
Github Action on pull request not behaving as expected

Open xNok opened this issue 2 years ago • 2 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

TruffleHog Version

trufflesecurity/[email protected]

Trace Output

I made a very simple test here: https://github.com/xNok/demo-trufflehog.

  1. Generate an SSH key and commit it to the branch leaking-some-secrets
  2. Open a PR from leaking-some-secrets -> main
  3. Merge the PR (despite the leaked SSH key)
  4. Generate more SSH key pairs and commit them to the branch leak-more-secrets
  5. Create a PR from leak-more-secrets -> main

* 299067a (HEAD -> leak-more-screts, origin/leak-more-screts) test: more ssh key
*   81d398d (origin/main, main) Merge pull request #1 from xNok/leaking-some-secrets
|\  
| * 642ec05 (origin/leaking-some-secrets, leaking-some-secrets) test: ssh key
| * 746385a test: more tokens
| * 060f111 test slack token
|/  
* 5822504 Create trufflehog.yml
* 24a0ce3 first commit

Expected Behavior

the PR from leak-more-secrets -> main should only report the second SSH key, not the first one, because trufflehog should scan from origin/main to HEAD.

Actual Behavior

The first leaked SSH key is reported (while it should not). The second SSH key is not reported (while it should).

Steps to Reproduce

  1. Generate an SSH key and commit it to the branch leaking-some-secrets
  2. Open a PR from leaking-some-secrets -> main
  3. Merge the PR (despite the leaked SSH key)
  4. Generate more SSH key pairs and commit them to the branch leak-more-secrets
  5. Create a PR from leak-more-secrets -> main

Environment

name: Leaked Secrets Scan
on: [pull_request]
jobs:
  TruffleHog:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: TruffleHog OSS
        uses: trufflesecurity/[email protected]
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD

Additional Context

References

  • #0000

xNok, Jul 22 '22 10:07

I've experienced this issue as well. It seems to me that if the latest commit on the default_branch does not exist in HEAD then it causes trufflehog to just scan the entire git history.

I was able to work around this issue by adding the following into my workflow before executing trufflehog:

      - name: Update branch
        run: git merge origin/${{ github.event.repository.default_branch }}

jwenz723, Jul 25 '22 22:07

> I've experienced this issue as well. It seems to me that if the latest commit on the default_branch does not exist in HEAD then it causes trufflehog to just scan the entire git history.
>
> I was able to work around this issue by adding the following into my workflow before executing trufflehog:
>
>       - name: Update branch
>         run: git merge origin/${{ github.event.repository.default_branch }}

I guess handling of conflicts is not a use case for the workaround (just being Captain Obvious, as I was about to suggest using it ourselves :))

foursixnine, Sep 01 '22 19:09
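The following is an added example, not code from the trufflehog project or from any participant in this thread. It builds a constructed throwaway repository matching the condition jwenz723 describes (the default branch's tip is not in HEAD's history), shows the `git merge-base --is-ancestor` check a workflow can run before the scan step, picks a base commit that is guaranteed to be in HEAD's history, and then applies the merge workaround from the thread so its effect on the scanned range is visible. The branch names, the placeholder "key" files and the commit messages are constructed; passing a merge-base commit instead of a branch name as the scan base is an assumption about what a diff-based scanner needs, not a documented input of the trufflehog action.

```shell
#!/bin/sh
# Added example (not from the trufflehog project or the issue's participants).
# Builds a constructed repo in which main's tip is not an ancestor of HEAD,
# detects that condition, chooses a safe scan base, and applies the thread's
# merge workaround to show what the scanned range looks like afterwards.
set -eu

# Identity for the constructed commits (no global git config is assumed).
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Build the repository and print its path. Shape: "leaking-some-secrets" is
# merged into main, while "leak-more-secrets" forked from main before that
# merge, so main's tip is not an ancestor of HEAD when the function returns.
setup_repo() {
    repo=$(mktemp -d)
    cd "$repo"
    git init -q
    git symbolic-ref HEAD refs/heads/main
    echo "first" > README
    git add README
    git commit -q -m "first commit"
    git checkout -q -b leaking-some-secrets
    echo "PLACEHOLDER-NOT-A-KEY-1" > id_rsa_1   # stand-in for the first leaked key
    git add id_rsa_1
    git commit -q -m "test: ssh key"
    git checkout -q main
    git checkout -q -b leak-more-secrets        # forks before the merge below
    echo "PLACEHOLDER-NOT-A-KEY-2" > id_rsa_2   # stand-in for the second leaked key
    git add id_rsa_2
    git commit -q -m "test: more ssh key"
    git checkout -q main
    git merge -q --no-ff -m "Merge pull request #1 from leaking-some-secrets" leaking-some-secrets
    git checkout -q leak-more-secrets
    echo "$repo"
}

# Exit status 0 when the given ref is already in HEAD's history, i.e. the
# precondition the thread's merge workaround establishes.
base_is_ancestor() { git merge-base --is-ancestor "$1" HEAD; }

# A base commit that is always in HEAD's history: the ref itself if it is an
# ancestor of HEAD, otherwise the merge-base of the ref and HEAD. (Assumption:
# a diff-based scanner wants such a commit; this is not a trufflehog input.)
scan_base() {
    if git merge-base --is-ancestor "$1" HEAD; then
        git rev-parse "$1"
    else
        git merge-base "$1" HEAD
    fi
}

# Commit subjects in base..HEAD: the commits a PR scan should cover.
pr_commits() { git log --format=%s "$1..HEAD"; }

# The workaround from the thread. A merge conflict makes git exit non-zero
# and, under set -e, aborts the run, which is the caveat raised above.
merge_workaround() { git merge -q --no-edit "$1"; }

repo=$(setup_repo)
cd "$repo"
printf 'main in HEAD history before merge: '
base_is_ancestor main && echo yes || echo no
echo "chosen base: $(scan_base main)"
echo "commits to scan from chosen base:"
pr_commits "$(scan_base main)"
merge_workaround main
printf 'main in HEAD history after merge: '
base_is_ancestor main && echo yes || echo no
echo "main..HEAD after the merge workaround:"
pr_commits main
```

From the chosen base only "test: more ssh key" is listed, which is the behaviour the issue expects; the first key, already on main, is outside the range. After the merge workaround main is an ancestor of HEAD, and the range main..HEAD gains the merge commit itself in addition to the PR's own commit. In a workflow, the ancestor check can run as its own step before the scan so a branch that is behind the default branch fails fast instead of producing findings from unrelated history.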

The reported fix worked in one of our company repos, but I'm still seeing behavior in others where it is flagging secrets that are not in the PR commits.

I'll take more time this evening or tomorrow to see if I just have something configured wrong, but the only inputs I am providing are the default branch as base and then the HEAD input (as shown in the examples in the TruffleHog README).

RyanRennCN, Sep 22 '22 16:09

@RyanRennCN This workflow worked for us: https://github.com/foursixnine/os-autoinst-distri-opensuse/actions/runs/3107033239/workflow

Note that it had to be first in master for this to work, at least on a branch several commits behind master.

foursixnine, Sep 22 '22 16:09