehog3 filesystem .'
+        language: system
+        stages: ["commit", "push"]

.trufflehog3.yml

@@ -0,0 +1,72 @@
+exclude: # exclude matching issues
+  - message: Build directories
+    paths:
+      - build/**
+      - dist/**
+      - README.md
+      - .github/**
+  - message: Examples and data necessary for running auto-tests
+    paths:
+      - docs/*.html
+      - docs/examples/*
+  - message: DB login config
+    # Without this the db.password will incorrectly flag
+    pattern: Config.DB_PASSWORD
+    paths:
+      - app/db/__init__.py
+  - message: Trufflehog rules file contains regexes which might trigger the scanner
+    paths:
+      - trufflehog3/static/rules.yml
+  - message: Integrity hash for highlight.min.js
+    # NOTE pattern is re.Pattern, thus escaping of special characters might be required
+    pattern: sha256-Uv3H6lx7dJmRfRvH8TH6kJD1TSK1aFcwgx\+mdg3epi8=
+    paths:
+      - docs/templates/*.mako
+  - message: Integrity hash for materialize.min.css
+    # NOTE pattern is re.Pattern, thus escaping of special characters might be required
+    pattern: sha256-kpeCd0c1zTgJMsU\+s8Pz4CwckI73qwpdYMTxTsRyO8A=
+    paths:
+      - docs/templates/*.mako
+      - trufflehog3/static/report.html.j2
+  - message: Integrity hash for materialize.min.js
+    pattern: sha256-U/cHDMTIHCeMcvehBv1xQ052bPSbJtbuiw4QA9cTKz0=
+    paths:
+      - docs/templates/*.mako
+      - trufflehog3/static/report.html.j2
+  - message: Alphabet used in autotests
+    pattern: abcdefghijklmnopqrstuvwxyz
+    paths:
+      - trufflehog3/helper.py
+      - trufflehog3/models.py
+      - trufflehog3/search.py
+  - message: Commit hash used in autotests
+    pattern: 9e404e6c59d286645b2465aacaf61108ebc12a3a
+    paths:
+      - trufflehog3/source.py
+# NOTE you can also specify IDs or patterns together or without paths, e.g.
+#
+#   - message: Skip ID everywhere
+#     id: high-entropy
+#   - message: Skip ID on specific paths
+#     id: high-entropy
+#     paths:
+#       - tests/data/*
+#
+#   - message: Skip pattern everywhere, case-insensitive
+#     pattern: (?i)not-a-secret
+#   - message: Skip pattern on specific paths, case-insensitive
+#     pattern: (?i)not-a-secret
+#     paths:
+#       - tests/data/*
+
+severity: low # minimum severity filter
+ignore_nosecret: false # ignore inline 'nosecret' annotations
+no_entropy: false # disable entropy checks
+no_pattern: false # disable pattern checks
+
+depth: 10000 # max commits depth for searching, only used if `no_history` is false
+since: null # scan from the given commit hash, only used if `no_history` is false
+no_current: false # disable current status check
+no_history: true # disable commit history check
+
+context: 0 # number of context lines to include

requirements/generated/requirements-development.txt

@@ -21,6 +21,8 @@ argon2-cffi==23.1.0
     # via -r requirements/source/requirements-base.in
 argon2-cffi-bindings==21.2.0
     # via argon2-cffi
+attrs==20.3.0
+    # via trufflehog3
 certifi==2024.7.4
     # via
     #   httpcore
@@ -50,6 +52,10 @@ filelock==3.15.4
     # via virtualenv
 freezegun==1.5.1
     # via -r requirements/source/requirements-testing.in
+gitdb==4.0.11
+    # via gitpython
+gitpython==3.1.41
+    # via trufflehog3
 greenlet==3.0.3
     # via sqlalchemy
 h11==0.14.0
@@ -72,7 +78,9 @@ idna==3.7
 iniconfig==2.0.0
     # via pytest
 jinja2==3.1.4
-    # via fastapi
+    # via
+    #   fastapi
+    #   trufflehog3
 mako==1.3.5
     # via alembic
 markdown-it-py==3.0.0
@@ -120,6 +128,7 @@ python-multipart==0.0.12
 pyyaml==6.0.1
     # via
     #   pre-commit
+    #   trufflehog3
     #   uvicorn
 rich==13.9.2
     # via typer
@@ -131,6 +140,8 @@ shellingham==1.5.4
     # via typer
 six==1.16.0
     # via python-dateutil
+smmap==5.0.1
+    # via gitdb
 sniffio==1.3.1
     # via
     #   anyio
@@ -147,6 +158,8 @@ starlette==0.40.0
     # via
     #   -r requirements/source/requirements-base.in
     #   fastapi
+trufflehog3==3.0.10
+    # via -r requirements/source/requirements-linting.in
 typer==0.12.5
     # via fastapi-cli
 typing-extensions==4.12.2

requirements/generated/requirements-linting.txt

@@ -42,6 +42,10 @@ fastapi[standard]==0.115.2
     #   sentry-sdk
 fastapi-cli[standard]==0.0.5
     # via fastapi
+gitdb==4.0.11
+    # via gitpython
+gitpython==3.1.0
+    # via trufflehog3
 greenlet==3.0.3
     # via sqlalchemy
 h11==0.14.0
@@ -101,6 +105,8 @@ sentry-sdk[fastapi]==2.11.0
     # via -r requirements/source/requirements-base.in
 shellingham==1.5.4
     # via typer
+smmap==5.0.1
+    # via gitdb
 sniffio==1.3.1
     # via
     #   anyio
@@ -117,6 +123,8 @@ starlette==0.40.0
     # via
     #   -r requirements/source/requirements-base.in
     #   fastapi
+trufflehog3==1.1.3
+    # via -r requirements/source/requirements-linting.in
 typer==0.12.5
     # via fastapi-cli
 typing-extensions==4.12.2

requirements/source/requirements-linting.in

@@ -1,2 +1,3 @@
 -r requirements-base.in
 ruff==0.6.2
+trufflehog3