Merged
12 changes: 9 additions & 3 deletions examples/trufflehog/README.md
@@ -1,8 +1,8 @@
# **Trufflehog Secret Scan Evidence Example**

This repository provides a working example of a GitHub Actions workflow that automates secret scanning using **Trufflehog**. It then attaches the resulting secret detection report as signed, verifiable evidence to the package in **JFrog Artifactory**.
This repository provides a working example of a GitHub Actions workflow that automatically scans a repository for exposed secrets using Trufflehog. It then attaches the resulting scan report as signed, verifiable evidence to a Docker image in JFrog Artifactory.
Collaborator
Does Trufflehog only support Docker?
wagoodman/dive


This workflow is an essential pattern for DevSecOps, creating a traceable, compliant, and secure software supply chain by detecting and documenting potential secrets in your codebase.
This workflow is an essential DevSecOps practice, helping to prevent accidental secret leakage by creating a traceable and auditable record of what was found in your codebase at a specific point in time.

### **Key Features**

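Review bot: the rewritten intro on the second line of this hunk says the report is attached "to a Docker image" but no longer says what is actually scanned, which is what prompted the "only support Docker?" question above. The command later in this README runs Trufflehog against the checked-out repository (`filesystem /pwd`); the image is only the subject the evidence is attached to. Suggest making that explicit, e.g. "scans the checked-out repository for exposed secrets and attaches the resulting report as signed, verifiable evidence to the Docker image built from it in JFrog Artifactory", so readers do not conclude the scanner is inspecting image layers.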
@@ -105,18 +105,24 @@ Once the workflow completes successfully, you can navigate to your repository in
### **Key Commands Used**

* **Run Trufflehog Scan:**
This step runs the `trufflesecurity/trufflehog` container to scan the entire checked-out repository. The results are output in a `.jsonl` (JSON Lines) format. The `|| true` ensures the workflow continues even if secrets are found, allowing the findings to be reported as evidence.

```bash
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest filesystem /pwd --json
```

* **Process Results:**
The raw `.jsonl` output from Trufflehog is processed in two steps:

1. A Python script (`jsonl_to_json_converted.py`) converts the JSON Lines file into a standard, well-formed JSON array named `trufflehog.json`, which is required for the evidence predicate.
2. If `ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE` is `true`, a second script (`process_trufflehog_results.py`) generates a human-readable Markdown summary.

```bash
python process_trufflehog_results.py trufflehog-results.json
```

* **Attach Evidence:**
This final step uses jf evd create to attach the processed trufflehog.json report to the Docker image. This creates a permanent, tamper-proof record of the secret scan for the associated build.

```bash
jf evd create \
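Review bot: the new description under "Run Trufflehog Scan" says `|| true` keeps the workflow going when secrets are found, but the command shown directly below it has no `|| true`, and it passes `-it`, which requests a TTY that a GitHub Actions runner does not provide and makes `docker run` fail before the scan starts. Show the command as the workflow actually runs it, e.g. `docker run --rm -v "$PWD:/pwd" trufflesecurity/trufflehog:latest filesystem /pwd --json > trufflehog.jsonl || true`, and note that `|| true` also masks image-pull and runtime errors, so checking the exit status explicitly is safer than ignoring it. The file names in this hunk are also inconsistent: step 1 says the converter writes `trufflehog.json`, the example under "Process Results" feeds `trufflehog-results.json` to `process_trufflehog_results.py`, and the "Attach Evidence" text refers to `trufflehog.json` again; pick one name and use it throughout. Minor: `jf evd create` and `trufflehog.json` in the "Attach Evidence" paragraph should be in backticks like the rest of the section, and "tamper-proof" overstates what a signature gives you; signed evidence is tamper-evident, because a modified report fails verification, not unmodifiable.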
@@ -133,4 +139,4 @@ jf evd create \

* [Trufflehog Documentation](https://github.com/trufflesecurity/trufflehog)
* [JFrog Evidence Management](https://jfrog.com/help/r/jfrog-artifactory-documentation/evidence-management)
* [JFrog CLI Documentation](https://jfrog.com/getcli/)
* [JFrog CLI Documentation](https://jfrog.com/getcli/)