wrap trufflehog and add 'write to file' entrypoint'

northdpole · northdpole · commit 8694b58e9aef · 2025-04-07T19:12:38.000+01:00
diff --git a/components/scanners/trufflehog/README.md b/components/scanners/trufflehog/README.md
@@ -19,26 +19,8 @@ as the following:
 |--------------------------|--------|----------|------------|---------------------------------------------------------|
 | TRUFFLEHOG\_RAW\_OUT\_FILE\_PATH  | string | yes      | -          | The path where to find the trufflehog report                 |
 | TRUFFLEHOG\_TARGET\_TYPE         | string | false    | repository | The type of target that was used to generate the report |
+| RAW\_OUT\_FILE  | string | yes | "{{ scratchWorkspace }}/trufflehog.json" | The path where to put the trufflehog report
 
 ## Test data
 
 The `trufflehog.json` file used in tests was generated with the following steps:
-
-* Cloning:
-
-```shell
-git clone https://github.com/smithy-security/e2e-monorepo
-```
-
-* Running trufflehog
-
-```shell
-docker run \
-    --rm -it -v "$PWD:/pwd" \
-     trufflesecurity/trufflehog:latest \
-     filesystem --json \
-     --no-fail \
-     --no-update \
-     --log-level=-1 \
-     --directory="/pwd"
-```
diff --git a/components/scanners/trufflehog/component.yaml b/components/scanners/trufflehog/component.yaml
@@ -6,6 +6,16 @@ parameters:
     type: "string"
     value: "TARGET_TYPE_REPOSITORY"
 steps:
+  - name: "run-trufflehog"
+    image:  "components/scanners/trufflehog/scanner"
+    executable: /smithy_entrypoint.sh
+    env_vars:
+      RAW_OUT_FILE: "{{ scratchWorkspace }}/trufflehog.json"
+    args:
+      - filesystem
+      - --json
+      - --no-fail
+      - --directory="{{sourceCodeWorkspace}}"
   - name: "secret-scanner"
     image: "components/scanners/trufflehog"
     executable: "/bin/app"
diff --git a/components/scanners/trufflehog/scanner/Dockerfile b/components/scanners/trufflehog/scanner/Dockerfile
@@ -0,0 +1,5 @@
+FROM ghcr.io/trufflesecurity/trufflehog:3.88.23
+
+COPY smithy_entrypoint.sh /smithy_entrypoint.sh
+RUN chmod +x /smithy_entrypoint.sh
+ENTRYPOINT [ "/smithy_entrypoint.sh" ]
diff --git a/components/scanners/trufflehog/scanner/Makefile b/components/scanners/trufflehog/scanner/Makefile
@@ -0,0 +1,13 @@
+.PHONY: image
+
+BUILD_ARCHITECTURE=
+COMPONENT_REGISTRY=
+COMPONENT_REPOSITORY=
+COMPONENT_TAG=
+BUILD_LABELS=
+
+image:
+	docker build $$([ "${BUILD_ARCHITECTURE}" != "" ] && echo "--platform=${BUILD_ARCHITECTURE}" ) \
+				 --label "$(BUILD_LABELS)" \
+				 --tag $(COMPONENT_REGISTRY)/$(COMPONENT_REPOSITORY):$(COMPONENT_TAG) \
+				 --file Dockerfile .
diff --git a/components/scanners/trufflehog/scanner/smithy_entrypoint.sh b/components/scanners/trufflehog/scanner/smithy_entrypoint.sh
@@ -0,0 +1,5 @@
+#! /bin/sh
+set -xe
+
+echo "Running trufflehog with args {$@} sending output to ${RAW_OUT_FILE}" 
+/etc/entrypoint.sh $@ | tee ${RAW_OUT_FILE}
diff --git a/examples/trufflehog/overrides.yaml b/examples/trufflehog/overrides.yaml
@@ -0,0 +1,4 @@
+git-clone:
+- name: "repo_url"
+  type: "string"
+  value: "https://github.com/OWASP/igoat"
diff --git a/examples/trufflehog/workflow.yaml b/examples/trufflehog/workflow.yaml
@@ -0,0 +1,7 @@
+description: Trufflehog based workflow
+name: trufflehog
+components:
+- component: file://components/targets/git-clone/component.yaml
+- component: file://components/scanners/trufflehog/component.yaml
+- component: file://components/enrichers/custom-annotation/component.yaml
+- component: file://components/reporters/json-logger/component.yaml
