trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

Trufflehog scan fails when action is in initial commit #3557

Open bobidle opened 2 weeks ago

bobidle commented 2 weeks ago

TruffleHog Version

Running the latest version of TruffleHog via uses: trufflesecurity/trufflehog@main

Trace Output

https://gist.github.com/bobidle/901838a7c777cf91f374db8b51e69938

Expected Behavior

TruffleHog should scan the initial commit.

Actual Behavior

Process completed with exit code 128

Steps to Reproduce

  1. Create an empty repository
  2. Clone the repository locally
  3. Create folder .github/workflows and file .github/workflows/trufflehog.yaml
  4. Add the general usage example to the file https://github.com/trufflesecurity/trufflehog?tab=readme-ov-file#general-usage
  5. git add ... & git commit ... & git push
  6. Check result of GitHub action.

Environment

References

rgmz commented 1 week ago

The error is interesting: commit b9b115394405ca896c845359a03d5012fa5a6c34 exists in the repository but the action is trying to checkout b9b115394405ca896c845359a03d5012fa5a6c34~1.

fatal: ambiguous argument 'b9b115394405ca896c845359a03d5012fa5a6c34~1'

bobidle commented 1 week ago

The error message is from git rev-parse $HEAD~$COMMIT_LENGTH; reducing $COMMIT_LENGTH by one does not help, as this excludes one commit from the scan.

It could be fixed by setting BASE="" (see my linked pull request), but it is possible that I am missing something else.
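The failure and the empty-BASE fallback discussed above, as an added example that is not part of the thread, the linked pull request, or the action's own code. `resolve_base`, `make_demo_repo` and `demo` are hypothetical helpers, and the repository is a constructed throwaway one.

```shell
#!/bin/sh
# Added example, not the action's code. All function names are hypothetical.

# Print the commit that sits COUNT commits before HEAD_SHA, or nothing when
# that ancestor does not exist (the pushed range includes the root commit).
resolve_base() {
    repo=$1; head_sha=$2; count=$3
    # --verify --quiet exits non-zero without printing
    # "fatal: ambiguous argument" when HEAD_SHA~COUNT cannot be resolved.
    git -C "$repo" rev-parse --verify --quiet "${head_sha}~${count}^{commit}" || true
}

# Build a constructed throwaway repository with two empty commits; print its path.
make_demo_repo() {
    dir=$(mktemp -d)
    git -c init.defaultBranch=main init --quiet "$dir"
    for msg in first second; do
        git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false commit --quiet --allow-empty -m "$msg"
    done
    printf '%s\n' "$dir"
}

# Show the resolved base for a push of 1 commit and a push of 2 commits
# (the second case reaches past the root commit, as in the issue).
demo() {
    repo=$(make_demo_repo)
    head_sha=$(git -C "$repo" rev-parse HEAD)
    for n in 1 2; do
        base=$(resolve_base "$repo" "$head_sha" "$n")
        echo "commits pushed: $n -> BASE='${base}'"
    done
    rm -rf "$repo"
}
demo
```
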

bobidle commented 1 week ago

Test repositories and jobs