From 4a1c597fb0813dd68db6d21db75063a9f4d3e1c0 Mon Sep 17 00:00:00 2001
From: Ryan
Date: Thu, 1 Feb 2024 17:26:40 -0500
Subject: [PATCH 1/2] added secrets scanning to pre-commit
---
.github/workflows/secrets-scan.yml | 2 +-
.pre-commit-config.yaml | 7 +++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
index b1367cc..ba60f9f 100644
--- a/.github/workflows/secrets-scan.yml
+++ b/.github/workflows/secrets-scan.yml
@@ -10,7 +10,7 @@ jobs:
uses: actions/checkout@v4
- name: Scan for secrets
id: scan
- uses: IQTLabs/workflows/secret-scan
+ uses: IQTLabs/workflows/secret-scan@main

- name: Fail if found
if: steps.scan.outputs.verified-secrets != 0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2214211..7fb02ef 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -25,3 +25,10 @@ repos:
rev: v1.1.327
hooks:
- id: pyright
+ - repo: local
+ hooks:
+ - id: trufflehog
+ name: trufflehog
+ entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail'
+ language: system
+ stages: ["commit", "push"]
From 3eecee858a31dd0fd2031a86ec58ef1a5dee69e9 Mon Sep 17 00:00:00 2001
From: Ryan
Date: Thu, 1 Feb 2024 17:32:08 -0500
Subject: [PATCH 2/2] let underlying action failure passthrough
---
.github/workflows/secrets-scan.yml | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
index ba60f9f..b6a0898 100644
--- a/.github/workflows/secrets-scan.yml
+++ b/.github/workflows/secrets-scan.yml
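Review bot: `uses: IQTLabs/workflows/secret-scan@main` pins the secret-scan action to a moving branch, so whatever lands on that repository's `main` runs inside this job with whatever permissions the job has, and the scan's behaviour can change without any commit here. Pin it to a full commit SHA and keep the human-readable tag in a trailing comment, e.g. `uses: IQTLabs/workflows/secret-scan@<commit-sha-placeholder>  # <version-tag-placeholder>`, and let an automated updater move the SHA. The enclosing `jobs:` block and the `steps:` list start before this hunk.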
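Review bot: The new pre-commit hook's `entry` runs `trufflesecurity/trufflehog:latest`, so the scanner that gates every commit is itself an unpinned image whose contents can change under each developer, and the same command passes `--rm` twice. Pin a tag or digest and drop the duplicate: `entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i trufflesecurity/trufflehog:<PINNED_VERSION_PLACEHOLDER> git file:///workdir --since-commit HEAD --only-verified --fail'`. `--only-verified` means unverified findings never block a commit; that matches the CI step's `verified-secrets` check but deserves a comment above the hook, e.g. `# Only verified secrets fail the hook (--only-verified); unverified findings are not surfaced here`. Newer pre-commit releases spell the stage names `pre-commit`/`pre-push` and warn on the legacy `commit`/`push` in `stages: ["commit", "push"]`, so it is worth checking against the pre-commit version the team uses.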
@@ -11,12 +11,3 @@ jobs: - name: Scan for secrets id: scan uses: IQTLabs/workflows/secret-scan@main - - - name: Fail if found - if: steps.scan.outputs.verified-secrets != 0 - uses: actions/github-script@v6 - with: - script: | - core.info(`Number of verified secrets: ${{steps.scan.outputs.verified-secrets}}`) - core.info(`Number of unverified secrets: ${{steps.scan.outputs.unverified-secrets}}`) - core.setFailed('Secrets found. Please check the uploaded report')
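Review bot: With the `Fail if found` step removed, the job's outcome now rests entirely on whether `IQTLabs/workflows/secret-scan@main` exits non-zero on verified findings; that action is not visible here, and if it only reports counts through outputs the workflow will go green on secrets it found. Confirm the action's failure behaviour before merging and record the assumption above the step, e.g. `# secret-scan fails the job itself on verified findings; no separate gate step`. The `id: scan` on the remaining step has no consumer after this hunk, so it can be dropped or kept deliberately for a future gate. The `jobs:` block and `steps:` list begin outside the hunk.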