Merge pull request #539 from Privado-Inc/dev

Trufflehog changes

.github/workflows/trufflehog-scan.yaml

@@ -0,0 +1,47 @@
+name: TruffleHog Scan
+
+on:
+  push:
+    branches:
+      - trufflehog-new
+      - main
+      - dev
+  pull_request:
+    branches:
+      - main
+      - dev
+
+jobs:
+  trufflehog-scan:
+    runs-on: ubuntu-22.04
+    services:
+      docker:
+        image: docker:19.03.12
+        options: --privileged
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+
+      - name: Set up Docker
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y docker-ce docker-ce-cli containerd.io
+
+      - name: TruffleHog scan
+        run: |
+          echo "Starting TruffleHog scan..."
+          docker run -v "$PWD:/pwd" -v $GITHUB_WORKSPACE:/privado ghcr.io/trufflesecurity/trufflehog:latest filesystem --directory /privado --exclude_paths /privado/trufflehog/exclude-patterns.txt > trufflehog_output.text
+          python3 $GITHUB_WORKSPACE/trufflehog/trufflehog-exception.py
+          echo "TruffleHog scan completed."
+          cat trufflehog_filtered_output.text
+          if grep -qE 'Found (unverified|verified) result' trufflehog_filtered_output.text; then
+            echo "TruffleHog found sensitive information. Failing the pipeline."
+            exit 1
+          else
+            echo "No sensitive information found."
+          fi

.gitignore

@@ -248,4 +248,6 @@ privado
 notes.md
 
 #Directory created by IDE
-workspace
+workspace
+
+trufflehog_filtered_output.text

config/exclusions/javascript.yaml

@@ -19,3 +19,8 @@ exclusions:
     name: Exclude file which cannot be read
     patterns:
       - "<empty>|<unknownFullName>"
+
+  - id: Exclusions.JQuery
+    name: Exclude JQuery Folder
+    patterns:
+      - ".*(jquery).*([.]js).*"

rules/collections/android/any.yaml

@@ -61,3 +61,87 @@ collections:
       - ".*(?i)password.*"
     tags:
       sourceId: Data.Sensitive.AccountData.AccountPassword
+
+  - id: Collections.Android.Form.DateofBirth
+    name: Android Form DateofBirth
+    patterns:
+      - ".*(?i)(?i)(dob|(.*(date[^\\s/(;)#|,=!>]{0,5}of[^\\s/(;)#|,=!>]{0,5}birth|birth[^\\s/(;)#|,=!>]{0,5}(?:day|date|month|year)|birth[-_]{0,2}dt))).*"
+    tags:
+      sourceId: Data.Sensitive.PersonalIdentification.DateofBirth
+
+  - id: Collections.Android.Form.Age
+    name: Android Form Age
+    patterns:
+      - ".*(?i)(user|person|customer|under|years|yrs|human)?(_)?(of|in)?(_)?(age).*"
+    tags:
+      sourceId: Data.Sensitive.PersonalIdentification.Age
+
+  - id: Collections.Android.Form.Gender
+    name: Android Form Gender
+    patterns:
+      - "(?i)((.*gender)|is[_-]{0,1}male|is[_-]{0,1}female|sex)"
+    tags:
+      sourceId: Data.Sensitive.PersonalIdentification.Gender
+
+  - id: Collections.Android.Form.Photograph
+    name: Android Form Photograph
+    patterns:
+      - "(?i).*(?:profile|employee|user)[^\\s/(;)#|,=!>]{0,5}(?:picture|image|pic|photo).*"
+    tags:
+      sourceId: Data.Sensitive.PersonalIdentification.Photograph
+
+  - id: Collections.Android.Form.Passport
+    name: Android Form Passport
+    patterns:
+      - ".*(?i)(.*passport[^\\s/(;)#|,=!>]{0,10}(?:no|number|id|expiry|validity|country)).*"
+    tags:
+      sourceId: Data.Sensitive.NationalIdentificationNumbers.Passport
+
+  - id: Collections.Android.Form.DrivingLicense
+    name: Android Form DrivingLicense
+    patterns:
+      - ".*(?i)((?:driving|driver)[^\\s/(;)#|,=!>]{0,5}(?:license|lisense|licence)[^\\s/(;)#|,=!>]{0,5}(?:no|number|id)|(?:driving|driver)[^\\s/(;)#|,=!>]{0,5}(?:license|lisense|licence)).*"
+    tags:
+      sourceId: Data.Sensitive.NationalIdentificationNumbers.DrivingLicense
+
+  - id: Collections.Android.Form.SocialSecurityNumber
+    name: Android Form SocialSecurityNumber
+    patterns:
+      - ".*(?i)(social[^\\s/(;)#|,=!>]{0,5}security[^\\s/(;)#|,=!>]{0,5}(?:number|no|id)|.*_ssn|ssn).*"
+    tags:
+      sourceId: Data.Sensitive.NationalIdentificationNumbers.SocialSecurityNumber
+
+  - id: Collections.Android.Form.DisabilityorSpecificCondition
+    name: Android Form DisabilityorSpecificCondition
+    patterns:
+      - "(?i).*(locomotor[^\\s/(;)#|,=!>]*disability|mental[^\\s/(;)#|,=!>]*illness|cerebral[^\\s/(;)#|,=!>]*palsy|hearing[^\\s/(;)#|,=!>]*impairment|muscular[^\\s/(;)#|,=!>]*dystrophy|multiple[^\\s/(;)#|,=!>]*sclerosis|hiv[^\\s/(;)#|,=!>]*aids|physical[^\\s/(;)#|,=!>]*disability|mental[^\\s/(;)#|,=!>]*disability|alzheimer|thalassemia|hemophilia|autism|cancer|dwarfism|blindness|handicapped|wheelchair|diabetic|dyslexia|epilepsy|schizophrenia|depression|physical[^\\s/(;)#|,=!>]disorder).*"
+    tags:
+      sourceId: Data.Sensitive.HealthData.DisabilityorSpecificCondition
+
+  - id: Collections.Android.Form.IllnessorMedicalCondition
+    name: Android Form IllnessorMedicalCondition
+    patterns:
+      - "(?i).*(health[^\\s/(;)#|,=!>]{0,10}record|medical[^\\s/(;)#|,=!>]{0,10}condition|(?:user|person|customer|employee)[^\\s/(;)#|,=!>]{0,10}health|illness[^\\s/(;)#|,=!>]{0,10}(?:record|name|data|type|date))"
+    tags:
+      sourceId: Data.Sensitive.HealthData.IllnessorMedicalCondition
+
+  - id: Collections.Android.Form.MaternityLeaveDetails
+    name: Android Form MaternityLeaveDetails
+    patterns:
+      - "(?i).*(maternity[^\\s/(;)#|,=!>]{0,10}leave).*"
+    tags:
+      sourceId: Data.Sensitive.HealthData.MaternityLeaveDetails
+
+  - id: Collections.Android.Form.PaternityLeaveDetails
+    name: Android Form PaternityLeaveDetails
+    patterns:
+      - "(?i).*(paternity[^\\s/(;)#|,=!>]{0,10}leave).*"
+    tags:
+      sourceId: Data.Sensitive.HealthData.PaternityLeaveDetails
+
+  - id: Collections.Android.Form.MedicalCertificates
+    name: Android Form MedicalCertificates
+    patterns:
+      - "(?i).*(blood[^\\s/(;)#|,=!>]{0,10}report|medical[^\\s/(;)#|,=!>]{0,10}(?:report|test)|medical[^\\s/(;)#|,=!>]{0,10}certificate|blood[^\\s/(;)#|,=!>]{0,10}group).*"
+    tags:
+      sourceId: Data.Sensitive.HealthData.MedicalCertificates

trufflehog/exclude-patterns.txt

@@ -0,0 +1,6 @@
+^/privado/trufflehog_output.text
+^/privadot/rufflehog/exclude-patterns.txt
+^/privado/.git
+^/privado/trufflehog/truffleHogAllowRules.json
+^/privado/trufflehog_filtered_output.text
+^/privado/rules/

trufflehog/truffleHogAllowRules.json

@@ -0,0 +1,2 @@
+[
+]

trufflehog/trufflehog-exception.py

@@ -0,0 +1,41 @@
+import json
+
+# Load patterns from the JSON file
+with open("./trufflehog/truffleHogAllowRules.json", "r") as f:
+    patterns_list = json.load(f)
+
+# Compile the patterns into regex objects
+patterns = [re.compile(pattern) for pattern in patterns_list]
+
+# Function to determine if a block should be excluded
+def should_exclude(block):
+    for pattern in patterns:
+        if any(pattern.search(line) for line in block):
+            return True
+    return False
+
+# Read the input file
+with open("trufflehog_output.text", "r") as f:
+    lines = f.readlines()
+
+# Process the file and remove matching blocks
+output_lines = []
+current_block = []
+
+for line in lines:
+    if line.startswith("Found unverified result"):
+        if current_block and not should_exclude(current_block):
+            output_lines.extend(current_block)
+        current_block = [line]
+    else:
+        current_block.append(line)
+
+# Append the last block if it doesn't match the patterns
+if current_block and not should_exclude(current_block):
+    output_lines.extend(current_block)
+
+# Write the filtered output to a new file
+with open("trufflehog_filtered_output.text", "w") as f:
+    f.writelines(output_lines)
+
+print("Filtered output saved to trufflehog_filtered_output.text")