From 0d630b948354a9814400d9448a531e5f4d890a2d Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Fri, 17 Jan 2025 07:31:06 +0000 Subject: [PATCH 1/9] fix: upgrade lucide-react from 0.424.0 to 0.469.0 Snyk has created this PR to upgrade lucide-react from 0.424.0 to 0.469.0. See this package in npm: lucide-react See this project in Snyk: https://app.snyk.io/org/imambash6-nW84AQcTeBzS964s3SGwoH/project/07aa8130-1c7a-4eb9-8989-9687d2460146?utm_source=github&utm_medium=referral&page=upgrade-pr --- packages/frontend/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/frontend/package.json b/packages/frontend/package.json index 84d7065..7bf4736 100644 --- a/packages/frontend/package.json +++ b/packages/frontend/package.json @@ -39,7 +39,7 @@ "gsap": "^3.12.5", "lenis": "^1.1.16", "livepeer": "^3.4.0", - "lucide-react": "^0.424.0", + "lucide-react": "^0.469.0", "react": "^18.3.1", "react-animated-cursor": "^2.11.2", "react-calendar": "^5.1.0", From 55d544f6caf17bbfe5d6ca754385c535f638958c Mon Sep 17 00:00:00 2001 From: Imambash6 <32916274+Imambash6@users.noreply.github.com> Date: Wed, 12 Feb 2025 13:45:09 +0100 Subject: [PATCH 2/9] Create workflows.yml --- .github/workflows.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/workflows.yml diff --git a/.github/workflows.yml b/.github/workflows.yml new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/.github/workflows.yml @@ -0,0 +1 @@ + From f2ebc735868feaedeefb8fb1a0957966a424fd90 Mon Sep 17 00:00:00 2001 
From: snyk-bot Date: Fri, 14 Feb 2025 06:40:55 +0000 Subject: [PATCH 3/9] fix: upgrade lucide-react from 0.469.0 to 0.474.0 Snyk has created this PR to upgrade lucide-react from 0.469.0 to 0.474.0. See this package in npm: lucide-react See this project in Snyk: https://app.snyk.io/org/imambash6-nW84AQcTeBzS964s3SGwoH/project/07aa8130-1c7a-4eb9-8989-9687d2460146?utm_source=github&utm_medium=referral&page=upgrade-pr --- packages/frontend/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/frontend/package.json b/packages/frontend/package.json index 7bf4736..97cacce 100644 --- a/packages/frontend/package.json +++ b/packages/frontend/package.json @@ -39,7 +39,7 @@ "gsap": "^3.12.5", "lenis": "^1.1.16", "livepeer": "^3.4.0", - "lucide-react": "^0.469.0", + "lucide-react": "^0.474.0", "react": "^18.3.1", "react-animated-cursor": "^2.11.2", "react-calendar": "^5.1.0", From efa14961adeeffb05e2949fe0a1e879d8cffce3b Mon Sep 17 00:00:00 2001 From: Imambash6 <32916274+Imambash6@users.noreply.github.com> Date: Tue, 18 Feb 2025 13:39:12 +0100 Subject: [PATCH 4/9] Create security-scan.yml --- .github/security-scan.yml | 40 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/security-scan.yml diff --git a/.github/security-scan.yml b/.github/security-scan.yml new file mode 100644 index 0000000..e8fa59c --- /dev/null +++ b/.github/security-scan.yml 
@@ -0,0 +1,40 @@ +# this is security scan for secrets +name: TruffleHog + +on: + push: + branches: + - main + pull_request: + +permissions: + contents: read + id-token: write + issues: write + pull-requests: write + +jobs: + TruffleHog: + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - name: Checkout code + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: TruffleHog OSS + id: trufflehog + uses: trufflesecurity/trufflehog@main + continue-on-error: true + with: + path: ./ + base: "${{ github.event.repository.default_branch }}" + head: HEAD + extra_args: --debug + + - name: Scan Results Status + if: steps.trufflehog.outcome == 'failure' + run: exit 1 From e67c72a030c256c0e1ed0b5d7a7d6671ac6a4974 Mon Sep 17 00:00:00 2001 From: Twenty4 <32916274+Imambash6@users.noreply.github.com> Date: Sun, 10 Aug 2025 22:48:52 +0100 Subject: [PATCH 5/9] Delete .github/workflows.yml --- .github/workflows.yml | 1 - 1 file changed, 1 deletion(-) delete mode 100644 .github/workflows.yml diff --git a/.github/workflows.yml b/.github/workflows.yml deleted file mode 100644 index 8b13789..0000000 --- a/.github/workflows.yml +++ /dev/null @@ -1 +0,0 @@ - From 2f502b49fe5480bce6c73879cef901190bd2984e Mon Sep 17 00:00:00 2001 From: Twenty4 <32916274+Imambash6@users.noreply.github.com> Date: Sun, 10 Aug 2025 22:49:25 +0100 Subject: [PATCH 6/9] Rename .github/security-scan.yml to .github/workflows/security-scan.yml --- .github/{ => workflows}/security-scan.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/{ => workflows}/security-scan.yml (100%) diff --git a/.github/security-scan.yml b/.github/workflows/security-scan.yml similarity index 100% rename from .github/security-scan.yml rename to .github/workflows/security-scan.yml From 9b49eaf86f47703cd0e8519cb6bf209a282d62a6 Mon Sep 17 00:00:00 2001 
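Review bot: The scanner step is pinned to a mutable branch, `uses: trufflesecurity/trufflehog@main`, so each run executes whatever that branch holds at the time; for a workflow whose job is to find leaked secrets that is the one dependency worth pinning, `uses: trufflesecurity/trufflehog@<release-tag-or-commit-sha>` (placeholder; pick a release and record it). The `permissions` block grants `id-token: write`, `issues: write` and `pull-requests: write` although nothing in this job opens issues, comments on PRs or requests an OIDC token, so `contents: read` alone covers the checkout and scan. On a `push` to `main` the inputs `base: "${{ github.event.repository.default_branch }}"` and `head: HEAD` appear to resolve to the same commit, which would leave the action nothing to diff; it is probably worth giving the push case a different base (for example the previous commit of the push event) or omitting `base` there.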
From: Twenty4 <32916274+Imambash6@users.noreply.github.com> Date: Sun, 10 Aug 2025 22:51:58 +0100 Subject: [PATCH 7/9] Rename security-scan.yml to trufflehog.yml.yml --- .github/workflows/{security-scan.yml => trufflehog.yml.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{security-scan.yml => trufflehog.yml.yml} (100%) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/trufflehog.yml.yml similarity index 100% rename from .github/workflows/security-scan.yml rename to .github/workflows/trufflehog.yml.yml From 1f78573d11d57f112f8e955e97c5dc0d12b78180 Mon Sep 17 00:00:00 2001 From: Twenty4 <32916274+Imambash6@users.noreply.github.com> Date: Sun, 10 Aug 2025 23:06:48 +0100 Subject: [PATCH 8/9] Update trufflehog.yml.yml --- .github/workflows/trufflehog.yml.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/trufflehog.yml.yml b/.github/workflows/trufflehog.yml.yml index e8fa59c..1e49d08 100644 --- a/.github/workflows/trufflehog.yml.yml +++ b/.github/workflows/trufflehog.yml.yml @@ -28,7 +28,6 @@ jobs: - name: TruffleHog OSS id: trufflehog uses: trufflesecurity/trufflehog@main - continue-on-error: true with: path: ./ base: "${{ github.event.repository.default_branch }}" From fbd910e7f3bf2433d8849d437ace4602572bebe1 Mon Sep 17 00:00:00 2001 From: Twenty4 <32916274+Imambash6@users.noreply.github.com> Date: Sun, 10 Aug 2025 23:12:41 +0100 Subject: [PATCH 9/9] Update trufflehog.yml.yml --- .github/workflows/trufflehog.yml.yml | 59 +++++++++++++++++++++++----- 1 file changed, 49 insertions(+), 10 deletions(-) diff --git a/.github/workflows/trufflehog.yml.yml b/.github/workflows/trufflehog.yml.yml index 1e49d08..08d83a9 100644 --- a/.github/workflows/trufflehog.yml.yml +++ b/.github/workflows/trufflehog.yml.yml @@ -1,4 +1,4 @@ -# this is security scan for secrets +# Security scan for secrets using TruffleHog name: TruffleHog on: 
@@ -14,26 +14,65 @@ permissions: pull-requests: write jobs: - TruffleHog: + trufflehog: runs-on: ubuntu-latest defaults: run: shell: bash steps: + # 1. Checkout the code - name: Checkout code uses: actions/checkout@v3 with: fetch-depth: 0 + # 2. Determine scan scope + - name: Set scan path + id: scan_path + run: | + if [ "${{ github.event_name }}" = "pull_request" ]; then + CHANGED_FILES=$(git diff --name-only origin/${{ github.event.repository.default_branch }} HEAD | tr '\n' ' ') + echo "PATHS=$CHANGED_FILES" >> $GITHUB_ENV + else + echo "PATHS=./" >> $GITHUB_ENV + fi + + # 3. Run TruffleHog scan - name: TruffleHog OSS id: trufflehog - uses: trufflesecurity/trufflehog@main + run: | + trufflesecurity/trufflehog@main \ + --path "${{ env.PATHS }}" \ + --base "${{ github.event.repository.default_branch }}" \ + --head HEAD \ + --json --debug > trufflehog.json + + # 4. Post results to PR (only runs for pull requests) + - name: Post results to PR + if: github.event_name == 'pull_request' + uses: actions/github-script@v7 with: - path: ./ - base: "${{ github.event.repository.default_branch }}" - head: HEAD - extra_args: --debug + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const fs = require('fs'); + const results = fs.readFileSync('trufflehog.json', 'utf8').trim(); + const body = results.length > 0 + ? `🔍 **TruffleHog scan results:**\n\`\`\`json\n${results}\n\`\`\`` + : '✅ No secrets found by TruffleHog.'; + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body + }); - - name: Scan Results Status - if: steps.trufflehog.outcome == 'failure' - run: exit 1 + # 5. Fail the build if secrets were found + - name: Fail if secrets found + run: | + if [ -s trufflehog.json ]; then + echo "❌ Secrets found!" + cat trufflehog.json + exit 1 + else + echo "✅ No secrets found." + fi
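Review bot: Step 3 now runs `trufflesecurity/trufflehog@main \` inside a `run:` block, but that string is an action reference rather than a program installed on the runner, so bash reports it as not found and the job stops before any scanning, and `--path`, `--base` and `--head` are the action's input names rather than, as far as I can tell, flags of the CLI. The earlier `uses: trufflesecurity/trufflehog@main` form with its `path`/`base`/`head` inputs (pinned to a release) kept the scanner's own base/head handling, and the later steps can be gated on `steps.trufflehog.outcome` instead of on a file. In step 2 and step 3, `${{ env.PATHS }}` and `origin/${{ github.event.repository.default_branch }}` are spliced into the script text at expression-expansion time, so file names chosen by a PR author become part of the command line; reading the value as a shell variable, `--path "$PATHS"`, keeps it data rather than code. Step 4 posts `trufflehog.json` verbatim into a PR comment, and TruffleHog's JSON findings include the matched text itself, so a positive hit would be republished in the comment; post only the detector name and file location (or a count) and keep the full report as a restricted artifact.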