
Trufflehog does not consider commits in quarantine when run as a pre-receive hook

Open · mukesh-dream11 opened this issue 6 months ago · 1 comment

TruffleHog Version

trufflehog 3.88.23

Trace Output

https://gist.github.com/mukesh-dream11/246820fa9d57c4019776f77a51856f67

Expected Behavior

After git push, trufflehog should detect the secret, fail with an error code and thus prevent the push from happening.

Actual Behavior

Trufflehog does not detect the secret, since the offending commit is in the quarantine area when the pre-receive hook is invoked.

Steps to Reproduce

Run the following script:

#!/bin/bash

rm -rf test-base.git test-workdir

# Bare "server" repository whose pre-receive hook runs trufflehog on each pushed ref.
git init --bare test-base.git
cat > test-base.git/hooks/pre-receive << '_EOF'
#!/bin/bash -e
# receive-pack feeds one "oldrev newrev refname" line per updated ref on stdin.
while read oldrev newrev refname; do
  if [[ "$oldrev" =~ ^0{40}$ ]]; then
    # New ref: no previous commit to scan from, so scan the whole repo.
    trufflehog --no-update --log-level=5 git file://. --bare --only-verified --fail
  else
    # Existing ref: scan only what was added since the old tip.
    trufflehog --no-update --log-level=5 git file://. --bare --since-commit="$oldrev" --only-verified --fail
  fi
done
_EOF
chmod +x test-base.git/hooks/pre-receive

git clone test-base.git test-workdir
cd test-workdir

# The following step should fail, but does not: at pre-receive time the pushed
# commit only exists in the quarantine object directory, not under objects/.
echo "https://admin:[email protected]/basic_auth" >> README.md && git add . && git commit -m test && git push

# After the push is successful and the ref is updated, manually running trufflehog again will fail as expected
echo "Running trufflehog manually post ref update"
cd ../test-base.git
trufflehog --no-update --log-level=5 git file://. --bare --only-verified --fail

Environment

  • OS: macOS
  • Version Sequoia 15.3.2

References

  1. https://git-scm.com/docs/git-receive-pack#_quarantine_environment

mukesh-dream11 · Apr 10 '25 11:04
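A pre-receive hook that does see the quarantined objects, as an added example that is not part of this issue or of TruffleHog's own code. When receive-pack runs the hook it exports GIT_QUARANTINE_PATH and points GIT_OBJECT_DIRECTORY at that directory (with the repository's real objects directory in GIT_ALTERNATE_OBJECT_DIRECTORIES), so git plumbing executed by the hook process itself (rev-list, diff-tree) can read the incoming commits before any ref points at them. The credential regex below is a stand-in for a real scanner, and the pushed secret, the hostname example.invalid and the repository paths are constructed test data (assumptions); to use TruffleHog here instead, extract each commit with git archive into a temporary directory inside the hook and run `trufflehog filesystem` on it, so the scan does not depend on how trufflehog reads `file://.` from the hook's environment.

```shell
#!/bin/sh
# Added example, not code from the issue or from the TruffleHog project.
# Shows a pre-receive hook that scans pushed commits while they are still in
# git's quarantine directory, then verifies that a rejected push leaves no
# objects behind upstream. The secret pattern and test data are constructed.

WORK=$(mktemp -d)
BARE="$WORK/upstream.git"
CLONE="$WORK/work"

setup_repo() {
  rm -rf "$BARE" "$CLONE"
  git init -q --bare "$BARE"
  cat > "$BARE/hooks/pre-receive" <<'HOOK'
#!/bin/sh
# Stand-in pattern (assumption): basic-auth credentials embedded in an https URL.
PATTERN='https://[^/:@[:space:]]+:[^/@[:space:]]+@'
# All-zero object id of the right length for this repo's hash algorithm.
ZERO=$(git hash-object --stdin </dev/null | sed 's/./0/g')
status=0
while read -r oldrev newrev refname; do
  # Ref deletion: nothing new to scan.
  [ "$newrev" = "$ZERO" ] && continue
  if [ "$oldrev" = "$ZERO" ]; then
    # New ref: everything reachable from newrev that no existing ref already has.
    range="$newrev --not --all"
  else
    range="$oldrev..$newrev"
  fi
  # rev-list and diff-tree read the quarantine via GIT_OBJECT_DIRECTORY, which
  # receive-pack set for this hook; no ref needs to point at the commits yet.
  commits=$(git rev-list $range) || exit 1
  for commit in $commits; do
    # Diff each commit against its parent (root commits against the empty tree);
    # merge commits produce no diff here unless -m is added.
    if git diff-tree -r -p --root "$commit" | grep -E "^\+.*$PATTERN" >/dev/null; then
      echo "rejected $refname: commit $commit adds credentials" \
           "(objects read from ${GIT_QUARANTINE_PATH:-no quarantine})" >&2
      status=1
    fi
  done
done
exit $status
HOOK
  chmod +x "$BARE/hooks/pre-receive"
  git clone -q "$BARE" "$CLONE" 2>/dev/null
}

# Append a line to README.md in the clone, commit and push; returns git push's status.
commit_and_push() {
  (
    cd "$CLONE" &&
    printf '%s\n' "$1" >> README.md &&
    git add README.md &&
    git -c user.name=example -c user.email=example@example.invalid commit -q -m "test" &&
    git push -q origin HEAD 2>"$WORK/push.log"
  )
}

push_clean()  { commit_and_push "documentation only"; }
push_secret() { commit_and_push "https://admin:hunter2@example.invalid/basic_auth"; }

# What actually landed upstream: a rejected push is discarded with its quarantine.
upstream_commit_count() { git -C "$BARE" rev-list --all --count; }
upstream_has_secret()   { git -C "$BARE" log --all -p | grep -q hunter2; }

demo() {
  setup_repo
  push_clean  && echo "clean push accepted"
  push_secret || { echo "secret push rejected:"; sed 's/^/  /' "$WORK/push.log"; }
  echo "commits upstream: $(upstream_commit_count)"
}

demo
```

The hook rejects the second push from inside the quarantine, and upstream keeps exactly the one clean commit. If you replace the grep with a real scanner, keep the scan in the hook process (or a child that inherits its environment) so GIT_OBJECT_DIRECTORY still points at the quarantine; a fresh clone made elsewhere only sees objects that have already been accepted.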