🍄 Replace gitleaks with trufflehog and runs it in global pre-push hoo…

…k 🐽 (#1013) * Replace gitleaks with trufflehog * Enable the trufflehog in pre-push hook. Intentionally avoided linting and pre-commit phase. * Add a shell alias as `hog`
kachick · Dec 31, 2024 · 6e6045d · 6e6045d
1 parent 05491e3
commit 6e6045d
Show file tree

Hide file tree

Showing 10 changed files with 42 additions and 52 deletions.
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
diff --git a/.github/workflows/scan-secrets.yml b/.github/workflows/scan-secrets.yml
@@ -0,0 +1,22 @@
+name: 🙈 # TODO: Extract into external repository might be reasonable for these public repositories
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  trufflehog: # 🍄 🐽
+    timeout-minutes: 15
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Getting all refs for git mode
+      - name: Secret Scanning
+        # Okay for using the latest since specified the CLI version below. Consider to pin with a tag if the project looks unstable
+        uses: trufflesecurity/trufflehog@e98dfa50f8f39c8197c55d4be05bc10c51f4e500 # main
+        with:
+          extra_args: --results=verified,unknown
+          version: '3.88.0' # selfup {"extract":"\\d[^']+","replacer":["bash", "-c", "trufflehog --version 2>&1"],"nth":2}
diff --git a/.gitleaks.toml b/.gitleaks.toml
diff --git a/cmd/deps/main.go b/cmd/deps/main.go
@@ -15,7 +15,7 @@ func main() {
 		{Path: "shellcheck", Args: []string{"--version"}},
 		{Path: "shfmt", Args: []string{"--version"}},
 		{Path: "typos", Args: []string{"--version"}},
-		{Path: "gitleaks", Args: []string{"version"}},
+		{Path: "trufflehog", Args: []string{"--version"}},
 		{Path: "stylua", Args: []string{"--version"}},
 		{Path: "nixpkgs-lint", Args: []string{"--version"}},
 		{Path: "goreleaser", Args: []string{"--version"}},

diff --git a/cmd/lint/main.go b/cmd/lint/main.go
@@ -20,11 +20,10 @@ func main() {
 	bashPaths := walker.GetAllBash()
 	markdownPaths := walker.GetAllMarkdown()
 
+	// Don't add secrets scanner here. It should be done in pre-push hook now.
 	cmds := runner.Commands{
 		{Path: "shellcheck", Args: bashPaths},
 		{Path: "typos", Args: constants.GetTyposTargetedRoots()},
-		// No git makes 4x+ faster
-		{Path: "gitleaks", Args: []string{"dir", "."}},
 		{Path: "go", Args: []string{"vet", "./..."}},
 		{Path: "nixpkgs-lint", Args: []string{"."}},
 		{Path: "markdownlint-cli2", Args: markdownPaths},

diff --git a/flake.nix b/flake.nix
@@ -103,7 +103,6 @@
               (with pkgs; [
                 # https://github.com/NixOS/nix/issues/730#issuecomment-162323824
                 bashInteractive
-                gitleaks
                 cargo-make
               ])
               ++ (pkgs.lib.optionals pkgs.stdenv.isLinux (
@@ -133,6 +132,7 @@
                   (ruby_3_4.withPackages (ps: with ps; [ rubocop ]))
                 ])
                 ++ (with pkgs.unstable; [
+                  trufflehog
                   # https://github.com/NixOS/nixpkgs/pull/362139
                   dprint
                 ])

diff --git a/home-manager/common.nix b/home-manager/common.nix
@@ -85,6 +85,9 @@
 
       # https://github.com/NixOS/nixpkgs/pull/344193
       "zed" = "zeditor";
+
+      # I can't remember the spells...
+      "hog" = "trufflehog";
     };
   };
 

diff --git a/home-manager/packages.nix b/home-manager/packages.nix
@@ -81,7 +81,7 @@
   riffdiff # `riff`
   gnumake
   go-task # Installing for enabling shell completion easy
-  gitleaks
+  unstable.trufflehog
   ruby_3_4
   _7zz # `7zz` - 7zip. Command is not 7zip.
 

diff --git a/pkgs/git-hooks-pre-push/package.nix b/pkgs/git-hooks-pre-push/package.nix
@@ -2,10 +2,11 @@
 pkgs.writeShellApplication rec {
   name = "pre-push";
   text = builtins.readFile ./${name}.bash;
-  meta.description = "#540";
+  meta.description = "GH-540 and GH-699";
   runtimeInputs = with pkgs; [
     typos
     coreutils # `basename`
+    unstable.trufflehog
     my.run_local_hook
   ];
   runtimeEnv = {

diff --git a/pkgs/git-hooks-pre-push/pre-push.bash b/pkgs/git-hooks-pre-push/pre-push.bash
@@ -1,5 +1,15 @@
+# Avoiding -o error: https://stackoverflow.com/a/7832158
+# This is an escape hatch for large repository
+DO_HOOK=${RUN_GITHOOK_HOG:-true}
+
 # list of arguments: https://git-scm.com/docs/githooks#_pre_push
-while read -r _local_ref _local_oid remote_ref _remote_oid; do
+while read -r local_ref _local_oid remote_ref _remote_oid; do
+	# - trufflehog pre-commit hook having crucial limitations. https://github.com/trufflesecurity/trufflehog/blob/v3.88.0/README.md?plain=1#L628-L629
+	# - Adding `--since-commit main` made 10x slower... :<
+	if [[ "$DO_HOOK" != "false" ]]; then
+		trufflehog git "file://${PWD}" --results='verified,unknown' --branch "$local_ref" --fail
+	fi
+
 	# Git ref is not a file path, but avoiding a typos bug for slash
 	# https://github.com/crate-ci/typos/issues/758
 	basename "$remote_ref" | typos --config "$TYPOS_CONFIG_PATH" -