diff --git a/.github/workflows/dive-evidence-example.yml b/.github/workflows/dive-evidence-example.yml new file mode 100644 index 0000000..578612a --- /dev/null +++ b/.github/workflows/dive-evidence-example.yml @@ -0,0 +1,60 @@ +name: Dive Image Analysis with JFrog Evidence +on: + workflow_dispatch: + +permissions: + id-token: write + contents: read + +jobs: + dive-with-evidence: + runs-on: ubuntu-latest + env: + REGISTRY_DOMAIN: ${{ vars.JF_URL }} + REPO_NAME: 'docker-dive-repo' + IMAGE_NAME: 'docker-dive-image' + VERSION: ${{ github.run_number }} + BUILD_NAME: 'dive-docker-build' + ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true + + steps: + # Build and publish the packages to JFrog Artifactory + - name: Setup jfrog cli + uses: jfrog/setup-jfrog-cli@v4 + env: + JF_URL: ${{ vars.ARTIFACTORY_URL }} + JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} + - name: Checkout repository + uses: actions/checkout@v4 + - name: Build and publish Docker Image to Artifactory + run: | + docker build . --file ./examples/dive/Dockerfile --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION + jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=${{ github.run_number }} + + # Fetch Dive Analysis + - name: Run Dive analysis + run: | + docker run -i --rm -e CI=true \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v $(pwd):/output docker.io/wagoodman/dive \ + $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION \ + --json /output/dive.json + + # This is an optional step to generate a custom markdown report + - name: Generate optional custom markdown report + if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' + run: | + python ./examples/dive/dive_json_to_md.py dive.json + + # Attaching the evidence to associated package + - name: Attach evidence using jfrog cli + run: | + jf evd create \ + --package-name $IMAGE_NAME \ + --package-version $VERSION \ + --package-repo-name $REPO_NAME \ + --key "${{ secrets.PRIVATE_KEY }}" \ + --key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \ + --predicate ./dive.json \ + --predicate-type dive/docker-size-scan/v1 \ + ${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "dive-analysis.md"' || '' }} diff --git a/.github/workflows/trufflehog-evidence-example.yml b/.github/workflows/trufflehog-evidence-example.yml new file mode 100644 index 0000000..a558704 --- /dev/null +++ b/.github/workflows/trufflehog-evidence-example.yml @@ -0,0 +1,68 @@ +name: "Trufflehog evidence integration example" +on: + workflow_dispatch: + +permissions: + id-token: write + contents: read + +jobs: + trufflehog-secret-scan-and-evidence: + runs-on: ubuntu-latest + env: + REGISTRY_DOMAIN: ${{ vars.JF_URL }} + REPO_NAME: 'trufflehog-repo' + IMAGE_NAME: 'docker-trufflehog-image' + VERSION: ${{ github.run_number }} + BUILD_NAME: 'trufflehog-build' + ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true + + steps: + # Setup JFrog CLI and checkout repository + - name: Setup jfrog cli + uses: jfrog/setup-jfrog-cli@v4 + env: + JF_URL: ${{ vars.ARTIFACTORY_URL }} + JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} + - name: Checkout repository + uses: actions/checkout@v4 + with: + sparse-checkout: | + examples/trufflehog/** + sparse-checkout-cone-mode: false + - name: Build and publish Docker Image to Artifactory + run: | + cd examples/trufflehog + docker build . --file Dockerfile --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION + jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=${{ github.run_number }} + cd - + + # Run Trufflehog secret scan + - name: Run Trufflehog secret scan + run: | + echo "Running Trufflehog secret scan..." + docker run --rm -v "$PWD:/pwd" trufflesecurity/trufflehog:latest filesystem /pwd --json > trufflehog-results.jsonl || true + echo "Trufflehog scan completed" + + # This is an optional step to generate a custom markdown report + - name: Generate optional custom markdown report + if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' + run: | + python ./examples/trufflehog/process_trufflehog_results.py trufflehog-results.jsonl + + # Attaching the evidence to associated package + - name: Attach evidence using jfrog cli + run: | + ls + python ./examples/trufflehog/jsonl_to_json_converted.py + jf evd create \ + --package-name $IMAGE_NAME \ + --package-version $VERSION \ + --package-repo-name $REPO_NAME \ + --key "${{ secrets.PRIVATE_KEY }}" \ + --key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \ + --predicate ./trufflehog.json \ + --predicate-type https://trufflesecurity.com/TruffleHog \ + ${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "report_readme.md"' || '' }} + echo "Evidence attachment completed successfully" + \ No newline at end of file diff --git a/examples/dive/.dive-ci.yml b/examples/dive/.dive-ci.yml new file mode 100644 index 0000000..4d01f2b --- /dev/null +++ b/examples/dive/.dive-ci.yml @@ -0,0 +1,4 @@ +rules: + lowestEfficiency: 0.95 + highestWastedBytes: 20Mb + highestUserWastedPercent: 0.5 diff --git a/examples/dive/Dockerfile b/examples/dive/Dockerfile new file mode 100644 index 0000000..7522cc3 --- /dev/null +++ b/examples/dive/Dockerfile @@ -0,0 +1,10 @@ +# Use the official lightweight Python image +FROM python:3.9-slim + +# Set the working directory +WORKDIR /app + +# Add a simple script that prints a message +RUN echo 'print("Hello from Docker!")' > hello.py + +CMD ["python", "hello.py"] \ No newline at end of file diff --git a/examples/dive/README.md b/examples/dive/README.md new file mode 100644 index 0000000..b1ce65f --- /dev/null +++ b/examples/dive/README.md @@ -0,0 +1,152 @@ +# **Dive Image Analysis Evidence Example** + +This repository provides a working example of a GitHub Actions workflow that automates Docker image analysis using **Dive**. It then attaches the resulting analysis report as signed, verifiable evidence to the package in **JFrog Artifactory**. + +This workflow is an essential pattern for DevSecOps, creating a traceable, compliant, and efficient software supply chain. + +### **Key Features** + +* **Automated Build & Push**: Builds a Docker image from a Dockerfile. +* **Image Analysis**: Uses Dive to analyze the image for inefficiencies. +* **Evidence Generation**: Creates a dive.json predicate file. +* **Optional Markdown Report**: Includes a helper script to generate a human-readable Markdown summary from the Dive JSON results. +* **Signed Evidence Attachment**: Attaches the analysis results to the corresponding package version in Artifactory using jf evd create, cryptographically signing it for integrity. + +### **Workflow** + +The following diagram illustrates the sequence of operations performed by the GitHub Actions workflow. + +```mermaid +graph TD + A[Workflow Dispatch Trigger] --> B[Setup JFrog CLI] + B --> C[Checkout Repository] + C --> D[Build and Push Docker Image to Artifactory] + D --> E[Run Dive Analysis] + E --> F{Generate Markdown?} + F -->|Yes| G[Generate Markdown Report] + F -->|No| H[Skip Markdown Generation] + G --> I[Attach Evidence to Package] + H --> I +``` + +--- + +### **1\. Prerequisites** + +Before running this workflow, you must have: + +* JFrog CLI 2.65.0 or above (installed automatically in the workflow) +* An Artifactory repository of type docker (e.g., docker-dive-repo). +* A private key and a corresponding key alias configured in your JFrog Platform for signing evidence. +* The following GitHub repository variables: + * `REGISTRY_DOMAIN` (Artifactory Docker registry domain, e.g. `mycompany.jfrog.io`) + * `EVIDENCE_KEY_ALIAS` (Key alias for signing evidence) +* The following GitHub repository secrets: + * `ARTIFACTORY_ACCESS_TOKEN` (Artifactory access token) + * `PRIVATE_KEY` (Private key for signing evidence) + +### Environment Variables Used + +* `REGISTRY_DOMAIN` \- Docker registry domain + +### **2\. Configuration** + +To use this workflow, you must configure the following GitHub Repository Secrets and Variables. + +#### **GitHub Secrets** + +Navigate to Settings \> Secrets and variables \> Actions and create the following secrets: + +| Secret Name | Description | +| :---- | :---- | +| ARTIFACTORY_ACCESS_TOKEN | A valid JFrog Access Token with permissions to read, write, and annotate in your target repository. | +| PRIVATE_KEY | The private key used to sign the evidence. This key corresponds to the alias configured in JFrog Platform. | + +#### **GitHub