Re: [tractusx-dev] [Trufflehog Update]: Mandatory secret scanning tool update
  • From: "Hauer Maximilian, FG-222" <Maximilian.Hauer@xxxxxx>
  • Date: Wed, 18 Sep 2024 18:19:13 +0000
  • Delivered-to: tractusx-dev@xxxxxxxxxxx
  • List-archive: <https://www.eclipse.org/mailman/private/tractusx-dev/>
  • List-help: <mailto:tractusx-dev-request@eclipse.org?subject=help>
  • List-subscribe: <https://www.eclipse.org/mailman/listinfo/tractusx-dev>, <mailto:tractusx-dev-request@eclipse.org?subject=subscribe>
  • List-unsubscribe: <https://www.eclipse.org/mailman/options/tractusx-dev>, <mailto:tractusx-dev-request@eclipse.org?subject=unsubscribe>
  • Thread-topic: [Trufflehog Update]: Mandatory secret scanning tool update

like Hauer Maximilian, FG-222 reacted to your message:

From: tractusx-dev <tractusx-dev-bounces@xxxxxxxxxxx> on behalf of Brunkow Moser, Mathias via tractusx-dev <tractusx-dev@xxxxxxxxxxx>
Sent: Wednesday, September 18, 2024 4:33:56 PM
To: tractusx developer discussions <tractusx-dev@xxxxxxxxxxx>
Cc: Brunkow Moser, Mathias <mathias.brunkowmoser@xxxxxxx>
Subject: [tractusx-dev] [Trufflehog Update]: Mandatory secret scanning tool update
 


Classification: Public


Hi Developers!

 

I have created an issue at our sig-security repository for tracking the Trufflehog Update on all the repositories from our organization.

 

Main Issue: https://github.com/eclipse-tractusx/sig-security/issues/86

 

The GitGuardian secret scanning tool licence is now going to expire; therefore, in order to maintain the security of the Tractus-X repositories, [TRG-8.03](https://eclipse-tractusx.github.io/docs/release/trg-8/trg-8-03) will be enforced for all Tractus-X repos.

 

Before, with GitGuardian, the functionality was included by default in all the PRs at all the repositories.

So now, in order to keep the secret scanning functionality, it is required to add a workflow, so that before PRs are merged they will be scanned for any API secrets, passwords, etc., preventing you from publishing important secrets into the open source repo `main` branch.

Remember: we are all humans and these secret scanning tools can save us from making huge mistakes 😉

 

You probably also saw that I created an issue in all these repositories to track the updates:

 

eclipse-tractusx/eclipse-tractusx.github.io

eclipse-tractusx/.eclipsefdn

eclipse-tractusx/api-hub

eclipse-tractusx/charts

eclipse-tractusx/sig-release

eclipse-tractusx/portal-shared-components

eclipse-tractusx/tutorial-resources

eclipse-tractusx/tractusx-edc-template

eclipse-tractusx/bpn-did-resolution-service

eclipse-tractusx/sldt-semantic-models

eclipse-tractusx/knowledge-agents-aas-bridge

eclipse-tractusx/managed-simple-data-exchanger-frontend

eclipse-tractusx/traceability-foss

eclipse-tractusx/managed-identity-wallet

eclipse-tractusx/item-relationship-service

eclipse-tractusx/sd-factory

eclipse-tractusx/data-exchange-test-service

eclipse-tractusx/knowledge-agents

eclipse-tractusx/knowledge-agents-edc

eclipse-tractusx/tractus-x-umbrella

eclipse-tractusx/vas-country-risk

eclipse-tractusx/sldt-ontology-model

eclipse-tractusx/sig-security

eclipse-tractusx/tractus-x-release

eclipse-tractusx/managed-simple-data-exchanger-backend

eclipse-tractusx/sig-infra

eclipse-tractusx/managed-simple-data-exchanger

eclipse-tractusx/.github

eclipse-tractusx/SSI-agent-lib

eclipse-tractusx/eclipse-tractusx.github.io.largefiles

eclipse-tractusx/testdata-provider

eclipse-tractusx/tractusx-profiles

eclipse-tractusx/app-dashboard

 

For finding which repositories do not have the file, I have used two cool scripts I have developed and added to the sig-infra repository.

Sig-Infra PR: https://github.com/eclipse-tractusx/sig-infra/pull/545 (Your Feedback and Review are welcome!)

 

Now we can search for multiple files in all the repositories from our organization (which are not archived) and also, from a list of repositories, create an issue for those repos 😊

 

Remember: all the committers are responsible for the security of the organization, let's make an effort together to keep Eclipse Tractus-X a safe and secure dataspace 😉

 

Feel free to ask us committers and project leads in the next office hour if you have any problems performing the update!

 

Kind Regards,

 

 

Mathias Brunkow Moser – Tractus-X Project Lead

 

 

 

 

Mathias Brunkow Moser | Lead Consultant

Software Engineering | Software Architecture | Cybersecurity
CGI Deutschland B.V. & Co. KG
| Catena-X

70467 Stuttgart | Leitzstraße, 45 | Germany

mathias.brunkowmoser@xxxxxxx | LinkedIn | www.cgi.com/de

 

 

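The kind of pull-request workflow the message asks each repository to add, as an added example that is not part of the original mail, the sig-infra PR, or the TRG-8.03 text. It uses the public `trufflesecurity/trufflehog` GitHub Action; the file path, the trigger set and the `--results=verified,unknown` filter are assumptions for illustration, and the exact file name and options that the Tractus-X checks look for should be taken from TRG-8.03 itself.

```yaml
# Assumed location: .github/workflows/trufflehog.yml (check TRG-8.03 for the required name).
# Added example, not the project's own workflow.
name: TruffleHog secret scan

on:
  pull_request:          # scan every PR before it can be merged
  push:
    branches: [main]     # and catch anything that still lands on main

permissions:
  contents: read         # read-only token: the scan needs nothing more

jobs:
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout full history
        uses: actions/checkout@v4
        with:
          # TruffleHog scans the commit range, so a shallow clone would
          # leave it with nothing to diff against.
          fetch-depth: 0

      - name: Scan for secrets
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # Assumption: report only findings whose validity TruffleHog could
          # verify against the issuer or could not determine, so that a failing
          # check points at a live or plausible credential rather than noise.
          extra_args: --results=verified,unknown
```

The step fails the check when a finding is reported, which is what makes the scan a merge gate rather than an advisory log line; to enforce it, the workflow's check name should also be added to the `main` branch protection rules as a required status check. A finding that turns out to be a placeholder or test fixture is best excluded through TruffleHog's own exclusion options rather than by weakening the result filter.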

 

