-
Notifications
You must be signed in to change notification settings - Fork 0
/
.talismanrc
43 lines (41 loc) · 2.32 KB
/
.talismanrc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
scopeconfig:
- scope: node # ignore e.g. package-lock.json
fileignoreconfig:
- filename: lefthook.yml
checksum: 8168972ed7d27ebebc6e2c33243fad92abe4f859f3bd2edb0c3b171940cac0ec
- filename: prod.Dockerfile
checksum: e5d917f821d4d467ad4bcc77e165fb986971daeac4355adc0b60a758c69bf396
- filename: nginx.conf
checksum: 2f9c9124d8dfb11c9d7b4ce360b266d6fc26a47fbc99782bb82cf1b57ef292c4
- filename: frontend/env.d.ts
checksum: fa217d4a34afcd967e6c35b10e139cd5c52711e41c190f477576441081b5cf99
- filename: LICENSE
checksum: 00de5fa1aad2fcb968beb5d1bbf09931fc9d3f160f11b945b24f3203ea025917
allowed_patterns:
# allow these specific patterns that include hex encoded text
- "uses: aquasecurity/trivy-action@cf990b19d84bbbe1eb8833659989a7c1029132e3"
- "uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf"
- "uses: digitalservicebund/setup-sonarscanner@3ade23691f865c02dce6b46452947a0e7944196e"
- "uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb"
- "uses: sonarsource/sonarqube-quality-gate-action@424137db1fae80e9eb279829995166f2f44bc8df"
- "uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0"
- "uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0"
- "uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59"
- "uses: chainguard-dev/actions/setup-gitsign@94389dc7faf4ef9040df90498419535e1bdcb60e"
- "uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412"
- "uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a"
- "dsn: 'https://[email protected]/4508482613084160'"
# allow these specific patterns with the term "secret"
- secrets-scan-with-talisman
- "secrets: inherit"
- "SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}"
- "# scan for secrets that were published by mistake"
- "password: \\$\\{\\{ secrets.GITHUB_TOKEN \\}\\}"
- "argocd_pipeline_password: \\$\\{\\{ secrets.ARGOCD_PIPELINE_PASSWORD \\}\\}"
# allow these specific patterns with the term "key"
- "key: modules-"
- "key:.+runner.os"
- "key[s]?: docker-frontend-images-cache"
- "key: npm-cache"
- "sonar.projectKey=digitalservicebund_ris-adm-vwv"
- "deploy_key: \\$\\{\\{ secrets.DEPLOY_KEY \\}\\}"