Variables** + +Navigate to Settings \> Secrets and variables \> Actions and create the following variables: + +| Variable Name | Description | Example Value | +| :---- | :---- | :---- | +| JF_URL | The base URL of your JFrog Platform instance. | https://mycompany.jfrog.io | +| EVIDENCE_KEY_ALIAS | The alias for the public key in JFrog Platform used to verify the evidence signature. | my-signing-key-alias | + +#### **Workflow Environment Variables** + +You can also customize the workflow's behavior by modifying the env block in the .github/workflows/dive-evidence-example.yml file: + +| Variable Name | Description | Default Value | +| :---- | :---- | :---- | +| DOCKERFILE_PATH | The path to the Dockerfile in your repository. | ./Dockerfile | +| IMAGE_NAME | The name of the Docker image to be built. | my-dive-image | +| IMAGE_TAG | The tag for the Docker image. | latest | +| REGISTRY_REPO | The Artifactory repository to which the image will be pushed. | docker-dive-repo | +| DIVE_OPTIONS | Additional options for the Dive command. | --ignore-unpackaged | + +--- + +### **3\. Usage** + +This workflow is triggered manually. + +1. Navigate to the **Actions** tab of your forked repository. +2. In the left sidebar, click on the **Dive evidence integration example** workflow. +3. Click the **Run workflow** dropdown button. You can leave the default branch selected. +4. Click the green **Run workflow** button. + +Once the workflow completes successfully, you can navigate to your repository in Artifactory (docker-dive-repo) and view the docker-dive-image. Under the **Evidence** tab for the latest version, you will find the signed Dive analysis results. + +--- + +### **How It Works: A Step-by-Step Breakdown** + +1. **Setup and Checkout**: The workflow begins by setting up the JFrog CLI and checking out the repository code. +2. **Build and Publish Docker Image**: It uses standard docker commands to build an image. The `jf rt docker-push` command then pushes this image to your Artifactory instance and associates it with build information using `jf rt build-publish`. +3. **Run Dive Analysis**: The Dive tool is executed against the newly pushed image. It analyzes the image for inefficiencies and outputs the findings into a structured `dive.json` file. +4. **Generate Optional Markdown Report**: If `ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE` is true, a Python helper script is run to parse the JSON output and create a more human-readable `dive-analysis.md` file. +5. **Attach Signed Evidence**: The final step uses the `jf evd create` command. It takes the `dive.json` file as the official "predicate" and attaches it as evidence to the specific package version in Artifactory. The evidence is signed using the provided `PRIVATE_KEY`, ensuring its authenticity and integrity. + +--- + +### **Key Commands Used** + +* **Build Docker Image:** + +``` +docker build . --file ./examples/dive/Dockerfile --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION +``` + +* **Run Dive Analysis:** + +``` +docker run -it --rm -e CI=true \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v $(pwd):/output docker.io/wagoodman/dive \ + $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION \ + --json /output/dive.json +``` + +* **Push Docker Image:** + +``` +jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=${{ github.run_number }} +``` + +* **Attach Evidence:** + +``` +jf evd create \ + --package-name $IMAGE_NAME \ + --package-version $VERSION \ + --package-repo-name $REPO_NAME \ + --key "${{ secrets.PRIVATE_KEY }}" \ + --key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \ + --predicate ./dive.json \ + --predicate-type dive/docker-size-scan/v1 +``` + +### **References** + +* [Dive Documentation](https://github.com/wagoodman/dive) +* [JFrog Evidence Management](https://jfrog.com/help/r/jfrog-artifactory-documentation/evidence-management) +* [JFrog CLI Documentation](https://jfrog.com/getcli/) diff --git a/examples/dive/dive_json_to_md.py b/examples/dive/dive_json_to_md.py new file mode 100644 index 0000000..b687696 --- /dev/null +++ b/examples/dive/dive_json_to_md.py @@ -0,0 +1,61 @@ +import json +import sys + +def