Closed paulodiovani closed 2 years ago
Why do you require adding an npm script and having the workflow run `npm run tartufo`, if tartufo is a Python tool?
I know it is Python; that doesn't forbid including it in a workflow.
Of course, the change must include instructions on how to install tartufo.
There are several options to install it (system-wide with pip, docker, pipenv, requirements.txt...).
I generally prefer to use pipenv, but any of them will work.
But why require that it be run as an npm script?
If I make a GitHub workflow that installs tartufo and runs it, would that be OK for this issue?
@iridacea oh, the npm script is just to make it easier to run in a local environment. If it only runs on GH Actions, one might not be able to run it locally for testing.
The npm script can be really simple; it does not need to install it. It can be as simple as:
"tartufo": "tartufo scan-local-repo .",
plus the instructions/links to install tartufo in the README.
Note: neither requirements.txt nor pipenv is required; a link in the README to install tartufo on the machine is enough.
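As an added example (not code from this issue or from the marvin-cm42 repository): a GitHub Actions workflow that installs tartufo with pip and then runs the same npm script discussed above, so CI and local runs invoke the identical command. The workflow name, job name, and action versions are my own choices.

```yaml
# .github/workflows/tartufo.yml (hypothetical file name)
# Runs the secret scan on every push and pull request.
name: Secret scan (tartufo)

on:
  push:
  pull_request:

jobs:
  tartufo:
    runs-on: ubuntu-latest
    steps:
      # Full history is needed so tartufo can inspect past commits,
      # not only the checked-out tree.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # tartufo is a Python tool, so Python is installed first.
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      # System-wide install with pip, one of the options mentioned in the thread.
      - name: Install tartufo
        run: pip install tartufo

      # Node is only needed to run the npm script wrapper from package.json,
      # e.g. "tartufo": "tartufo scan-local-repo ."
      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # A non-zero exit code from tartufo fails the job, which is what
      # makes this usable as a required status check.
      - name: Scan repository for secrets
        run: npm run tartufo
```

Locally, the same scan is `pip install tartufo` followed by `npm run tartufo`, matching the README instructions the thread asks for.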
Is this issue still open? Can I pick this up?
@devcer I was going to take this, but if you can make it better and quicker, I don't mind.
@paulodiovani I have submitted a PR for this - https://github.com/Codeminer42/marvin-cm42/pull/22/files
Didn't know tartufo had an npm package until today! Thanks for teaching. xD
Tartufo is a tool that searches repositories for included secrets.
npm run tartufo
Notify @paulodiovani to mark the status check as required.