coinbase · maitrayshah-cb · Mar 28, 2023 · Mar 28, 2023 · Mar 29, 2023 · Mar 29, 2023
diff --git a/docs/scanners/truffle_hog.md b/docs/scanners/truffle_hog.md
@@ -9,6 +9,9 @@ The following config options are available.
 ```yaml
 scanner_configs:
   Trufflehog:
+    exclude_files: # List of file paths to ignore
+      - env.json 
+      - secrets.txt
     only-verified: false  # Only output verified results.
                           # true by default
     exceptions:  # whitelist finding

diff --git a/lib/salus/scanners/trufflehog.rb b/lib/salus/scanners/trufflehog.rb
@@ -7,6 +7,8 @@
 
 module Salus::Scanners
   class Trufflehog < Base
+    FILTER_FILE = 'filter.txt'.freeze
+
     def should_run?
       true
     end
@@ -32,6 +34,20 @@ def command
       if @config['only-verified'].to_s == 'true' || @config['only-verified'].to_s == ''
         cmd += ' --only-verified'
       end
+
+      # fetch exclusions
+      if @config.fetch('exclude_files', false)
+        exclusion_content = ""
+        exclusions = @config.fetch('exclude_files', [])
+        exclusions.each do |exclude|
+          exclusion_content += exclude + "\n"
+        end
+        File.open("#{@repository.path_to_repo}/#{FILTER_FILE}", "w") do |f|
+          f.write(exclusion_content)
+        end
+        cmd += ' -x ' + "#{@repository.path_to_repo}/#{FILTER_FILE}"
+      end
+
       cmd
     end
 

diff --git a/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml b/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml
@@ -20,4 +20,9 @@ scanner_configs:
                 advisory_id: "1091018",
                 changed_by: "joshua.ostrom",
                 notes: "See https://www.npmjs.com/advisories/48. We're not vulnerable to this because this is a regex dos and we have nothing that puts user input into it. The impact is also minimal.",
+              }
+            - {
+                advisory_id: "1091497",
+                changed_by: "maitray.shah",
+                notes: "See https://www.npmjs.com/advisories/48. We're not vulnerable to this because this is a regex dos and we have nothing that puts user input into it. The impact is also minimal.",
               }
diff --git a/spec/fixtures/sarifs/diff/git_diff_yarn.txt b/spec/fixtures/sarifs/diff/git_diff_yarn.txt
diff --git a/spec/fixtures/secrets/salus.yaml b/spec/fixtures/secrets/salus.yaml
@@ -0,0 +1,7 @@
+scanner_configs:
+  Trufflehog:
+    exclude_files: # List of file paths to ignore
+      - url.txt
+      - logins.txt
+    only-verified: false  # Only output verified results.
+                          # true by default
diff --git a/spec/lib/salus/scanners/trufflehog_spec.rb b/spec/lib/salus/scanners/trufflehog_spec.rb
@@ -126,6 +126,31 @@
       expect(report_h[:info]).to eq({})
       expect(report_h[:errors]).to eq([])
     end
+
+    it 'should honor exclude in the config to ignore findings and pass' do
+      repo = Salus::Repo.new('spec/fixtures/secrets')
+      config_data = YAML.load_file('spec/fixtures/secrets/salus.yaml')
+
+      scanner = Salus::Scanners::Trufflehog.new(repository: repo, config: config_data)
+      scanner.run
+
+      report_h = scanner.report.to_h
+      expect(report_h[:passed]).to eq(true)
+      expect(report_h[:logs]).to be_nil
+      expect(report_h[:warn]).to eq({})
+      expect(report_h[:info]).to eq({})
+      expect(report_h[:errors]).to eq([])
+    end
+
+    it 'should honor exclude in the config to ignore findings and fail' do
+      repo = Salus::Repo.new('spec/fixtures/secrets')
+      config = { "exclude_files" => ["url.txt"] }
+      scanner = Salus::Scanners::Trufflehog.new(repository: repo, config: config)
+      scanner.run
+
+      report_h = scanner.report.to_h
+      expect(report_h[:passed]).to eq(false)
+    end
   end
 
   describe '#version_valid?' do