You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have been trying for a week now to get this to work as a proof-of-concept, but it does not seem to be worth my time right now.
I want to scan repos on a self-hosted gitea, with a self-signed certificate.
Trufflehog would ideally run in a docker contain inside the gocd pipeline, and only proceed to clone and build the project if no credentials were found in the source repo. To do this, I have created a new Dockerfile in which I add the custom certificate, because I saw no other way to do it, is this right?
Now I can connect to the server and scan public repos on there, but to scan private ones, I need to authenticate. I have seen recommended to use ssh (not an option for a service account) or to use the scheme https://user:password@gitea.custom.org
which seems to be a security risk (exposing username and password/PAT) in itself.
The flag --token=... is only available to scan e.g. github, not a 'plain' git.
How can I securely (i.e. via a docker secret) pass the authentication details to trufflehog?
Is the best option to clone and then scan the local repo with file:// ?
Please create some more documentation for this use-case.
The text was updated successfully, but these errors were encountered:
I have been trying for a week now to get this to work as a proof-of-concept, but it does not seem to be worth my time right now.
I want to scan repos on a self-hosted gitea, with a self-signed certificate.
Trufflehog would ideally run in a docker contain inside the gocd pipeline, and only proceed to clone and build the project if no credentials were found in the source repo. To do this, I have created a new Dockerfile in which I add the custom certificate, because I saw no other way to do it, is this right?
Now I can connect to the server and scan public repos on there, but to scan private ones, I need to authenticate. I have seen recommended to use ssh (not an option for a service account) or to use the scheme
https://user:password@gitea.custom.org
which seems to be a security risk (exposing username and password/PAT) in itself.
The flag --token=... is only available to scan e.g. github, not a 'plain' git.
How can I securely (i.e. via a docker secret) pass the authentication details to trufflehog?
Is the best option to clone and then scan the local repo with file:// ?
Please create some more documentation for this use-case.
The text was updated successfully, but these errors were encountered: