From 0e9c5baca5f530523432c1bec80e08bff6d51c99 Mon Sep 17 00:00:00 2001 From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Mon, 10 Jun 2024 16:34:32 +0200 Subject: [PATCH] fix: trufflehog --only-verified (#286) Recently multiple false positives reported for trufflehog v3: https://splunk.slack.com/archives/CRTNPEZ4M/p1717405810934429 Let's add --only-verified flag to callout to avoid multiple fp for now. Final solution need to be established/reviewed with prodsec. More info on secrets verification in trufflehog: https://trufflesecurity.com/blog/how-trufflehog-verifies-secrets Tests: https://github.com/splunk/splunk-add-on-for-microsoft-office-365/actions/runs/9399856169 --- .github/workflows/reusable-build-test-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 923b25cbc..866af9050 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -267,7 +267,7 @@ jobs: - name: Secret Scanning Trufflehog uses: trufflesecurity/trufflehog@v3.77.0 with: - extra_args: -x .github/workflows/exclude-patterns.txt --json + extra_args: -x .github/workflows/exclude-patterns.txt --json --only-verified version: 3.77.0 semgrep:
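Review bot: The `--only-verified` added to the `extra_args` line silently drops every finding TruffleHog could not actively confirm, which includes matches from detectors that have no verifier and live secrets whose verification call failed (revoked key, rate limiting, outbound network blocked from the runner), so a real leak can now pass the step with no signal in the job output. The commit message records that this is an interim measure pending a prodsec decision, but that rationale exists only in the commit, so the workflow should carry it as a comment above the `extra_args` line, e.g. `# TEMP: --only-verified hides unverified findings (detectors without a verifier, failed/revoked checks) to cut false positives; revisit with prodsec.` Note that verification still runs with this flag — per the linked TruffleHog write-up, each candidate secret is exercised against its issuing service from the CI runner — so the flag only filters what is reported and does not reduce outbound use of candidate credentials. The enclosing `steps:` list and job start outside the hunk.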