feat: allow trufflehog false positive (#27)

* feat: allow trufflehog false positive * Update reusable-build-test-release.yml Co-authored-by: kkania-splunk <[email protected]>
splunk · Feb 22, 2022 · 891c8de · 891c8de
1 parent dbafad1
commit 891c8de
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml
@@ -152,14 +152,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
+        if: github.event_name != 'pull_request'
+        uses: actions/checkout@v2
+        with:
+          submodules: false
+          fetch-depth: "0"
+      - name: Checkout for PR
+        if: github.event_name == 'pull_request'
         uses: actions/checkout@v2
         with:
           submodules: false
           fetch-depth: "0"
+          ref: ${{ github.head_ref }}
       - name: Trufflehog Actions Scan
-        uses: edplato/trufflehog-actions-scan@v0.9j-beta
+        uses: edplato/trufflehog-actions-scan@v0.9l-beta
         with:
-          scanArguments: "--max_dept 50 -x .github/workflows/exclude-patterns.txt"
+          scanArguments: "--max_dept 50 -x .github/workflows/exclude-patterns.txt --allow .github/workflows/trufflehog-false-positive.json"
 
   semgrep:
     runs-on: ubuntu-latest