generate_markdown_report(dive_output): + image_info = dive_output.get('image', {}) + + size_bytes = image_info.get('sizeBytes', 'N/A') + inefficient_bytes = image_info.get('inefficientBytes', 'N/A') + efficiency_score = image_info.get('efficiencyScore', 'N/A') + + markdown_report = f""" +## Dive Analysis Report + +**Image Size:** `{size_bytes} bytes` + +**Inefficient Bytes:** `{inefficient_bytes} bytes` + +**Efficiency Score:** `{efficiency_score}` + +--- +### File References +This section lists the files contributing to inefficiencies in the image. + +| File Path | Count | Size (Bytes) | +| :-------- | :---- | :----------- | +""" + + file_references = image_info.get('fileReference', []) + for file_ref in file_references: + file_path = file_ref.get('file', 'N/A') + count = file_ref.get('count', 'N/A') + size = file_ref.get('sizeBytes', 'N/A') + markdown_report += f"| {file_path} | {count} | {size} |\n" + + markdown_report += "\n---" + return markdown_report + +def main(input_file): + # Read JSON input from a file + with open(input_file, 'r') as file: + dive_output = json.load(file) + + # Generate the Markdown report + markdown_report = generate_markdown_report(dive_output) + + # Define the output file path + output_file = 'dive-analysis.md' + + # Write the Markdown report to a file + with open(output_file, 'w') as file: + file.write(markdown_report) + + print(f"Markdown report generated successfully and saved to {output_file}!") + +if __name__ == '__main__': + if len(sys.argv) != 2: + print("Usage: python dive_json_to_md.py ") + sys.exit(1) + + input_file = sys.argv[1] + main(input_file) diff --git a/examples/trufflehog/Dockerfile b/examples/trufflehog/Dockerfile new file mode 100644 index 0000000..cf407d3 --- /dev/null +++ b/examples/trufflehog/Dockerfile @@ -0,0 +1,8 @@ +FROM alpine:latest + +WORKDIR /app + +# Copy the setting file into the Docker image +COPY vulnerable_setting /app/vulnerable_setting + +CMD ["cat", "/app/vulnerable_setting"] \ No newline at end of file diff --git a/examples/trufflehog/README.md b/examples/trufflehog/README.md new file mode 100644 index 0000000..6368b04 --- /dev/null +++ b/examples/trufflehog/README.md @@ -0,0 +1,136 @@ +# **Trufflehog Secret Scan Evidence Example** + +This repository provides a working example of a GitHub Actions workflow that automates secret scanning using **Trufflehog**. It then attaches the resulting secret detection report as signed, verifiable evidence to the package in **JFrog Artifactory**. + +This workflow is an essential pattern for DevSecOps, creating a traceable, compliant, and secure software supply chain by detecting and documenting potential secrets in your codebase. + +### **Key Features** + +* **Automated Secret Scanning**: Uses Trufflehog to scan the repository for potential secrets and sensitive information. +* **Comprehensive Detection**: Scans for various types of secrets including API keys, passwords, tokens, and other sensitive data. +* **Evidence Generation**: Creates a structured predicate file from Trufflehog scan results. +* **Optional Markdown Report**: Includes a helper script to generate a human-readable Markdown summary from the Trufflehog JSON results. +* **Signed Evidence Attachment**: Attaches the scan results to the corresponding package version in Artifactory using jf evd create, cryptographically signing it for integrity. +* **Trufflehog**: [what Trufflehog can detect](https://github.com/trufflesecurity/trufflehog) + +### **Workflow** + +The following diagram illustrates the sequence of operations performed by the GitHub Actions workflow. + +```mermaid +graph TD + A[Workflow Dispatch Trigger] --> B[Setup JFrog CLI] + B --> C[Checkout Repository with Sparse Checkout] + C --> D[Build and Publish Docker Image to Artifactory] + D --> E[Run Trufflehog Secret Scan] + E --> F{ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE?