
How can I run the github action in filesystem mode?

Open erawhctim opened this issue 3 months ago • 1 comment

Here's an example of my GHA workflow:

  scan-secrets:
    name: "Scan for secrets via trufflehog action"
    runs-on: ubuntu-latest
    needs: [build]
    steps:
      - uses: actions/checkout@v4

      - name: download APK from artifacts
        uses: actions/download-artifact@v4
        with:
          name: ${{ needs.build.outputs.release-apk-artifact-name }}
          path: ./build-for-scanning

      - uses: trufflesecurity/trufflehog@main
        with:
          extra_args: filesystem --debug --config=.github/trufflehog-config.yml ./build-for-scanning/app.apk

which doesn't work and prints this error output: trufflehog: error: unexpected filesystem, try --help

Full output
  ##########################################
  ##          Run TruffleHog              ##
  ##########################################
  docker run --rm -v .:/tmp -w /tmp \
  ghcr.io/trufflesecurity/trufflehog:${VERSION} \
  git file:///tmp/ \
  --since-commit \
  ${BASE:-''} \
  --branch \
  ${HEAD:-''} \
  --fail \
  --no-update \
  --github-actions \
  ${ARGS:-''}
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    BASE: 
    HEAD: 
    ARGS: filesystem --config=.github/trufflehog-config.yml ./yellow-build-for-scanning/app.apk
    COMMIT_IDS: []
    VERSION: latest
Unable to find image 'ghcr.io/trufflesecurity/trufflehog:latest' locally
latest: Pulling from trufflesecurity/trufflehog
f18232174bc9: Pulling fs layer
a308771bf1d8: Pulling fs layer
4f4fb700ef54: Pulling fs layer
be1f57adb53d: Pulling fs layer
7fb20409f32b: Pulling fs layer
7fb20409f32b: Waiting
be1f57adb53d: Waiting
4f4fb700ef54: Verifying Checksum
4f4fb700ef54: Download complete
f18232174bc9: Verifying Checksum
f18232174bc9: Download complete
a308771bf1d8: Verifying Checksum
a308771bf1d8: Download complete
7fb20409f32b: Verifying Checksum
7fb20409f32b: Download complete
be1f57adb53d: Verifying Checksum
be1f57adb53d: Download complete
f18232174bc9: Pull complete
a308771bf1d8: Pull complete
4f4fb700ef54: Pull complete
be1f57adb53d: Pull complete
7fb20409f32b: Pull complete
Digest: sha256:e6d0180c4fce66c6bb18b4b08ad1eab3eb6024e57034a1f0efc91e571adda4a2
Status: Downloaded newer image for ghcr.io/trufflesecurity/trufflehog:latest
trufflehog: error: unexpected filesystem, try --help
Error: Process completed with exit code 1.

Most of the docs seem to point to scanning the repo files as the primary use case. Is there a way to run the action with filesystem mode and supply a binary file (Android APK) to scan?

erawhctim · Jul 02 '25 19:07
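The "Full output" block above shows why `extra_args` cannot switch modes: the action hard-codes `git file:///tmp/` as the subcommand and only appends `${ARGS}` after the `git` flags, so the word `filesystem` arrives as an unexpected positional argument. The workaround below is an added example, not code from the issue or from the trufflehog project: it replaces the action step with a plain `run` step that invokes the same container image directly with the `filesystem` subcommand. It assumes the APK has been downloaded to `./build-for-scanning/app.apk` and that the config lives at `.github/trufflehog-config.yml`, as in the workflow above; the job name and `TRUFFLEHOG_VERSION` variable are my own. Only flags that appear in the action's own docker command (`--config`, `--fail`, `--no-update`, `--github-actions`) are used.

```yaml
# Added example (not from the issue or the trufflehog project).
# Assumes: APK at ./build-for-scanning/app.apk, config at .github/trufflehog-config.yml,
# and a `build` job that exposes the artifact name, as in the original workflow.
jobs:
  scan-secrets:
    name: "Scan APK for secrets with trufflehog (filesystem mode)"
    runs-on: ubuntu-latest
    needs: [build]
    steps:
      - uses: actions/checkout@v4

      - name: download APK from artifacts
        uses: actions/download-artifact@v4
        with:
          name: ${{ needs.build.outputs.release-apk-artifact-name }}
          path: ./build-for-scanning

      # Run the image the action wraps, but choose the subcommand ourselves.
      - name: Scan APK with trufflehog filesystem mode
        env:
          # "latest" mirrors what the action resolved to in the output above;
          # pin to a release tag or the sha256 digest for reproducible scans.
          TRUFFLEHOG_VERSION: latest
        run: |
          docker run --rm \
            -v "${GITHUB_WORKSPACE}:/tmp" -w /tmp \
            "ghcr.io/trufflesecurity/trufflehog:${TRUFFLEHOG_VERSION}" \
            filesystem /tmp/build-for-scanning/app.apk \
            --config=.github/trufflehog-config.yml \
            --fail \
            --no-update \
            --github-actions
```

The workspace is mounted at `/tmp` and the working directory set to `/tmp` so that the same relative `--config` path the original workflow used still resolves inside the container. `--fail` makes the step exit non-zero when a secret is found, which is what fails the job; `--github-actions` keeps the annotation-style output the action would have produced. The pull log above shows the image being resolved by digest, so pinning `TRUFFLEHOG_VERSION` to that digest (`ghcr.io/trufflesecurity/trufflehog@sha256:...`) rather than `latest` is the safer choice for a step that scans release artifacts.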