Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The --only-verified option is ignored #2580

Closed
wandering-tales opened this issue Mar 15, 2024 · 3 comments · Fixed by #2582
Closed

The --only-verified option is ignored #2580

wandering-tales opened this issue Mar 15, 2024 · 3 comments · Fixed by #2582
Labels
bug

Comments

@wandering-tales
Copy link

I think #2372 change might have broken something.

The default command line arguments for trufflehog in Megalinter explicitly use the --only-verified option to avoid false positive on the .git/config file (as per oxsecurity/megalinter#2838).

Today I have stumbled upon a false positive on exactly that .git/config file and, as it is visible from the GHA log in the gist linked below, that is an unverified result which should have been excluded by that option.

Besides, this failure started to occur suddenly, even though the pinned version of trufflehog in Megalinter is 3.69.0. After some digging I have discovered the cause is the fact that trufflehog seems to auto-update itself when run. I have addressed that in oxsecurity/megalinter#3430 by explicitly adding the --no-update option.

TruffleHog Version

Version is 3.70.0, as it may be visible in the GitHub Actions log excerpt linked in the gist below.

Trace Output

https://gist.github.com/wandering-tales/51311d13eccf03a3b27388069dbcd0a4

Expected Behavior

The --only-verified option should have filtered out unverified results

Actual Behavior

An unverified result was included in the final report causing the command to fail.

Steps to Reproduce

I cannot reproduce it locally. It looks like a false positive occurring solely in GitHub Action CI environments.

Environment

  • GHA / Megalinter action
@jasonhills-drata
Copy link

It appears that --only-verified was completely removed from the code in 3.70.0, which was not the intent of #2372 per comments.

@arshadkazmi42
Copy link

As per the PR, new flag is --results=verified but that also does not seems to be working.

This was referenced Mar 16, 2024
Closed
Merged
@nvuillam
Copy link

Same issue detected here, I had to disable trufflehog :/

nvuillam added a commit to nvuillam/node-sarif-builder that referenced this issue Mar 16, 2024
@nvuillam
Temporary disable trufflehog
57f14f4 
Related to trufflesecurity/trufflehog#2580
nvuillam added a commit to nvuillam/node-sarif-builder that referenced this issue Mar 16, 2024
@nvuillam
Temporary disable trufflehog
239f169 
Related to trufflesecurity/trufflehog#2580
@nvuillam nvuillam mentioned this issue Mar 16, 2024
Merged
nvuillam added a commit to nvuillam/node-sarif-builder that referenced this issue Mar 16, 2024
@nvuillam
Temporary disable trufflehog
debf7f1 
Related to trufflesecurity/trufflehog#2580
nvuillam added a commit to nvuillam/node-sarif-builder that referenced this issue Mar 16, 2024
@nvuillam
Temporary disable trufflehog (#60)
0d1b2ea 
* Temporary disable trufflehog

Related to trufflesecurity/trufflehog#2580

* [MegaLinter] Apply linters fixes

---------

Co-authored-by: Nicolas Vuillamy <nicolas.vuillamy@cloudity.com>
Co-authored-by: nvuillam <nvuillam@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix --results not behaving as expected. rgmz/trufflehog
4 participants
@arshadkazmi42 @nvuillam @wandering-tales @jasonhills-drata