--since-commit stopped working in v3.67.4 #2396

Closed
kpocius opened this issue Feb 7, 2024 · 12 comments · Fixed by #2402
@kpocius

kpocius commented Feb 7, 2024

TruffleHog Version

3.67.4

Trace Output

N/A

Expected Behavior

Only scan branch commits since base.

Actual Behavior

Scan continues across all history.

Steps to Reproduce

Run the following on a branch of the repo which has some pre-existing secrets in history:

docker run --rm -v "$PWD:/scan" ghcr.io/trufflesecurity/trufflehog:3.67.4 git file:///scan --since-commit master --branch some_branch_name --fail --no-update --github-actions --only-verified

Environment

N/A

Additional Context

N/A

References

It seems that some change was introduced in #2387 where it never reaches base commit and just proceeds scanning entire history.

  • #0000
@kpocius kpocius added the bug label Feb 7, 2024
@zricethezav
Collaborator

Thanks for opening this issue @kpocius. We'll take a look.

@ahrav looks like we may have missed something here

@ltbringer

We noticed this issue in a couple of repositories today. Is there a release planned? I see #2398 and #2393 are both merged.
If it could take a while, is there a workaround that I can apply at my end?

@ahrav
Collaborator

ahrav commented Feb 8, 2024

> We noticed this issue in a couple of repositories today. Is there a release planned? I see #2398 and #2393 are both merged. If it could take a while, is there a workaround that I can apply at my end?

Just tagged v3.67.5. We are still looking into the root cause. Sorry for the inconvenience.

@zricethezav
Collaborator

zricethezav commented Feb 8, 2024

@ltbringer https://github.com/trufflesecurity/trufflehog/releases/tag/v3.67.5 just released a new version a minute ago

@kpocius
Author

kpocius commented Feb 8, 2024

Just tested with 3.67.5 -- the issue seems to persist. I can provide a trace, if that's helpful, but comparing it to 3.67.3 I don't see anything useful, except that it never reaches this:

2024-02-08T17:16:05Z	info-1	trufflehog	reached base commit	{"source_manager_worker_id": "0Vr5U", "unit": "/scan", "repo": "git@github.com:OWNER/REPO.git", "commit": "1acaf34"}
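
The missing "reached base commit" line described in the comment above can serve as a CI guard that a `--since-commit` scan really stopped at the base. This is an added example, not part of the original thread or TruffleHog's own code; it assumes trace output in the tab-separated format of the quoted line, and the function names and sample lines are constructed for illustration.

```python
import json

MARKER = "reached base commit"  # message text from the trace line quoted above

def parse_line(line):
    """Split a tab-separated trace line into (level, message, fields) or None."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 4:
        return None  # not a structured log line (e.g. shell errors, banners)
    fields = {}
    if len(parts) >= 5:
        try:
            fields = json.loads(parts[4])
        except json.JSONDecodeError:
            fields = {}
    return parts[1], parts[3], fields if isinstance(fields, dict) else {}

def base_commits_reached(lines):
    """Return {unit: commit} for every scan unit that logged the marker."""
    reached = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == MARKER:
            reached[parsed[2].get("unit", "")] = parsed[2].get("commit", "")
    return reached

def scan_was_bounded(lines, unit, expected_base):
    """True only if `unit` stopped at expected_base (short or full hash)."""
    commit = base_commits_reached(lines).get(unit, "")
    if not commit or not expected_base:
        return False
    return expected_base.startswith(commit) or commit.startswith(expected_base)

# Constructed sample traces: only the marker line mirrors the one in the thread.
BOUNDED = [
    '2024-02-08T17:16:04Z\tinfo-0\ttrufflehog\tconstructed message\t{"unit": "/scan"}',
    '2024-02-08T17:16:05Z\tinfo-1\ttrufflehog\treached base commit\t'
    '{"unit": "/scan", "repo": "git@github.com:OWNER/REPO.git", "commit": "1acaf34"}',
]
UNBOUNDED = BOUNDED[:1] + ["docker: command not found"]

if __name__ == "__main__":
    for name, trace in (("bounded", BOUNDED), ("unbounded", UNBOUNDED)):
        ok = scan_was_bounded(trace, "/scan", "1acaf34")
        print(f"{name}: {'scan stopped at base' if ok else 'FAIL: base never reached'}")
```

A pipeline can fail the job when `scan_was_bounded` returns False, so a scan that silently widens to the full history is caught as a scope regression rather than passing unnoticed.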

@ltbringer

I faced a different issue when testing:

logs:

Run trufflesecurity/trufflehog@v3.67.5
  with:
    path: ./
    base: main
    head: HEAD
    extra_args: --debug
    version: latest
/__w/_temp/351f10b1-ee98-4321-a138-7046fd87616b.sh: line 48: docker: command not found

@ahrav ahrav linked a pull request Feb 8, 2024 that will close this issue
@ahrav
Collaborator

ahrav commented Feb 8, 2024

Would anyone happen to have an example I can work with? Testing this locally I am currently unable to reproduce the broken behavior. If anyone has a publicly accessible repo, or a test setup it would be greatly appreciated. Thanks.

@kpocius
Author

kpocius commented Feb 9, 2024

@ahrav, I've set up a demo of the issue here https://github.com/kpocius/trufflehog/pull/4

@ahrav
Collaborator

ahrav commented Feb 9, 2024

Hey @kpocius, I can't thank you enough for taking the time and effort to put together that test setup, I really appreciate it. I've requested a review on the PR attached to this issue. Once that gets merged in I'll cut a release which I believe should fix the issue. Thanks again, and I apologize for the lengthy wait to get this fix out.

@kpocius
Author

kpocius commented Feb 9, 2024

Lengthy wait? This is probably one of the fastest turnarounds I've seen 🙂 So if there's anyone we should be thanking, it's you! Happy to help.

@ahrav
Collaborator

ahrav commented Feb 13, 2024

Hey @kpocius, v3.67.6 should be tagged. I think this issue auto-closed after the PR got merged. Could you give it a test and let me know if the issue is resolved? If not, I'll go ahead and re-open this. Thanks again for your help getting this resolved. 😄

@kpocius
Author

kpocius commented Feb 13, 2024

@ahrav, works like a charm! Thank you.