} + F -->|true| G[Generate Custom Markdown Report] + F -->|false| H[Skip Markdown Report Generation] + G --> I[Attach Evidence to Package with jf evd create] + H --> I[Attach Evidence to Package with jf evd create] + I --> J[Evidence Signed and Stored in JFrog Platform] +``` + +--- + +### **1\. Prerequisites** + +Before running this workflow, you must have: + +* JFrog CLI 2.65.0 or above (installed automatically in the workflow) +* An Artifactory repository configured for your project. +* A private key and a corresponding key alias configured in your JFrog Platform for signing evidence. +* The following GitHub repository variables: + * `JF_URL` (JFrog Platform base URL, e.g. `https://mycompany.jfrog.io`) + * `JF_SIGNING_KEY_ALIAS` (Key alias for signing evidence) +* The following GitHub repository secrets: + * `JF_ACCESS_TOKEN` (JFrog access token with evidence upload permissions) + * `JF_PRIVATE_KEY` (Private key for signing evidence) + +### Environment Variables Used + +* `ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE` - Controls whether to generate and attach a Markdown report + +### **2\. Configuration** + +To use this workflow, you must configure the following GitHub Repository Secrets and Variables. + +#### **GitHub Secrets** + +Navigate to Settings \> Secrets and variables \> Actions and create the following secrets: + +| Secret Name | Description | +| :---- | :---- | +| JF_ACCESS_TOKEN | A valid JFrog Access Token with permissions to read, write, and annotate in your target repository. | +| JF_PRIVATE_KEY | The private key used to sign the evidence. This key corresponds to the alias configured in JFrog Platform. | + +#### **GitHub Variables** + +Navigate to Settings \> Secrets and variables \> Actions and create the following variables: + +| Variable Name | Description | Example Value | +| :---- | :---- | :---- | +| JF_URL | The base URL of your JFrog Platform instance. | https://mycompany.jfrog.io | +| JF_SIGNING_KEY_ALIAS | The alias for the public key in JFrog Platform used to verify the evidence signature. | my-signing-key-alias | + +#### **Workflow Environment Variables** + +You can also customize the workflow's behavior by modifying the env block in the .github/workflows/trufflehog-evidence-example.yml file: + +| Variable Name | Description | Default Value | +| :---- | :---- | :---- | +| ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE | Set to true to generate and attach a Markdown report alongside the JSON evidence. Set to false to skip this step. | true | + +--- + +### **3\. Usage** + +This workflow is triggered manually. + +1. Navigate to the **Actions** tab of your forked repository. +2. In the left sidebar, click on the **Trufflehog Scan and JFrog Evidence** workflow. +3. Click the **Run workflow** dropdown button. You can leave the default branch selected. +4. Click the green **Run workflow** button. + +Once the workflow completes successfully, you can navigate to your repository in Artifactory and view the evidence. Under the **Evidence** tab for the latest version, you will find the signed Trufflehog scan results. + +### **How It Works: A Step-by-Step Breakdown** + +1. **Setup and Checkout**: The workflow begins by setting up the JFrog CLI and checking out the repository code using sparse checkout to focus on the trufflehog example directory. +2. **Run Trufflehog Secret Scan**: Uses Docker to run Trufflehog against the repository, scanning for potential secrets and sensitive information. The scan outputs results in JSON format. +3. **Process Scan Results**: A Python helper script (`process_trufflehog_results.py`) parses the Trufflehog JSON output and generates a structured predicate file suitable for JFrog Evidence. +4. **Generate Optional Markdown Report**: If ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE is true, the Python script creates a human-readable Markdown report summarizing the findings. +5. **Attach Signed Evidence**: The final step uses the jf evd create command to attach the scan results as evidence to the specific package version in Artifactory. The evidence is signed using the provided private key, ensuring its authenticity and integrity. + +### **Key Commands Used** + +* **Run Trufflehog Scan:** + +```bash +docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest filesystem /pwd --json +``` + +* **Process Results:** + +```bash +python process_trufflehog_results.py trufflehog-results.json +``` + +* **Attach Evidence:** + +```bash +jf evd create \ + --package-name