Running as Github composite action

Open radoslav-stefanov opened this issue 2 years ago • 6 comments

Hi!

Trying to run this as a Github composite action. For some reason it does not detect any secrets even though I have multiple vulnerable files.

Here is the action:

name: TruffleHog
description: TruffleHog scan

inputs:
  fetch-depth:
    required: false
    description: 'Number of commits to fetch during checkout. 0 indicates all history for all branches and tags'
    default: '0'

runs:
  using: "composite"
  steps:
    - name: Checkout code
      uses: actions/checkout@v4
      with:
        path: code
        fetch-depth: ${{ inputs.fetch-depth }}

    - name: TruffleHog OSS
      uses: trufflesecurity/trufflehog@main
      with:
        path: ./code
        base: ${{ github.event.repository.default_branch }}
        head: HEAD
        extra_args: --debug

When I test my repo locally or without using a composite it is working as expected. Any tip what I might be missing?

docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest filesystem .
2023-11-03T16:26:23Z	info-0	trufflehog	finished scanning	{"chunks": 24393, "bytes": 323720844, "verified_secrets": 0, "unverified_secrets": 107, "scan_duration": "17.616903094s"}

radoslav-stefanov, Nov 03 '23 16:11

What's the output from the action? Do the chunks and bytes look similar?

rgmz, Nov 03 '23 16:11

> What's the output from the action? Do the chunks and bytes look similar?

Sorry forgot to include it.

Run actions/checkout@v4
  with:
    path: code
    fetch-depth: 0
    repository: ***
    token: ***
    ssh-strict: true
    persist-credentials: true
    clean: true
    sparse-checkout-cone-mode: true
    fetch-tags: false
    show-progress: true
    lfs: false
    submodules: false
    set-safe-directory: true
  env:
    PROJECT: ***
Syncing repository: ***
Getting Git version info
Temporarily overriding HOME='/home/runner/work/_temp/2e9879a0-f71f-4f8f-ac17-6e8bcb058e0b' before making global git config changes
Adding repository directory to the temporary git global config as a safe directory
/usr/bin/git config --global --add safe.directory /home/runner/work/wordpress-php-fpm/wordpress-php-fpm/code
Initializing the repository
Disabling automatic garbage collection
Setting up auth
Fetching the repository
Determining the checkout info
Checking out the ref
  /usr/bin/git checkout --progress --force -B master refs/remotes/origin/master
  Reset branch 'master'
  branch 'master' set up to track 'origin/master'.
/usr/bin/git log -1 --format='%H'
'f3a9054b350484421f0a81d719a61f2fb86aef73'
Run trufflesecurity/trufflehog@main
  with:
    path: ./code
    base: master
    head: HEAD
    extra_args: --debug
  env:
    PROJECT: ***
/usr/bin/docker run --name ghcriotrufflesecuritytrufflehoglatest_1253d6 --label a0a740 --workdir /github/workspace --rm -e "PROJECT" -e "INPUT_PATH" -e "INPUT_BASE" -e "INPUT_HEAD" -e "INPUT_EXTRA_ARGS" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "GITHUB_ACTION_PATH" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/wordpress-php-fpm/wordpress-php-fpm":"/github/workspace" ghcr.io/trufflesecurity/trufflehog:latest  "git" "file://./code" "--since-commit" "master" "--branch" "HEAD" "--fail" "--no-update" "--github-actions" "--debug"
2023/11/03 16:21:28 [updater parent] run
2023/11/03 16:21:28 [updater parent] starting /usr/bin/trufflehog
2023/11/03 16:21:28 [updater child#1] run
2023/11/03 16:21:28 [updater child#1] start program
2023-11-03T16:21:28Z	info-2	trufflehog	trufflehog 3.62.1
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2023-11-03T16:21:28Z	info-2	trufflehog	starting scanner workers	{"count": 1}
2023-11-03T16:21:28Z	info-2	trufflehog	starting detector workers	{"count": 50}
2023-11-03T16:21:28Z	info-2	trufflehog	starting notifier workers	{"count": 1}
2023-11-03T16:21:28Z	info-1	trufflehog	cloned repo	{"path": "./code"}
2023-11-03T16:21:28Z	info-1	trufflehog	scanning repo	{"job_id": 1, "source_manager_worker_id": "Ob2SL", "source_type": "SOURCE_TYPE_GIT", "source_name": "trufflehog - git", "repo": "https://github.com/***", "base": "f3a9054b350484421f0a81d719a61f2fb86aef73", "head": "f3a9054b350484421f0a81d719a61f2fb86aef73"}
2023-11-03T16:21:28Z	info-1	trufflehog	reached base commit	{"job_id": 1, "source_manager_worker_id": "Ob2SL", "source_type": "SOURCE_TYPE_GIT", "source_name": "trufflehog - git", "repo": "https://github.com/***", "commit": "f3a9054b350484421f0a81d719a61f2fb86aef73"}
2023-11-03T16:21:28Z	info-1	trufflehog	scanning staged changes	{"job_id": 1, "source_manager_worker_id": "Ob2SL", "source_type": "SOURCE_TYPE_GIT", "source_name": "trufflehog - git", "path": "./code"}
2023-11-03T16:21:28Z	info-2	trufflehog	finished parsing git log.	{"job_id": 1, "source_manager_worker_id": "Ob2SL", "source_type": "SOURCE_TYPE_GIT", "source_name": "trufflehog - git", "total_log_size": 0}
2023-11-03T16:21:28Z	info-1	trufflehog	scanning git repo complete	{"job_id": 1, "source_manager_worker_id": "Ob2SL", "source_type": "SOURCE_TYPE_GIT", "source_name": "trufflehog - git", "repo": "https://github.com/***", "path": "./code", "time_seconds": 0, "commits_scanned": 0}
2023-11-03T16:21:28Z	info-1	trufflehog	Git source finished scanning	{"job_id": 1, "source_manager_worker_id": "Ob2SL", "source_type": "SOURCE_TYPE_GIT", "source_name": "trufflehog - git", "repo_count": 1}
2023-11-03T16:21:28Z	info-0	trufflehog	finished scanning	{"chunks": 0, "bytes": 0, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "22.482028ms"}
2023/11/03 16:21:28 [updater parent] prog exited with 0

radoslav-stefanov, Nov 03 '23 16:11
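The log above is the interesting part of this thread: base and head resolve to the same commit, 0 commits and 0 chunks are scanned, and the step still exits 0. As an added example (not code from the issue or from the TruffleHog project), here is a small Python audit that parses TruffleHog's tab-separated structured log lines and refuses to trust a run that covered nothing. The sample log is constructed from the output pasted above, with the repository URL and commit hash replaced by placeholders.

```python
"""Audit a TruffleHog log for a scan that silently covered nothing."""
import json
import re

# Constructed sample modelled on the action output in this thread; the repo
# URL and commit hash are placeholders, not the poster's real values.
ACTION_LOG = """\
2023-11-03T16:21:28Z\tinfo-2\ttrufflehog\ttrufflehog 3.62.1
2023-11-03T16:21:28Z\tinfo-1\ttrufflehog\tscanning repo\t{"job_id": 1, "repo": "https://github.com/EXAMPLE/repo", "base": "abc123", "head": "abc123"}
2023-11-03T16:21:28Z\tinfo-1\ttrufflehog\tscanning git repo complete\t{"job_id": 1, "time_seconds": 0, "commits_scanned": 0}
2023-11-03T16:21:28Z\tinfo-0\ttrufflehog\tfinished scanning\t{"chunks": 0, "bytes": 0, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "22.482028ms"}
"""
# The local filesystem run from the same thread, which did scan content.
LOCAL_LOG = '2023-11-03T16:26:23Z\tinfo-0\ttrufflehog\tfinished scanning\t{"chunks": 24393, "bytes": 323720844, "verified_secrets": 0, "unverified_secrets": 107, "scan_duration": "17.616903094s"}\n'

# timestamp <TAB> level <TAB> logger <TAB> message [<TAB> JSON fields]
LINE_RE = re.compile(r"^(\S+)\t(\S+)\ttrufflehog\t([^\t]+)(?:\t(\{.*\}))?$")

def parse_log(text):
    """Return [(message, fields)] per structured line; banner/updater lines (no tabs) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields = json.loads(m.group(4)) if m.group(4) else {}
            events.append((m.group(3), fields))
    return events

def audit_scan(text):
    """Return why the run's exit status cannot be trusted; [] means it really scanned something."""
    events = dict(parse_log(text))  # last line per message wins
    problems = []
    scan = events.get("scanning repo")
    if scan and scan.get("base") and scan["base"] == scan.get("head"):
        problems.append("base and head resolve to the same commit, so the diff range is empty")
    done = events.get("scanning git repo complete")
    if done is not None and done.get("commits_scanned", 0) == 0:
        problems.append("0 commits scanned")
    summary = events.get("finished scanning")
    if summary is None:
        problems.append("no 'finished scanning' line; the scan did not complete")
    elif summary.get("chunks", 0) == 0:
        problems.append("0 chunks scanned; exit code 0 here is a false negative")
    return problems

if __name__ == "__main__":
    import sys  # usage: trufflehog ... 2>&1 | tee scan.log; python3 audit.py scan.log
    problems = audit_scan(open(sys.argv[1]).read() if len(sys.argv) > 1 else ACTION_LOG)
    print("\n".join("untrusted scan: " + p for p in problems) or "scan covered content")
    sys.exit(1 if problems else 0)
```

Run it as an extra step after the TruffleHog step, so a zero-coverage run fails the job instead of passing quietly.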

> 2023/11/03 16:21:28 [updater parent] prog exited with 0

It seems that it's getting killed before the scan can complete. I actually just started facing this bug and was going to report it.

Try including --no-update in the list of args and see if that fixes it.

~~Edit: I believe the culprit is https://github.com/trufflesecurity/trufflehog/blame/7a156330b51c14f3b7ee8a3e0aa74d17454cbb57/main.go#L242, which causes the program to exit when the update check fails.~~ Nevermind.

rgmz, Nov 03 '23 16:11

--no-update is already included as default, so it fails if I add it again.

I can work around it by manually installing with the install script and then scanning, but I would prefer to use the action.

radoslav-stefanov, Nov 03 '23 16:11

This is how I ended up using it for now.

name: TruffleHog
description: TruffleHog scan

inputs:
  fetch-depth:
    required: false
    description: 'Number of commits to fetch during checkout. 0 indicates all history for all branches and tags.'
    default: '1'

  pr-branch-name:
    required: true
    description: 'Target PR branch name.'

runs:
  using: "composite"
  steps:
    - name: Checkout code
      uses: actions/checkout@v4
      with:
        path: code
        fetch-depth: ${{ inputs.fetch-depth }}

    - name: Install Trufflehog
      shell: bash
      run: curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin

    - name: Run scan
      shell: bash
      working-directory: code
      run: |
        if [ "${{ inputs.pr-branch-name }}" = "master" ]; then
          trufflehog git file://. --fail --github-actions
        else
          trufflehog git file://. --since-commit master --branch ${{ inputs.pr-branch-name }} --fail --github-actions --no-update
        fi

radoslav-stefanov, Nov 03 '23 21:11

@radoslav-stefanov there have been some significant changes to the gha recently: https://github.com/trufflesecurity/trufflehog/blob/main/action.yml

Try using the default config and see if that works for you: https://github.com/trufflesecurity/trufflehog/?tab=readme-ov-file#general-usage

zricethezav, Feb 16 '24 21:02