
trufflehog:ignore - buildkite - gh action

Open sean-sype-simmons opened this issue 8 months ago • 2 comments


TruffleHog Version

Status: Downloaded newer image for ghcr.io/trufflesecurity/trufflehog:latest
gh action: trufflehog 3.88.15

Trace Output

https://gist.github.com/sean-simmons-progress/d62a2103910865f54fd3c1f399d32641

Expected Behavior

With trufflehog:ignore set on any line, it should skip that line, correct?

Actual Behavior

It fails the PR because it's claiming that the secret is unverified. It's not even a secret, this is a git commit SHA that's used to check out a specific version of a plugin:

EX:

  - foo-bar:
      valuebool: true
      fileDefinitio: .pathtoFile.yml
      env:
        - PLUGIN_TOOL: e5637ca1ed34a227eba86ae30761010f308b2d1b

even when setting the ignore value, it still fails:

  - foo-bar:
      valuebool: true
      fileDefinitio: .pathtoFile.yml
      env:
        - PLUGIN_TOOL: e5637ca1ed34a227eba86ae30761010f308b2d1b #trufflehog:ignore 

https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/about-commits#about-commits

Steps to Reproduce

Set up a trufflehog action. Add a line to any file that allows lines with #trufflehog:ignore and that contains a test secret. Commit it back to source, open a PR, and run the action against the PR.

It should fail the PR.

Additional Context

In order to fix this I have to pass --exclude-detectors="Buildkite" in the extra_args:

name: trufflehog secret scan
on:
  workflow_dispatch:
  pull_request:
    branches: [ main ]

jobs:
  TruffleHog:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      
      - name: TruffleHog secret scan
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --log-level=5 --exclude-detectors="Buildkite"
        continue-on-error: false

References

  • #0000

sean-sype-simmons avatar Mar 13 '25 17:03 sean-sype-simmons
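The workaround above disables the whole Buildkite detector, which also silences any real Buildkite token that lands in the repo. A narrower option, added here as an example and not part of the issue or of TruffleHog itself, is to post-filter TruffleHog's `--json` output in CI: keep every verified finding, and drop an unverified finding only when its raw value is a commit SHA that actually exists in the repository, or when the source line carries the inline ignore marker. The JSON field names (`DetectorName`, `Raw`, `Verified`, `SourceMetadata.Data.Filesystem.file` / `.line`) follow TruffleHog's output as the author of this example understands it; the findings, file contents and known-SHA list below are constructed, and in real use `known_shas` would come from `git rev-list --all`.

```python
import json
import re

# Added example (not TruffleHog's code): triage filter for `trufflehog --json`
# findings so that a git commit SHA matching a 40-hex detector pattern does
# not fail the PR, without excluding the whole detector.

IGNORE_MARKER = "trufflehog:ignore"          # TruffleHog's inline ignore comment
HEX40 = re.compile(r"^[0-9a-f]{40}$")         # shape of a git commit SHA


def source_location(finding):
    """Return (file, line) from a Filesystem or Git finding, else (None, None).

    Field layout assumed from TruffleHog JSON output; adjust if yours differs.
    """
    data = finding.get("SourceMetadata", {}).get("Data", {})
    for key in ("Filesystem", "Git"):
        if key in data:
            return data[key].get("file"), data[key].get("line")
    return None, None


def is_known_commit(raw, known_shas):
    """True when the raw value looks like a commit SHA and exists in the repo."""
    return bool(HEX40.match(raw or "")) and raw in known_shas


def line_is_ignored(file_lines, line_no):
    """True when the 1-based source line carries the inline ignore marker."""
    if line_no is None or not (1 <= line_no <= len(file_lines)):
        return False
    return IGNORE_MARKER in file_lines[line_no - 1]


def triage(findings, known_shas, files):
    """Split findings into (keep, dropped), dropped entries paired with a reason.

    Verified findings are never dropped: a live credential with an ignore
    comment next to it is still a live credential.
    """
    keep, dropped = [], []
    for f in findings:
        path, line_no = source_location(f)
        lines = files.get(path, [])
        if f.get("Verified"):
            keep.append(f)
        elif is_known_commit(f.get("Raw"), known_shas):
            dropped.append((f, "commit sha"))
        elif line_is_ignored(lines, line_no):
            dropped.append((f, "inline ignore"))
        else:
            keep.append(f)
    return keep, dropped


def exit_code(json_lines, known_shas, files):
    """Parse newline-delimited JSON findings; 1 if anything is left to fail on."""
    findings = [json.loads(l) for l in json_lines if l.strip()]
    keep, _ = triage(findings, known_shas, files)
    return 1 if keep else 0


# ---- constructed sample data (not real scanner output) ----------------------
SHA = "e5637ca1ed34a227eba86ae30761010f308b2d1b"   # the SHA from the issue
KNOWN_SHAS = {SHA}                                  # would be `git rev-list --all`
FILES = {
    "pipeline.yml": [
        "  - foo-bar:",
        "      env:",
        f"        - PLUGIN_TOOL: {SHA}",
        "        - OTHER: 0123456789abcdef0123456789abcdef01234567 #trufflehog:ignore",
    ],
    "argocd.yml": ["    jdbcUrl: jdbc:postgresql://db.internal:5432/app"],
}


def finding(detector, raw, path, line, verified=False):
    return {"DetectorName": detector, "Raw": raw, "Verified": verified,
            "SourceMetadata": {"Data": {"Filesystem": {"file": path, "line": line}}}}


SAMPLE = [
    finding("Buildkite", SHA, "pipeline.yml", 3),                          # real commit
    finding("Buildkite", "0123456789abcdef0123456789abcdef01234567",
            "pipeline.yml", 4),                                            # marked ignore
    finding("JDBC", "jdbc:postgresql://db.internal:5432/app", "argocd.yml", 1),
    finding("Example", "verified-placeholder", "pipeline.yml", 2, verified=True),
]

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE, KNOWN_SHAS, FILES)
    for f, why in dropped:
        print(f"drop {f['DetectorName']} at {source_location(f)}: {why}")
    for f in kept:
        print(f"KEEP {f['DetectorName']} at {source_location(f)} verified={f['Verified']}")
    raise SystemExit(exit_code([json.dumps(f) for f in SAMPLE], KNOWN_SHAS, FILES))
```

Run it between the scan step and the pass/fail decision in the workflow (pipe `trufflehog ... --json` into it and use its exit code). The JDBC finding is deliberately kept: a connection string with no credential in it is a judgement call for the reviewer, and the filter only removes findings it can positively explain.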

Hi there! Thank you for taking the time to open this issue, we really appreciate your contribution to the project! We’ll take a look and get back to you as soon as we can. If we need any clarification, we’ll follow up here.

Thanks again for helping make this project better!

shahzadhaider1 avatar May 20 '25 06:05 shahzadhaider1

Confirmed this with a different yaml file. Ignore comment is not working.

jzielke84 avatar Aug 04 '25 19:08 jzielke84

There is a line in an ArgoCD manifest that has a JDBC database URL, but there are no usernames or passwords in that line, and Trufflehog is still reporting that false positive. It's part of a multi-line string of values to pass into a Helm chart. Adding # trufflehog:ignore both to the line itself and to the start of the values: | line does not work.

The only other workaround would be to ignore the file entirely, although this is less than ideal.

davidjoliver86 avatar Oct 02 '25 00:10 davidjoliver86