your-package-name \ + --package-version your-version \ + --package-repo-name your-repo-name \ + --key "${{ secrets.JF_PRIVATE_KEY }}" \ + --key-alias ${{ vars.JF_SIGNING_KEY_ALIAS }} \ + --predicate ./trufflehog-evidence.json \ + --predicate-type http://trufflesecurity.com/trufflehog/secret-scan +``` + +### **References** + +* [Trufflehog Documentation](https://github.com/trufflesecurity/trufflehog) +* [JFrog Evidence Management](https://jfrog.com/help/r/jfrog-artifactory-documentation/evidence-management) +* [JFrog CLI Documentation](https://jfrog.com/getcli/) \ No newline at end of file diff --git a/examples/trufflehog/jsonl_to_json_converted.py b/examples/trufflehog/jsonl_to_json_converted.py new file mode 100644 index 0000000..605a69d --- /dev/null +++ b/examples/trufflehog/jsonl_to_json_converted.py @@ -0,0 +1,23 @@ +import json + +# Input and output file paths +input_file = "trufflehog-results.jsonl" +output_file = "trufflehog.json" + +# Read the JSONL file and convert it to a list of JSON objects +with open(input_file, "r") as infile: + data = [json.loads(line) for line in infile] + +# Wrap the data in a dictionary with the key "data" +output_data = {"data": data} + +# Write the output to a JSON file with proper formatting +with open(output_file, "w") as outfile: + outfile.write('{\n "data": [\n') + for i, item in enumerate(data): + json.dump(item, outfile, indent=4) + if i < len(data) - 1: + outfile.write(',\n') + outfile.write('\n ]\n}') + +print(f"Converted {input_file} to {output_file}") \ No newline at end of file diff --git a/examples/trufflehog/process_trufflehog_results.py b/examples/trufflehog/process_trufflehog_results.py new file mode 100644 index 0000000..f1a0759 --- /dev/null +++ b/examples/trufflehog/process_trufflehog_results.py @@ -0,0 +1,77 @@ +import json +import sys + +def generate_markdown_report(report): + source_name = report.get('SourceName', 'N/A') + detector_name = report.get('DetectorName', None) + if not detector_name: + return None # Skip entries without 'DetectorName' + + detector_description = report.get('DetectorDescription', 'N/A') + verified = report.get('Verified', False) + raw = report.get('Raw', 'N/A') + redacted = report.get('Redacted', 'N/A') + + extra_data = report.get('ExtraData', {}) + account = extra_data.get('account', 'N/A') + arn = extra_data.get('arn', 'N/A') + is_canary = extra_data.get('is_canary', 'N/A') + message = extra_data.get('message', 'N/A') + resource_type = extra_data.get('resource_type', 'N/A') + + markdown_report = f""" +## Report Overview: {source_name} + +**Source Name:** `{source_name}` + +**Detector Name:** `{detector_name}` + +**Detector Description:** `{detector_description}` + +**Verified:** `{verified}` + +**Raw Data:** `{raw}` + +**Redacted Data:** `{redacted}` + +--- +### Extra Data +| Key | Value | +| :------------ | :------------ | +| Account | {account} | +| ARN | {arn} | +| Is Canary | {is_canary} | +| Message | {message} | +| Resource Type | {resource_type} | +--- +""" + return markdown_report + +def main(input_file): + # Read JSONL input from a file + with open(input_file, 'r') as file: + lines = file.readlines() + + markdown_reports = [] + for line in lines: + report = json.loads(line) + markdown_report = generate_markdown_report(report) + if markdown_report: + markdown_reports.append(markdown_report) + + # Define the output file path + output_file = 'report_readme.md' + + # Write the Markdown reports to a file + with open(output_file, 'w') as file: + file.write("\n\n".join(markdown_reports)) + + print(f"Markdown README generated successfully and saved to {output_file}!") + +if __name__ == '__main__': + if len(sys.argv) != 2: + print("Usage: python process_trufflehog_results.py ") + sys.exit(1) + + input_file = sys.argv[1] + main(input_file) diff --git a/examples/trufflehog/vulnerable_setting b/examples/trufflehog/vulnerable_setting new file mode 100644 index 0000000..3891b66 --- /dev/null +++ b/examples/trufflehog/vulnerable_setting @@ -0,0 +1,5 @@ +[default] +aws_access_key_id = AKIAQYLPMN5HHHFPZAM2 +aws_secret_access_key = 1tUm636uS1yOEcfP5pvfqJ/ml36mF7AkyHsEU0IU +output = json +region = us-east-2 \ No newline at end of file