shallow cloning + GitHub Action #2138
Conversation
(1) and (3) seem like great improvements. I find myself skeptical of (2) and (5) - personally, I prefer CI actions that are explicit, granular, and as un-magical as possible. Batteries-included actions are great when they work, but as soon as they don't, I'm left with a paucity of options to debug. But! I claim no authority for this opinion, and you interact with other developers who use this more than I do, so I'll defer to the judgment of the crowd.
I think that's a totally fair response. The two main set-up difficulties that I'm trying to abstract for users are: (1) conducting a git shallow clone, and (2) counting commits in pushes, so that the entire push can be easily scanned. If the better option is to write up two new documentation sections and add a new flag (or two) to the existing GH Action structure, I'm happy to do that.
This is the only one I have issue with. To echo @rosecodym: this is abstracting away the modularity/granularity of a composable CI/CD pipeline. Since we can generally assume most users will consume this as part of a larger pipeline, they're going to end up checking out their code twice. That being said, it's also clear that's what's needed to abstract away the cloning options needed to make this work. I'm not sure there's an alternative and this may just need to be a compromise.
action.yml (outdated)
if: ${{ inputs.full_repo == 'false' }}

###########################
## FULL REPO SCAN STEPS ##
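Review bot: the guard `if: ${{ inputs.full_repo == 'false' }}` only selects the shallow-clone path when the input is literally the string false. If `full_repo` is declared without `default: 'false'`, an omitted input evaluates to an empty string, this condition is false, and the action would silently fall through to the full-repo steps. Either declare the default explicitly in the `inputs` block or invert the test to `inputs.full_repo != 'true'` so that "unset" means the shallow path.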
Thought: the term FULL REPO has the potential to confuse some folks. This is something I saw at GitLab and w/ gitleaks-action; people would be confused about whether they were scanning the filesystem or the full git history. I think it would be useful to either change the name from `full_repo` to `full_git_history` or document that `full_repo` is scanning the entire history.
I think this is a good plan.
I searched on GitHub for instances of repos using TH's GH Action and found some interesting results:
This is one common setup:
Here's another one that I saw:
In my testing, these do not actually scan anything. TH looks like it runs (which it technically does), but it scans 0 chunks of data. This seems like something that deserves immediate attention since users believe they're invoking TH, but they are not.
Surprisingly, this same repo also calls out shallow cloning, saying in some cases TH will fail without an error if a shallow clone is used. I'm not sure why or how that would be the case.
@joeleonjr is this problem resolved by this pr?
Yes and no. This PR addresses that issue; however, it uses a new set of flags. There's a whole set of folks using the current GH Action (and different flags), that would need to upgrade their action. Since most folks won't proactively do that, we probably should issue a patch for the current action that addresses this. One idea suggested was to check if the values passed into I'll also note that @zricethezav shared the gitleaks implementation and this PR needs to address the Finally, I know folks were split on including the git cloning logic inside the action. Depending on where that ends up, this PR might need some small updates.
Just pushed a major update to the PR. A few changes:
Since (as you reported) many users were mistakenly scanning nothing, does that mean that their pipelines will suddenly stop completing successfully once this goes out? I'm not saying that's necessarily bad, I just want to be sure.
else
head_commit=""
fi
if [ $base_commit == $head_commit ] ; then
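Review bot: `if [ $base_commit == $head_commit ] ; then` leaves both operands unquoted. When exactly one of them is empty (the `else` branch just above sets `head_commit=""`), the test collapses to two words and `[` exits with "unary operator expected" instead of taking either branch; when both are empty it collapses to `[ == ]`, which is true only by accident of word splitting. `==` is also a bash extension rather than POSIX `test`. Quote both sides and use `=`, i.e. `if [ "$base_commit" = "$head_commit" ]; then`, so the empty-equals-empty case raised in this thread is compared deliberately.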
thought (non-blocking): I could see how users might want to scan a single commit. As a user I don't want to determine the range, I just want to provide a single commit. We could change the base==head behavior to scan base/head against the closest parent commit.
Just a thought, this isn't blocking and we could revisit this down the line.
Definitely a valid use case. I'm open to adjusting this. I think we should ship this asap since some folks aren't scanning commits atm and think they are. But I'm down to think through what the behavior should look like.
Separately, I'm reviewing this code before merging in and I'm looking at this line `if [ $base_commit == $head_commit ] ; then`. Do you think there are folks that leave base equal to '' and head equal to '', so that they can trigger a full git repository history scan? @zricethezav
Just left a non-blocking comment for discussion. I think this PR is good to go. Huge huge huge improvement, thanks Joe!
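The range decisions debated in this thread (counting pushed commits to size the shallow fetch, base == head meaning one commit, empty base and head meaning the whole history) written out as one pure function. This is an added example, not code from the PR or the trufflehog action; payload field names are GitHub's, while `plan_scan`, `ScanPlan` and the `~n` / `^` revision handling are assumptions of this example.

```python
"""Decide what a CI secret scan should cover from a GitHub Actions event.

Added example, not code from the trufflehog PR or action: it models the
choices the action's bash steps have to make (push vs. pull_request, how
many commits to shallow-fetch, base == head, empty base/head meaning "scan
the whole history") as a pure, testable function. Payload field names are
GitHub's; NULL_SHA is the value GitHub puts in a push event's `before` for
a newly created branch (and in `after` for a deleted one).
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

NULL_SHA = "0" * 40
PUSH_COMMITS_CAP = 20  # GitHub truncates the push payload's `commits` array here


@dataclass(frozen=True)
class ScanPlan:
    mode: str             # "range" | "single" | "full_history" | "skip"
    base: Optional[str]   # oldest commit to exclude (None for full history)
    head: Optional[str]   # newest commit to include
    fetch_depth: int      # --depth for the clone; 0 means a full clone
    reason: str


def plan_scan(event_name: str, event: Dict[str, Any],
              base_input: str = "", head_input: str = "",
              full_repo: bool = False) -> ScanPlan:
    """Return the range to scan and how deep to fetch to make it available."""
    # Normalise first: an unquoted bash `[ $base == $head ]` cannot tell
    # "unset" from "blank", so make that distinction explicit here.
    base_input, head_input = base_input.strip(), head_input.strip()

    if full_repo:
        return ScanPlan("full_history", None, None, 0, "full_repo requested")

    if base_input or head_input:
        if not (base_input and head_input):
            raise ValueError("base and head must be given together")
        if base_input == head_input:
            # Single commit: scan it against its first parent instead of an
            # empty range (the reviewer's suggested base == head behaviour).
            return ScanPlan("single", f"{head_input}^", head_input, 2,
                            "base == head, scanning one commit")
        # Without the repo we cannot count commits between two arbitrary SHAs.
        return ScanPlan("range", base_input, head_input, 0,
                        "explicit range, depth unknown -> full clone")

    if event_name == "push":
        before, after = event["before"], event["after"]
        commits: List[Any] = event.get("commits", [])
        if after == NULL_SHA or not commits:
            return ScanPlan("skip", None, None, 0, "branch deleted or nothing pushed")
        if len(commits) >= PUSH_COMMITS_CAP:
            # The payload no longer tells us how many commits were pushed.
            if before == NULL_SHA:
                return ScanPlan("full_history", None, None, 0,
                                "truncated commit list on a new branch")
            return ScanPlan("range", before, after, 0,
                            "payload commit list truncated -> full clone")
        depth = len(commits) + 1  # the pushed commits plus the one they build on
        if before == NULL_SHA:
            # New branch: `before` is all zeros, so anchor the range to `after`
            # with a git revision the clone step can resolve.
            return ScanPlan("range", f"{after}~{len(commits)}", after, depth,
                            "new branch, base derived from commit count")
        return ScanPlan("range", before, after, depth, f"{len(commits)} commit(s) pushed")

    if event_name == "pull_request":
        pr = event["pull_request"]
        n = int(pr["commits"])
        # n ancestors of head reach the fork point; the base branch tip itself
        # comes from checking out the base ref, not from this depth.
        return ScanPlan("range", pr["base"]["sha"], pr["head"]["sha"], n + 1,
                        f"pull request with {n} commit(s)")

    # Empty base and head with no usable event: the "scan everything" case
    # asked about above, made explicit instead of falling out of a string test.
    return ScanPlan("full_history", None, None, 0,
                    "no range information; scanning full git history")


def trufflehog_args(plan: ScanPlan) -> List[str]:
    """Arguments for `trufflehog git` that match the plan (flags as the action uses them)."""
    args = ["git", "file://."]
    if plan.mode in ("range", "single"):
        args += ["--since-commit", plan.base, "--branch", plan.head]
    return args
```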
Hi @joeleonjr, it turns out this commit broke my workflow. I'm using a self-hosted GitHub Actions runner for my organization, and I guarantee CI environment isolation by running the CI via Docker. This PR removes the Docker image and it fails for everyone who uses a Docker container base in their GitHub Actions. Here's my GitHub Actions output:

I'm not saying we should revert this PR, as from what I read this is a good direction going forward. What we can do is provide documentation in the README that points out that the current quickstart for GitHub Actions won't work if you're using a container base. A small reproduction would be this (you can run this on both self-hosted runners and SaaS, or GitHub-hosted, runners):

```yaml
name: PR
on:
  pull_request:
jobs:
  ci:
    name: CI
    container: golang:bookworm # This is the part that defines the container base image
    runs-on: "ubuntu-latest"
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: TruffleHog OSS
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          extra_args: --debug --only-verified
```
Thanks for bringing this to our attention. I think I have a solution that would require an update to the TruffleHog action.yml file. I'm proposing a check to determine whether the action is already containerized. If so, then it will install golang, clone/build TruffleHog and then run TruffleHog. If not, it will just use the dockerized version. Do you mind @aldy505 letting me know if this works for your use case?
Note: If this works, then you'd be able to use the TruffleHog action just like you showed in the "small reproduction" you provided above.
Description:

This proposed GitHub Action updates the existing action by implementing a few new features:

`actions/checkout@v3` action). Why? Two reasons: (A) user experience: users can now invoke this action in their GH workflow yaml files without any additional steps; (B) Git shallow cloning requires a few computations (ex: count of commits in the push or PR). This is simpler for the user; otherwise, they'd have to follow a slightly convoluted set-up process.

3. The current action does not provide a sufficiently robust process to scan pushes to the default branch. In some workflows, engineers might push multiple commits inside one push to `main`. Given the current action's tutorial, I couldn't easily scan a push to `main` containing multiple commits. (Maybe just my user error though.) It appears that in order to scan a push with multiple commits, the user would need to provide the commit hash prior to the new commits into the `base` argument. There doesn't seem to be a straightforward way to do that in the current action. The updated action will do this by default.

`full_repo` flag (conducting a full git clone). This is for users that want to scan more than just the code diff in their push or PR.

`path`, `base` and `head`, which seem to confuse some users.

Note: To prevent backwards compatibility issues, I propose we tag the original action `v1` (it's currently `main`). Then we tag the new action `v2`. Users will still be able to use `v1` with an always-updated version of TH OSS, since we invoke the `latest` docker image.

Comments and discussion are welcomed!! Also, I did my best to test this out, but it would be helpful for others to run this action inside larger repositories (alongside the existing action).

Checklist:
- (`make test-community`)?
- (`make lint`, this requires golangci-lint)?