diff --git a/docs/scanners/truffle_hog.md b/docs/scanners/truffle_hog.md
index c5495996..e8f3b7a0 100644
--- a/docs/scanners/truffle_hog.md
+++ b/docs/scanners/truffle_hog.md
@@ -9,6 +9,9 @@ The following config options are available.
 ```yaml
 scanner_configs:
 Trufflehog:
+ exclude_files: # List of file paths to ignore
+ - env.json
+ - secrets.txt
 only-verified: false # Only output verified results.
 # true by default
 exceptions: # whitelist finding
diff --git a/lib/salus/scanners/trufflehog.rb b/lib/salus/scanners/trufflehog.rb
index 33d7e75f..817bf45a 100644
--- a/lib/salus/scanners/trufflehog.rb
+++ b/lib/salus/scanners/trufflehog.rb
@@ -7,6 +7,8 @@ module Salus::Scanners
 class Trufflehog < Base
+ FILTER_FILE = 'filter.txt'.freeze
+
 def should_run?
 true
 end
@@ -32,6 +34,20 @@ def command
 if @config['only-verified'].to_s == 'true' || @config['only-verified'].to_s == ''
 cmd += ' --only-verified'
 end
+
+ # fetch exclusions
+ if @config.fetch('exclude_files', false)
+ exclusion_content = ""
+ exclusions = @config.fetch('exclude_files', [])
+ exclusions.each do |exclude|
+ exclusion_content += exclude + "\n"
+ end
+ File.open("#{@repository.path_to_repo}/#{FILTER_FILE}", "w") do |f|
+ f.write(exclusion_content)
+ end
+ cmd += ' -x ' + "#{@repository.path_to_repo}/#{FILTER_FILE}"
+ end
+
 cmd
 end
diff --git a/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml b/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml
index 2a60ddca..04366100 100644
--- a/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml
+++ b/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml
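Review bot: The exclusion list is written to `"#{@repository.path_to_repo}/#{FILTER_FILE}"`, i.e. into the repository being scanned, and nothing in this hunk removes it, so the scan mutates the target tree, overwrites any `filter.txt` the project already has, and leaves an artifact that later scanners in the same run (or a later Trufflehog run) will see. Unless the file must live under the repo for a reason outside this hunk (e.g. a container mount), writing it to a `Tempfile` and calling `close!` once the command has run (`cmd` is executed outside this hunk) avoids all three problems; that needs `require 'tempfile'` and `require 'shellwords'` at the top of the file. The path is also concatenated into `cmd` unquoted — if `cmd` is handed to a shell, a `path_to_repo` containing spaces or metacharacters breaks the argument, so `Shellwords.escape` (or an argv array) is safer. Smaller points: `@config.fetch('exclude_files', false)` followed by `@config.fetch('exclude_files', [])` is redundant, an empty list `[]` is truthy and still produces an empty filter file, and `exclude + "\n"` raises `TypeError` for a non-String YAML entry; `Array(@config['exclude_files']).map(&:to_s).join("\n")` covers all three. The enclosing `command` method starts before this hunk.
```ruby
      # … unchanged: --only-verified handling …

      # fetch exclusions
      exclusions = Array(@config['exclude_files']).map(&:to_s)
      unless exclusions.empty?
        # Keep the filter outside the scanned tree so the scan neither
        # modifies the repository nor clobbers an existing filter.txt;
        # the caller that runs cmd should close!/unlink @exclusion_file.
        @exclusion_file = Tempfile.new(FILTER_FILE)
        @exclusion_file.write(exclusions.join("\n") + "\n")
        @exclusion_file.flush
        cmd += " -x #{Shellwords.escape(@exclusion_file.path)}"
      end

      cmd
```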
@@ -20,4 +20,9 @@ scanner_configs:
 advisory_id: "1091018",
 changed_by: "joshua.ostrom",
 notes: "See https://www.npmjs.com/advisories/48. We're not vulnerable to this because this is a regex dos and we have nothing that puts user input into it. The impact is also minimal.",
+ }
+ - {
+ advisory_id: "1091497",
+ changed_by: "maitray.shah",
+ notes: "See https://www.npmjs.com/advisories/48. We're not vulnerable to this because this is a regex dos and we have nothing that puts user input into it. The impact is also minimal.",
 }
\ No newline at end of file
diff --git a/spec/fixtures/sarifs/diff/git_diff_yarn.txt b/spec/fixtures/sarifs/diff/git_diff_yarn.txt
deleted file mode 100644
index 10815378..00000000
--- a/spec/fixtures/sarifs/diff/git_diff_yarn.txt
+++ /dev/null
@@ -1,36 +0,0 @@ -diff --git a/yarn.lock b/yarn.lock -index 06e7d3ba9ef..e3f8fbb5889 100644 ---- a/yarn.lock -+++ b/yarn.lock -@@ -10599,10 +10599,10 @@ base64-arraybuffer@^0.2.0: - resolved "https://registry-npm.com/base64-arraybuffer/-/base64-arraybuffer-0.2.0.tgz#4b944fac0191aa5907afe2d8c999ccc57ce80f45" - integrity sha512-7emyCsu1/xiBXgQZrscw/8KPRT44I4Yq9Pe6EGs3aPRTsWuggML1/1DTuZUuIaJPIm1FTDUVXl4x/yW8s0kQDQ== - --jspdf@2.5.1: -- version "2.5.1" -- resolved "https://registry.yarnpkg.com/jspdf/-/jspdf-2.5.1.tgz#00c85250abf5447a05f3b32ab9935ab4a56592cc" -- integrity sha512-hXObxz7ZqoyhxET78+XR34Xu2qFGrJJ2I2bE5w4SM8eFaFEkW2xcGRVUss360fYelwRSid/jT078kbNvmoW0QA== -+jspdf@2.3.1: -+ version "2.3.1" -+ resolved "https://registry-npm.com/jspdf/-/jspdf-2.3.1.tgz#313d117234b546469694a1fd81a1e02411647576" -+ integrity sha512-1vp0USP1mQi1h7NKpwxjFgQkJ5ncZvtH858aLpycUc/M+r/RpWJT8PixAU7Cw/3fPd4fpC8eB/Bj42LnsR21YQ== - dependencies: -- "@babel/runtime" "^7.14.0" - atob "^2.1.2" - btoa "^1.2.1" - fflate "^0.4.8" -@@ -31897,12 +31889,12 @@ text-encoding@0.7.0: - resolved "https://registry-npm.com/text-encoding/-/text-encoding-0.7.0.tgz#f895e836e45990624086601798ea98e8f36ee643" - integrity sha512-oJQ3f1hrOnbRLOcwKz0Liq2IcrvDeZRHXhd9RgLrsT+DjWY/nty1Hi7v3dtkaEYbPYe0mUoOfzRrMwfXXwgPUA== - --text-segmentation@^1.0.2, text-segmentation@^1.0.3: -- version "1.0.3" -- resolved "https://registry.yarnpkg.com/text-segmentation/-/text-segmentation-1.0.3.tgz#52a388159efffe746b24a63ba311b6ac9f2d7943" -- integrity sha512-iOiPUo/BGnZ6+54OsWxZidGCsdU8YbE4PSpdPinp7DeMtUJNJBoJ/ouUSTJjHkh1KntHaltHl/gDs2FC4i5+Nw== -+text-segmentation@^1.0.2: -+ version "1.0.2" -+ resolved "https://registry-npm.com/text-segmentation/-/text-segmentation-1.0.2.tgz#1f828fa14aa101c114ded1bda35ba7dcc17c9858" -+ integrity sha512-uTqvLxdBrVnx/CFQOtnf8tfzSXFm+1Qxau7Xi54j4OPTZokuDOX8qncQzrg2G8ZicAMOM8TgzFAYTb+AqNO4Cw== - dependencies: -- utrie "^1.0.2" -+ utrie "^1.0.1" 
diff --git a/spec/fixtures/secrets/salus.yaml b/spec/fixtures/secrets/salus.yaml
new file mode 100644
index 00000000..11131e9a
--- /dev/null
+++ b/spec/fixtures/secrets/salus.yaml
@@ -0,0 +1,7 @@
+scanner_configs:
+ Trufflehog:
+ exclude_files: # List of file paths to ignore
+ - url.txt
+ - logins.txt
+ only-verified: false # Only output verified results.
+ # true by default
\ No newline at end of file
diff --git a/spec/lib/salus/scanners/trufflehog_spec.rb b/spec/lib/salus/scanners/trufflehog_spec.rb
index 364beea3..321d1d5b 100644
--- a/spec/lib/salus/scanners/trufflehog_spec.rb
+++ b/spec/lib/salus/scanners/trufflehog_spec.rb
@@ -126,6 +126,31 @@
 expect(report_h[:info]).to eq({})
 expect(report_h[:errors]).to eq([])
 end
+
+ it 'should honor exclude in the config to ignore findings and pass' do
+ repo = Salus::Repo.new('spec/fixtures/secrets')
+ config_data = YAML.load_file('spec/fixtures/secrets/salus.yaml')
+
+ scanner = Salus::Scanners::Trufflehog.new(repository: repo, config: config_data)
+ scanner.run
+
+ report_h = scanner.report.to_h
+ expect(report_h[:passed]).to eq(true)
+ expect(report_h[:logs]).to be_nil
+ expect(report_h[:warn]).to eq({})
+ expect(report_h[:info]).to eq({})
+ expect(report_h[:errors]).to eq([])
+ end
+
+ it 'should honor exclude in the config to ignore findings and fail' do
+ repo = Salus::Repo.new('spec/fixtures/secrets')
+ config = { "exclude_files" => ["url.txt"] }
+ scanner = Salus::Scanners::Trufflehog.new(repository: repo, config: config)
+ scanner.run
+
+ report_h = scanner.report.to_h
+ expect(report_h[:passed]).to eq(false)
+ end
 end
 describe '#version_valid?' do
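Review bot: Both new examples run the scanner against `spec/fixtures/secrets`, and the scanner code they exercise writes its `filter.txt` into `@repository.path_to_repo`, so each run leaves `spec/fixtures/secrets/filter.txt` behind and dirties the fixture tree and the working copy; an `after { FileUtils.rm_f('spec/fixtures/secrets/filter.txt') }` in this describe block would contain that until the scanner stops writing into the repo. The second example's config omits `only-verified`, which the scanner treats the same as `true` and so adds `--only-verified`; with only verified results reported, `passed == false` can hold only if `logins.txt` holds a credential trufflehog can actually verify (presumably by contacting the issuing service), which makes the test depend on network access and on a real-looking secret in the fixture. Passing `config = { "exclude_files" => ["url.txt"], "only-verified" => false }` makes the assertion independent of verification. The fixture files `url.txt` and `logins.txt` named in the exclusion list are not in this chunk, so their content is assumed here.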