From c650765f7ca11ca6bf2c785d7f92cf7ee5e3e067 Mon Sep 17 00:00:00 2001 From: "lbt-commit-signing[bot]" <142540056+lbt-commit-signing[bot]@users.noreply.github.com> Date: Fri, 9 Feb 2024 17:32:15 +0000 Subject: [PATCH] chore: Replace trufflehog scan workflow with security checks workflow
---
 .github/workflows/security-checks.yml | 20 +++++
 .github/workflows/trufflehog-scan.yml | 101 --------------------------
 2 files changed, 20 insertions(+), 101 deletions(-)
 create mode 100644 .github/workflows/security-checks.yml
 delete mode 100644 .github/workflows/trufflehog-scan.yml
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
new file mode 100644
index 0000000..b169674
--- /dev/null
+++ b/.github/workflows/security-checks.yml
@@ -0,0 +1,20 @@
+name: Security Checks
+
+on: pull_request
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ Security-Checks:
+ name: Security Checks
+ uses: ncino/security-checks/.github/workflows/security-checks.yml@v1
+ with:
+ trufflehog_run: true
+ trufflehog_ignore_list: >-
+ spec/lib/ncino.zip,
+ src/LLC_BI/main/default/staticresources/llc_web_ui/LiveEditor/scripts/common/webimage.htm,
+ src/staticresources/llc_web_ui.resource,
+ staticresources/llc_web_ui.resource
+ secrets: inherit
diff --git a/.github/workflows/trufflehog-scan.yml b/.github/workflows/trufflehog-scan.yml
deleted file mode 100644
index e8939db..0000000
--- a/.github/workflows/trufflehog-scan.yml
+++ /dev/null
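Review bot: The `uses:` line in the new security-checks.yml references the reusable workflow by the mutable tag `@v1` while the closing `secrets: inherit` hands that workflow every secret the calling repository can see, so anyone able to move the `v1` tag in `ncino/security-checks` effectively receives those secrets; the deleted workflow pinned all three actions to full commit SHAs and the trufflehog image to `3.63.2`, so this is a step back in supply-chain posture. Pin to the full commit SHA of the v1 release and keep the tag as a comment, e.g. `uses: ncino/security-checks/.github/workflows/security-checks.yml@<commit-sha> # v1`, and if the reusable workflow declares which secrets it needs, pass only those under `secrets:` by name instead of `inherit`. Separately, the removed job skipped `dependabot[bot]` PRs, which run with a restricted secrets context; the new caller has no such guard, so confirm the shared workflow tolerates that case or add `if: github.actor != 'dependabot[bot]'` on the job. A short comment above `trufflehog_ignore_list`, e.g. `# Paths exempt from secret scanning (presumably known false positives) — justify before adding more.`, would keep the allowlist from growing silently, and note that the folded `>-` scalar yields one line with a space after each comma, which the called workflow must trim.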
@@ -1,101 +0,0 @@ -name: Secrets Scanner - -on: pull_request - -permissions: - contents: read - pull-requests: write - -jobs: - TruffleHog: - runs-on: ubuntu-latest - if: ${{ github.actor != 'dependabot[bot]' }} - container: - image: trufflesecurity/trufflehog:3.63.2 - env: - BASE_REF: ${{ github.base_ref }} - HEAD_REF: ${{ github.head_ref }} - steps: - - name: Checkout code - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 - with: - fetch-depth: 0 - - - name: Get first commit - id: getFirstCommit - shell: bash - run: | - REPO_NAME=$(echo "$GITHUB_REPOSITORY" | cut -d "/" -f 2) - git config --global --add safe.directory /__w/"$REPO_NAME"/"$REPO_NAME" - FIRST_COMMIT=$(git rev-parse origin/"$BASE_REF") - echo "FIRST_COMMIT=$FIRST_COMMIT" >> $GITHUB_ENV - - - name: Trufflehog - id: trufflehog - run: | - TRUFFLEHOG_OUTPUT="" - capturefile=false - captureline=false - for finding in $(trufflehog git file://. --since-commit $FIRST_COMMIT --branch $HEAD_REF --only-verified); do - if [[ $capturefile == true ]] && [[ -z "$TRUFFLEHOG_OUTPUT" ]]; then - TRUFFLEHOG_OUTPUT="> - $finding" - elif [[ $capturefile == true ]] && [[ -n "$TRUFFLEHOG_OUTPUT" ]]; then - TRUFFLEHOG_OUTPUT="$TRUFFLEHOG_OUTPUT\n> - $finding" - fi - if [[ $captureline == true ]]; then - TRUFFLEHOG_OUTPUT="$TRUFFLEHOG_OUTPUT\#$finding" - fi - capturefile=false - captureline=false - if [[ "$finding" == "File:"* ]]; then - capturefile=true - elif [[ "$finding" == "Line:"* ]]; then - captureline=true - fi - done - echo "TRUFFLEHOG_OUTPUT=$TRUFFLEHOG_OUTPUT" >> $GITHUB_ENV - - - name: Comment on PR - if: env.TRUFFLEHOG_OUTPUT != '' - id: comment - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 - with: - github-token: ${{ secrets.BOBBY_TABLES_PAT }} - script: | - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body:`> [!WARNING] - \*\*TruffleHog has detected verified secrets in the following 
files:\*\* - \> - ${{ env.TRUFFLEHOG_OUTPUT }} - \> - \> _This pull request will remain blocked to prevent secrets from being merged in. Please contact @ncino/product-security or join [#help-product-security](https://ncino.slack.com/archives/C02G4R09NUU) for assistance._` - }) - - - name: Send output to Slack if not empty - if: env.TRUFFLEHOG_OUTPUT != '' - id: slack - uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 - with: - payload: | - { - "text": "Trufflehog Alert: \n${{ github.event.pull_request.html_url || github.event.head_commit.url }}", - "blocks": [ - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "Trufflehog Alert: ${{ github.event.pull_request.html_url || github.event.head_commit.url }}" - } - } - ] - } - env: - SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK - SLACK_WEBHOOK_URL: ${{ secrets.TRUFFLEHOG_SLACK_WEBHOOK }} - - - name: Fail on Trufflehog findings - if: env.TRUFFLEHOG_OUTPUT != '' - run: exit 1