From 5bed79620b73bde161660131e6e7965c49ae3056 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guillermo=20Sanz=20L=C3=B3pez?=
Date: Thu, 26 Feb 2026 09:50:48 +0100
Subject: [PATCH] update trufflehog version
---
 sdk/templates/ci_dev.gitlab-ci.yml | 20 +++++++++++++++++---
 sdk/templates/ci_staging.gitlab-ci.yml | 17 ++++++++++++++---
 2 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/sdk/templates/ci_dev.gitlab-ci.yml b/sdk/templates/ci_dev.gitlab-ci.yml
index 5af34fd..b00cd24 100644
--- a/sdk/templates/ci_dev.gitlab-ci.yml
+++ b/sdk/templates/ci_dev.gitlab-ci.yml
@@ -22,11 +22,25 @@ dev_secrets_in_repo:
 - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
 when: never
 - when: always
+ # script:
+ # - |
+ # pip install trufflehog
+ # cd ../
+ # trufflehog filesystem sdk --exclude-paths sdk/cicd/exclusions --max-depth 5
 script:
 - |
- pip install trufflehog
- cd ../
- trufflehog filesystem sdk --exclude-paths sdk/cicd/exclusions --max-depth 5
+ set -euo pipefail
+
+ # 1) Descargar trufflehog v3 (binario) en vez del "trufflehog" de pip (v2)
+ TRUF_VER="v3.82.0"
+ ARCH="linux_amd64" # si tus runners son amd64
+ curl -sSL -o /tmp/trufflehog.tgz "https://github.com/trufflesecurity/trufflehog/releases/download/${TRUF_VER}/trufflehog_${TRUF_VER#v}_${ARCH}.tar.gz"
+ tar -xzf /tmp/trufflehog.tgz -C /usr/local/bin trufflehog
+ trufflehog --version
+
+ # 2) Ejecutar scan sobre la carpeta sdk
+ # OJO: usa el fichero real de exclusiones (ajusta si no está en cicd/exclusions)
+ trufflehog filesystem sdk --exclude-paths cicd/exclusions --max-depth 5
 <<: *dev_common
 
 # define the process to do linting code: ruff
diff --git a/sdk/templates/ci_staging.gitlab-ci.yml b/sdk/templates/ci_staging.gitlab-ci.yml
index d3c5e56..736a85e 100644
--- a/sdk/templates/ci_staging.gitlab-ci.yml
+++ b/sdk/templates/ci_staging.gitlab-ci.yml
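Review bot: The new `curl`/`tar` lines install a binary straight into `/usr/local/bin` and execute it in the job without any integrity check, so a substituted release asset would run with this job's access to the checkout; the version is pinned (`v3.82.0`) but the archive itself is not, and the same lines appear in the staging hunk of ci_staging.gitlab-ci.yml. Record the expected SHA-256 of the pinned archive next to `TRUF_VER` and fail before extraction when it does not match. A second, independent gap in the final `trufflehog filesystem` line: trufflehog v3 exits 0 when it finds secrets unless `--fail` is given, so as written the job cannot block a pipeline on a finding; the `--fail` flag belongs on that line in both files. The `dev_secrets_in_repo` job's `rules:` begin above the hunk; only the `script:` part is visible here.

```yaml
  script:
    - |
      set -euo pipefail

      TRUF_VER="v3.82.0"
      ARCH="linux_amd64"
      # Digest of the pinned release archive; <EXPECTED_SHA256> is a placeholder to fill in.
      TRUF_SHA256="<EXPECTED_SHA256>"
      curl -sSL -o /tmp/trufflehog.tgz "https://github.com/trufflesecurity/trufflehog/releases/download/${TRUF_VER}/trufflehog_${TRUF_VER#v}_${ARCH}.tar.gz"
      echo "${TRUF_SHA256}  /tmp/trufflehog.tgz" | sha256sum -c -
      tar -xzf /tmp/trufflehog.tgz -C /usr/local/bin trufflehog
      trufflehog --version

      # … unchanged: scan-target comments …
      trufflehog filesystem sdk --exclude-paths cicd/exclusions --max-depth 5 --fail
```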
@@ -31,11 +31,22 @@ variables:
 
 staging_secrets_in_repo:
 stage: staging_secrets_in_repo
+ # script:
+ # - |
+ # pip install trufflehog
+ # cd ../
+ # trufflehog filesystem capif --exclude-paths capif/cicd/exclusions --max-depth 5
 script:
 - |
- pip install trufflehog
- cd ../
- trufflehog filesystem capif --exclude-paths capif/cicd/exclusions --max-depth 5
+ set -euo pipefail
+
+ TRUF_VER="v3.82.0"
+ ARCH="linux_amd64"
+ curl -sSL -o /tmp/trufflehog.tgz "https://github.com/trufflesecurity/trufflehog/releases/download/${TRUF_VER}/trufflehog_${TRUF_VER#v}_${ARCH}.tar.gz"
+ tar -xzf /tmp/trufflehog.tgz -C /usr/local/bin trufflehog
+ trufflehog --version
+
+ trufflehog filesystem capif --exclude-paths cicd/exclusions --max-depth 5
 <<: *staging_common
 
 # define the process to do linting code: ruff
--
GitLab
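Review bot: Dropping `cd ../` changes what the last line scans: `trufflehog filesystem capif` and `--exclude-paths cicd/exclusions` now resolve against the job's working directory instead of its parent, so unless the checkout contains a `capif` subdirectory the scan root is no longer the tree the old command covered, and the exclusions file is looked up relative to the working directory rather than the scanned root (the dev hunk's own `OJO` comment flags the same doubt for `sdk`). Scanning `"$CI_PROJECT_DIR"` with an absolute exclusions path, e.g. `trufflehog filesystem "$CI_PROJECT_DIR" --exclude-paths "$CI_PROJECT_DIR/cicd/exclusions" --max-depth 5`, would make the target independent of the directory name; confirm the intended root before merging. The previous script is also kept as a five-line commented-out block above `script:` in both files; git history already preserves it, so deleting those lines keeps the templates readable.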