Closed wandering-tales closed 6 months ago
jasonhills-drata
commented
6 months ago It appears that --only-verified was completely removed from the code in 3.70.0, which was not the intent of https://github.com/trufflesecurity/trufflehog/pull/2372 per comments.
arshadkazmi42
commented
6 months ago As per the PR, new flag is --results=verified but that also does not seems to be working.
nvuillam
commented
6 months ago Same issue detected here, I had to disable trufflehog :/
I think #2372 change might have broken something.
The default command line arguments for trufflehog in Megalinter explicitly use the
--only-verifiedoption to avoid false positive on the.git/configfile (as per https://github.com/oxsecurity/megalinter/pull/2838).Today I have stumbled upon a false positive on exactly that
.git/configfile and, as it is visible from the GHA log in the gist linked below, that is an unverified result which should have been excluded by that option.Besides, this failure started to occur suddenly, even though the pinned version of trufflehog in Megalinter is 3.69.0. After some digging I have discovered the cause is the fact that trufflehog seems to auto-update itself when run. I have addressed that in https://github.com/oxsecurity/megalinter/pull/3430 by explicitly adding the
--no-updateoption.TruffleHog Version
Version is 3.70.0, as it may be visible in the GitHub Actions log excerpt linked in the gist below.
Trace Output
https://gist.github.com/wandering-tales/51311d13eccf03a3b27388069dbcd0a4
Expected Behavior
The
--only-verifiedoption should have filtered out unverified resultsActual Behavior
An unverified result was included in the final report causing the command to fail.
Steps to Reproduce
I cannot reproduce it locally. It looks like a false positive occurring solely in GitHub Action CI environments.
Environment