Closed wandering-tales closed 6 months ago
It appears that --only-verified was completely removed from the code in 3.70.0, which was not the intent of https://github.com/trufflesecurity/trufflehog/pull/2372 per comments.
As per the PR, new flag is --results=verified
but that also does not seems to be working.
Same issue detected here, I had to disable trufflehog :/
I think #2372 change might have broken something.
The default command line arguments for trufflehog in Megalinter explicitly use the
--only-verified
option to avoid false positive on the.git/config
file (as per https://github.com/oxsecurity/megalinter/pull/2838).Today I have stumbled upon a false positive on exactly that
.git/config
file and, as it is visible from the GHA log in the gist linked below, that is an unverified result which should have been excluded by that option.Besides, this failure started to occur suddenly, even though the pinned version of trufflehog in Megalinter is 3.69.0. After some digging I have discovered the cause is the fact that trufflehog seems to auto-update itself when run. I have addressed that in https://github.com/oxsecurity/megalinter/pull/3430 by explicitly adding the
--no-update
option.TruffleHog Version
Version is 3.70.0, as it may be visible in the GitHub Actions log excerpt linked in the gist below.
Trace Output
https://gist.github.com/wandering-tales/51311d13eccf03a3b27388069dbcd0a4
Expected Behavior
The
--only-verified
option should have filtered out unverified resultsActual Behavior
An unverified result was included in the final report causing the command to fail.
Steps to Reproduce
I cannot reproduce it locally. It looks like a false positive occurring solely in GitHub Action CI environments.
Environment