Description
I have been trying for a week now to get this to work as a proof-of-concept, but it does not seem to be worth my time right now.
I want to scan repos on a self-hosted gitea, with a self-signed certificate.
Trufflehog would ideally run in a docker container inside the gocd pipeline, and only proceed to clone and build the project if no credentials were found in the source repo. To do this, I have created a new Dockerfile in which I add the custom certificate, because I saw no other way to do it. Is this right?
Now I can connect to the server and scan public repos on there, but to scan private ones, I need to authenticate. I have seen it recommended to use ssh (not an option for a service account) or to use the scheme
https://user:[email protected]
which seems to be a security risk (exposing username and password/PAT) in itself.
The flag --token=... is only available to scan e.g. github, not a 'plain' git.
How can I securely (i.e. via a docker secret) pass the authentication details to trufflehog?
Is the best option to clone and then scan the local repo with file:// ?
Please create some more documentation for this use-case.
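One way to do what the question asks, as an added example that is not part of the original issue and not the trufflehog project's own code: read the service account's token from a Docker secret file, hand it to git through a `GIT_ASKPASS` helper so it never appears in the clone URL, the process list or the shell history, and then scan the local clone with `file://` exactly as the last question suggests. Assumptions not in the original: the secret is mounted at `/run/secrets/gitea_token`, the user name comes from the `GITEA_USER` environment variable, the CA certificate for the self-signed Gitea is already trusted in the image, and the `--fail` flag (exit code 183 when results are found, per trufflehog's own `--help`) is what the pipeline stage keys on.

```shell
#!/bin/sh
# Added example (not from the trufflehog project): clone a private Gitea repo
# with a token read from a Docker secret file, then scan the local clone.
# Assumed layout: token at /run/secrets/gitea_token, user name in GITEA_USER.
set -eu

SECRET_FILE="${GITEA_TOKEN_FILE:-/run/secrets/gitea_token}"

# write_askpass DIR -> prints the path of a GIT_ASKPASS helper.  Git calls it
# once with "Username for ..." and once with "Password for ...", and uses what
# it prints; the token is read from the secret file at prompt time, so it is
# never part of the URL or any command line.
write_askpass() {
    helper="$1/askpass.sh"
    cat > "$helper" <<'EOF'
#!/bin/sh
case "$1" in
    Username*) printf '%s\n' "${GITEA_USER:?GITEA_USER not set}" ;;
    Password*) tr -d '\n' < "${GITEA_TOKEN_FILE:?GITEA_TOKEN_FILE not set}"; printf '\n' ;;
    *) echo "unexpected git prompt: $1" >&2; exit 1 ;;
esac
EOF
    chmod 0700 "$helper"
    printf '%s\n' "$helper"
}

# scan_private_repo URL DEST -> clone URL (a plain https://host/org/repo.git,
# no credentials in it) into DEST and scan the clone; returns trufflehog's exit
# status (183 with --fail when secrets are found), so a pipeline stage can
# refuse to build on non-zero.
scan_private_repo() {
    url="$1"; dest="$2"
    workdir="$(mktemp -d)"
    askpass="$(write_askpass "$workdir")"
    # GIT_TERMINAL_PROMPT=0: fail instead of hanging if the helper is not used
    GIT_ASKPASS="$askpass" GIT_TERMINAL_PROMPT=0 GITEA_TOKEN_FILE="$SECRET_FILE" \
        git clone --quiet "$url" "$dest"
    rm -rf "$workdir"
    # scan the local clone via file://, no network credentials needed here
    trufflehog git "file://$dest" --fail --no-update
}

# Stand-alone use: ./scan.sh https://gitea.example/org/repo.git /work/repo
if [ $# -eq 2 ]; then
    scan_private_repo "$1" "$2"
fi
```

In a Compose or Swarm deployment the file under `/run/secrets/` is provided by a `secrets:` entry, so the token is never baked into the image or passed as an environment variable; a plain `docker run` can achieve the same with a read-only bind mount of a file that only the CI user can read.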