Codeminer42 / marvin-cm42

Marvin is a chatbot built on the Hubot framework and used to help communication at Codeminer 42.
MIT License

Add tartufo through Github Actions #3

Closed paulodiovani closed 2 years ago

paulodiovani commented 2 years ago

Tartufo is a tool that searches repositories for included secrets.

Notify @paulodiovani to mark the status check as required.

iridacea commented 2 years ago

Why do you require adding an npm script and the workflow running `npm run tartufo`, if tartufo is a Python tool?

paulodiovani commented 2 years ago

I know it is Python; this doesn't forbid including it in a workflow.

Of course, the change must include instructions on how to install tartufo. There are several options to install (system-wide with pip, docker, pipenv, requirements.txt...). I generally prefer to use pipenv, but either one will work.

iridacea commented 2 years ago

But why require that it should be run as an npm script? If I make a GitHub workflow which would install tartufo and run it, would that be OK for this issue?

paulodiovani commented 2 years ago

@iridacea oh, the npm script is just to make it easier to run in a local environment. If it only runs on GH Actions, one might not be able to run it locally for testing.

The npm script can be really simple; it does not need to install it. It can be just:

  "tartufo": "tartufo scan-local-repo .",

plus the instructions/links to install tartufo in the README.

Note: neither requirements.txt nor pipenv is required; a link in the README to install tartufo on the machine is enough.
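A GitHub Actions workflow that installs tartufo with pip and runs the same `tartufo scan-local-repo .` command as the npm script, so local and CI runs agree. This is an added example, not the project's workflow or the PR linked later in the thread; the file path, workflow name, branch name and action versions are assumptions. The `fetch-depth: 0` setting matters: tartufo walks commit history, and the default shallow checkout would leave older commits, where a leaked secret is most likely to sit, unscanned.

```yaml
# Added example: .github/workflows/tartufo.yml (hypothetical path, not the project's own file)
name: tartufo

on:
  pull_request:
  push:
    branches: [main]   # assumed default branch

jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Full history: tartufo scans past commits, and a shallow clone
          # would hide secrets committed (and later "removed") earlier on
          fetch-depth: 0

      - uses: actions/setup-python@v4
        with:
          python-version: "3.x"

      - name: Install tartufo
        # Pin a version here once the team has settled on one,
        # so CI results stay reproducible
        run: pip install tartufo

      - name: Scan repository history for secrets
        # Same command as the npm script, so a developer can reproduce
        # a CI failure locally with `npm run tartufo`
        run: tartufo scan-local-repo .
```

A non-zero exit from tartufo fails the job, which is what makes the status check usable as a required check on pull requests.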

devcer commented 2 years ago

Is this issue still open? Can I pick this up?

iridacea commented 2 years ago

@devcer I was going to take this, but if you can make it better and quicker, I don't mind.

devcer commented 2 years ago

@paulodiovani I have submitted a PR for this - https://github.com/Codeminer42/marvin-cm42/pull/22/files

Didn't know tartufo had an npm package until today! Thanks for teaching. xD