eclipse-tractusx · RoKrish14 · Aug 28, 2024 · Jun 27, 2024 · Jun 27, 2024 · Jun 27, 2024
diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md
@@ -1,26 +1,77 @@
 ---
-title: TRG 8.03 - GitGuardian
+title: TRG 8.03 - TruffleHog
 ---
 
 | Status | Created     | Post-History    |
 |--------|-------------|-----------------|
+| Update | 27-Jun-2024 | Switching to TruffleHog due to GitGuardian licence expiration|
 | Active | 26-Mar-2024 | Initial release |
 | Draft  | 04-Mar-2024 | Draft release   |
 
 ## Why
 
-GitGuardian excels at detecting and preventing leaks of sensitive data in your code repositories, such as API keys, passwords, and other secrets. This can help you avoid security breaches and comply with data privacy regulations.
+TruffleHog is an open source tool designed to identify sensitive information, such as API keys, passwords, and other credentials, that may have been inadvertently committed to your code repository. This tool is expected to be used in parallel to the native GitHub Secret Scanning tool.
 
 ## Description
 
-GitGuardian is integrated via its GitHub App, enabling automated secret scanning of our repositories. Each pull request undergoes a scan. If a potential secret is detected, the commit's author receives an immediate email notification.
+Detecting and removing these secrets is crucial for maintaining the security of your application and infrastructure. TruffleHog performs a thorough search by checking the entire repository history, not just the latest commits. This means it can find secrets that were committed in the past and might still pose a security risk.
 
-If a secret is suspected, the pull request will be locked. Immediate action is required regarding the potential secret due to the high risk associated with exposing secrets.
+Configure your GitHub Actions to include:
 
-:::caution
+- `workflow dispatch`: Manual workflow execution.
+- `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`.
+- `push` and `pull_request`: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the main branch. This is the branch from which new releases will be made.
 
-Address all findings.
+Note: `extra_args: --filter-entropy=4 --results=verified,unknown`
 
-:::
+Including `extra_args: --filter-entropy=4 --results=verified,unknown` in the GitHub Actions workflow ensures that TruffleHog focuses on detecting high-entropy strings, which are more likely to be sensitive information such as passwords or API keys. This setup also instructs TruffleHog to report both verified secrets and potential but unverified secrets, providing a comprehensive security scan that helps identify and address all possible vulnerabilities in the code.
 
-The email contains a _temporary **link**_, allowing the author to either **report** the detected secret or **mark it as a false positive**, streamlining the review process for software engineers.
+Including `run: exit 1` in a step of a GitHub Actions workflow, as demonstrated below, commands the workflow to halt execution. This ensures that should TruffleHog uncover any secrets during its scan, the workflow promptly terminates in failure.
+
+GitHub Actions allows you to define workflows to automatically run TruffleHog scans on your code. You'll see the output that triggered the failure directly in the logs.
+
+Here’s how you can set it up:
+
+```yml
+name: "TruffleHog"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *" # Once a day
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+  id-token: write
+  issues: write
+
+jobs:
+  ScanSecrets:
+    name: Scan secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Ensure full clone for pull request workflows
+          ref: ${{ github.head_ref }}  # Fetch specific branch/commit for pull requests
+
+      - name: TruffleHog OSS
+        id: trufflehog
+        uses: trufflesecurity/trufflehog@main
+        continue-on-error: true
+        with:
+          path: ./  # Scan the entire repository
+          base: "${{ github.event.repository.default_branch }}"  # Set base branch for comparison (pull requests)
+          extra_args: --filter-entropy=4 --results=verified,unknown --debug
+
+      - name: Scan Results Status
+        if: steps.trufflehog.outcome == 'failure'
+        run: exit 1  # Set workflow run to failure if TruffleHog finds secrets 
+```