diff --git a/.github/workflows/default-ci.yaml b/.github/workflows/default-ci.yaml
index 6a63d14..d4a6b83 100644
--- a/.github/workflows/default-ci.yaml
+++ b/.github/workflows/default-ci.yaml
@@ -21,16 +21,6 @@ on:
     branches: ["main"]
 
 jobs:
-  secret-scan:
-    name: "Secret Scanner (TruffleHog)"
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'stackit-docker' }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v7
-      - name: TruffleHog Scan
-        uses: edplato/trufflehog-actions-scan@master
-
   todo-check:
     name: "Check for Open TODOs"
     runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'stackit-ubuntu-22' }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c98fd9a..a8a0a3c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -58,6 +58,11 @@ repos:
       - id: prettier
         types_or: [javascript, yaml, json, markdown]
 
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.24.2
+    hooks:
+      - id: gitleaks
+
   - repo: local
     hooks:
       # Requires `addlicense` to be installed locally (go install github.com/google/addlicense@latest)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 0bd64ec..6282ab3 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
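Review bot: The gitleaks hook is added only as a pre-commit hook, while the default-ci.yaml hunk in this same commit deletes the `secret-scan` job outright, so after this change the CI pipeline runs no secret scanner at all — a pre-commit hook runs only on developers' machines, typically only on the staged changes of the commit being made, and is skipped by anyone without pre-commit installed or committing with `--no-verify`. CONTRIBUTING.md and GOVERNANCE.md in this commit still state that gitleaks runs in the CI pipeline, so either the CI job should be replaced rather than removed, or that wording corrected to say the scan is pre-commit only. A replacement job using the official action is sketched below; it also addresses that the removed job referenced `edplato/trufflehog-actions-scan@master`, an unpinned branch of a third-party action, whereas the new step should be pinned to a release tag or, better, a commit SHA. `fetch-depth: 0` is needed so gitleaks sees the commit history rather than only the checked-out tree, and whether the action runs on the `stackit-docker` self-hosted runner needs confirming.
```yaml
  secret-scan:
    name: "Secret Scanner (gitleaks)"
    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'stackit-docker' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v7
        with:
          fetch-depth: 0  # full history, so commits are scanned rather than only the working tree

      - name: Gitleaks Scan
        uses: gitleaks/gitleaks-action@v2  # pin to a commit SHA in the real workflow
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # … unchanged: todo-check job …
```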
@@ -59,7 +59,7 @@ To maintain a clean and secure codebase, we enforce a strict CI pipeline on all
   ```
 - **Terraform file naming:** All `.tf` files in examples **must** be prefixed with exactly 3 digits to enforce consistent ordering (e.g., `010-provider.tf`, `020-variables.tf`, `030-resources.tf`, `100-outputs.tf`). Files inside `modules/` directories are exempt from this rule. This check is enforced automatically by pre-commit.
-- **Scan for Secrets:** Never commit credentials. We use `trufflehog` in the CI pipeline. Ensure you have no hardcoded tokens or passwords in your code.
+- **Scan for Secrets:** Never commit credentials. We use `gitleaks` in the CI pipeline. Ensure you have no hardcoded tokens or passwords in your code.
 
 ### Repository structure
 
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
index 8b1c7fc..aa46534 100644
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -30,7 +30,7 @@ To ensure high standards and security, we follow a strict contribution process:
 - **Automated Validation:** Every Pull Request must pass the CI pipeline, which includes:
   - Linting and formatting checks.
   - License header verification (Apache 2.0).
-  - Secret scanning (Trufflehog).
+  - Secret scanning (GitLeaks).
 - **Best Effort Policy:** While we strive for quality, the content is provided "as-is." Use in production environments requires independent validation by the user.
 
 ## 4. Mirroring Process
diff --git a/examples/terraform-pg-backend-state-locking/00-bootstrap/040-output.tf b/examples/terraform-pg-backend-state-locking/00-bootstrap/040-output.tf
index 9e0fa24..f345841 100644
--- a/examples/terraform-pg-backend-state-locking/00-bootstrap/040-output.tf
+++ b/examples/terraform-pg-backend-state-locking/00-bootstrap/040-output.tf
@@ -22,6 +22,6 @@ locals {
 
 output "pg_connection_uri" {
   description = "PostgreSQL Flex User Connection String"
-  value       = "postgres://${local.pg_username}:${local.pg_password}@${local.pg_host}:${local.pg_port}/${local.pg_database}?sslmode=require" # trufflehog:ignore
+  value       = "postgres://${local.pg_username}:${local.pg_password}@${local.pg_host}:${local.pg_port}/${local.pg_database}?sslmode=require"
   sensitive   = true
 }
diff --git a/examples/terraform-pg-backend-state-locking/01-example-project/README.md b/examples/terraform-pg-backend-state-locking/01-example-project/README.md
index b9a7e75..f1f211d 100644
--- a/examples/terraform-pg-backend-state-locking/01-example-project/README.md
+++ b/examples/terraform-pg-backend-state-locking/01-example-project/README.md
@@ -7,7 +7,7 @@ This module contains the core infrastructure configuration. It uses the `pg` bac
 1. Create a `backend.conf` file in this directory and define the connection string using the credentials generated by the bootstrap module:
    ```ini
-   conn_str = "postgres://tf_state_user:@:5432/terraform_state?sslmode=require" # trufflehog:ignore
+   conn_str = "postgres://tf_state_user:@:5432/terraform_state?sslmode=require"
    ```
 2. Initialize Terraform and bind it to the remote PostgreSQL backend
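Review bot: Dropping the `# trufflehog:ignore` marker is right once the scanner changes, but nothing takes its place: if gitleaks' generic connection-string rule matches the interpolated `postgres://…` value, the equivalent suppression is `# gitleaks:allow` on that line — it should not match here, since both user and password are `local.*` references rather than literals, but that needs confirming by running the hook against this file. Prefer not to add the suppression pre-emptively: a line that embeds `local.pg_password` is exactly the one where a suppression would also hide a real literal if someone later inlines the value. The same marker removal in the 01-example-project README hunk has the same consideration. `sensitive = true` on the output is kept, which is the part that matters for plan and state output.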