@abinash2512 - want to take this one on?

@abinash2512 - I've updated the scope of this ticket to include:

1. Running TruffleHog as a pull request check on our GitHub repository, via GitHub Actions
2. Assess code pushed through Git Proxy for secrets using TruffleHog as a new push processor

@maoo - after our community discussion today, we recognised that TruffleHog uses the AGPL-3.0 license. Do you think this would be a problem running it as a status check when pull requests are opened?

@coopernetes mentioned that running it as an embeddable plugin or assessment layer in Git Proxy itself may be problematic but wanted to see what you think about running it as a GitHub Action?

@maoo - after our community discussion today, we recognised that TruffleHog uses the AGPL-3.0 license. Do you think this would be a problem running it as a status check when pull requests are opened?

Yes, I believe so; there are actually 2 things that concern me:

• The "GPL" part of it, which would force all our derived code (eg, a GitProxy plugin that uses TruffleHog) to be released as GPL; assuming we would build the code based on the 2.x architecture, we could host the plugin as a separate FINOS project, and release it as GPL, though I'm not sure if you would be able to run it on your end
• The "A" part, which could affect the license of GitProxy

I can seek legal advice, though it could take some time.

@coopernetes mentioned that running it as an embeddable plugin or assessment layer in Git Proxy itself may be problematic but wanted to see what you think about running it as a GitHub Action?

I think that leaked credentials is a crucial use case for GitProxy, and we should provide it as a plugin that adheres to the GitProxy 2.x architecture.

I also think that we should consider evaluating TruffleHog alternatives; from a quick seach I found https://github.com/GitGuardian , but I'm sure there are way more.

@maoo - I've spoken with @tt-gideonaryeetey and @divinetettey today about running a design jam for us to come up with new plugin and push protection ideas. I will close this ticket in the meantime as it looks like we would have issues with the license here. I will follow up with an e-mail to our contributors to schedule a 1-2 hour session.

I will close this ticket in the meantime as it looks like we would have issues with the license here.

I asked the TruffleHog team for clarification or a potential resolution regarding the licensing. Unfortunately, I didn't receive a response.

I will follow up with an e-mail to our contributors to schedule a 1-2 hour session.

Can I be included in this session?

@rgmz - absolutely! 💯