Sanitize all linter outputs by default

.automation/build.py

@@ -2887,8 +2887,8 @@ def collect_linter_previews():
                 logging.error(str(e))
             if title is not None:
                 item = {
-                    "title": megalinter.utils.decode_utf8(title),
-                    "description": megalinter.utils.decode_utf8(description),
+                    "title": megalinter.utils.clean_string(title),
+                    "description": megalinter.utils.clean_string(description),
                     "image": image,
                 }
                 data[linter.linter_name] = item
@@ -3378,7 +3378,7 @@ def reformat_markdown_tables():
         shell=True,
         executable=None if sys.platform == "win32" else which("bash"),
     )
-    stdout = utils.decode_utf8(process.stdout)
+    stdout = utils.clean_string(process.stdout)
     logging.info(f"Format table results: ({process.returncode})\n" + stdout)
 
 

.cspell.json

@@ -20,6 +20,7 @@
         ".lycheeignore"
     ],
     "ignoreWords": [
+        "AKIAIOSFODNN",
         "ARGTOP",
         "AROA47DSWDEZA3",
         "ASPM",
@@ -1500,6 +1501,7 @@
         "trivyignore",
         "trollface",
         "trufflehog",
+        "trufflehogignore",
         "trufflesecurity",
         "tsql",
         "tsqllint",

.mega-linter.yml

@@ -26,7 +26,6 @@ DISABLE_ERRORS_LINTERS:
   - REPOSITORY_DEVSKIM
   - REPOSITORY_GRYPE
   - REPOSITORY_SEMGREP
-  - REPOSITORY_TRUFFLEHOG
   - SPELL_LYCHEE
 PRINT_ALL_FILES: false
 FILTER_REGEX_EXCLUDE: '(\.automation/test|\.automation/generated|\.venv|\.github/workflows|docs/javascripts|docs/overrides|docs/json-schemas|flavors|clj-kondo|TEMPLATES)'
@@ -46,6 +45,8 @@ REPOSITORY_TRIVY_ARGUMENTS:
   - ".automation/test"
   - "--skip-dirs"
   - ".venv"
+REPOSITORY_TRUFFLEHOG_ARGUMENTS:
+  - --exclude-paths=.trufflehogignore
 SHOW_ELAPSED_TIME: true
 FLAVOR_SUGGESTIONS: false
 EMAIL_REPORTER: false

.secretlintignore

@@ -1,2 +1,3 @@
 .automation/test
-megalinter-reports
+**/tests/test_megalinter/utils_test.py
+**/updated_dev_sources/**

.trufflehogignore

@@ -0,0 +1,2 @@
+.git/
+.automation/test/gitleaks/bad

CHANGELOG.md

@@ -19,8 +19,10 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
 
 - Linters enhancements
   - [editorconfig_checker](https://megalinter.io/latest/descriptors/editorconfig_editorconfig_checker/) Changes default EditorConfig-Checker config filename by @llaville in <https://github.com/oxsecurity/megalinter/issues/5061>
+  - [TruffleHog](https://megalinter.io/latest/descriptors/repository_trufflehog/): Ignore .git by default if not already done using --exclude-paths option
 
 - Fixes
+  - Sanitize all linter outputs by default
 
 - Reporters
 

README.md

@@ -1132,11 +1132,11 @@ You may see **github permission errors**, or workflows not run on the new commit
 To solve these issues, you can apply one of the following solutions.
 
 - Method 1: The most secured
-  - [Create Fine Grained Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-fine-grained-personal-access-token), scoped only on your repository and then copy the PAT value
+  - [Create Fine Grained Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-fine-grained-personal-access-token), scoped only on your repository and with **Contents: Read/Write** and then copy the PAT value
   - [Define environment secret variable](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-an-environment) named **PAT** on your repository, and paste the PAT value
   - Update your Github Actions Workflow to add the environment name
 
-- Method 2: Easier, but any contributor with write access can see your Personal Access Token
+- Method 2: Easier, but any contributor with write access can see your Personal Access Token, so use it only on private repositories.
   - [Create Classic Personal Access Token](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token#creating-a-token), then copy the PAT value
   - [Define secret variable](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository) named **PAT** on your repository, and paste the PAT value
 

TEMPLATES/.trufflehogignore

@@ -0,0 +1 @@
+.git/

megalinter/Linter.py

@@ -1059,7 +1059,7 @@ def execute_lint_command(self, command):
                 ),
             )
             return_code = process.returncode
-            return_stdout = utils.decode_utf8(process.stdout)
+            return_stdout = utils.clean_string(process.stdout, not self.is_formatter)
         else:
             # Use full executable path if we are on Windows
             if sys.platform == "win32":
@@ -1081,7 +1081,9 @@ def execute_lint_command(self, command):
                     cwd=cwd,
                 )
                 return_code = process.returncode
-                return_stdout = utils.decode_utf8(process.stdout)
+                return_stdout = utils.clean_string(
+                    process.stdout, not self.is_formatter
+                )
             except FileNotFoundError as err:
                 return_code = 999
                 return_stdout = (
@@ -1198,7 +1200,7 @@ def get_linter_version_output(self):
                 env=subprocess_env,
             )
             return_code = process.returncode
-            output = utils.decode_utf8(process.stdout)
+            output = utils.clean_string(process.stdout)
             logging.debug("Linter version result: " + str(return_code) + " " + output)
         except FileNotFoundError:
             logging.warning("Unable to call command [" + " ".join(command) + "]")
@@ -1246,7 +1248,7 @@ def get_linter_help(self):
                     env=subprocess_env,
                 )
                 return_code = process.returncode
-                output += utils.decode_utf8(process.stdout)
+                output += utils.clean_string(process.stdout)
                 logging.debug("Linter help result: " + str(return_code) + " " + output)
             except FileNotFoundError:
                 logging.warning("Unable to call command [" + " ".join(command) + "]")

megalinter/MegaLinter.py

@@ -92,15 +92,7 @@ def __init__(self, params=None):
             manage_upgrade_message()
             display_header(self)
         # MegaLinter default rules location
-        self.default_rules_location = (
-            "/action/lib/.automation"
-            if os.path.isdir("/action/lib/.automation")
-            else os.path.relpath(
-                os.path.relpath(
-                    os.path.dirname(os.path.abspath(__file__)) + "/../TEMPLATES"
-                )
-            )
-        )
+        self.default_rules_location = utils.get_default_rules_location()
         # User-defined rules location
         self.linter_rules_path = self.github_workspace + os.path.sep + ".github/linters"