Trufflehog as a GitHub Action fails at .git/config #3046

Open
wesley-dean-flexion opened this issue Oct 27, 2023 · 5 comments
Labels
bug Something isn't working

Comments

@wesley-dean-flexion
Contributor

Describe the bug

This is a continuation of #2834 .

I'm running MegaLinter v7.4.0 (Python flavor) as a GitHub Action. When it runs, it finds .git/config (which isn't in the repository as it's created in a previous step (probably actions/checkout@v4)), potentially in conjunction with the inclusion of a PAT environment variable (so applied fixes can be pushed back). While the finding is "correct," it's a result of the expected workflow.

Here's some sample output:

✅ Linted [REPOSITORY] files with [trufflehog]: Found 1 non blocking error(s) - (4.4s) (expand for details)
  - Using [trufflehog v3.60.4] https://megalinter.io/7.3.0/descriptors/repository_trufflehog
  - MegaLinter key: [REPOSITORY_TRUFFLEHOG]
  - Rules config: identified by [trufflehog]
  --Error detail:
  🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷
  
  Found verified result 🐷🔑
  Detector Type: Github
  Decoder Type: BASE64
  Raw result: ***
  Site_admin: false
  Name: ***
  Company: 
  Rotation_guide: https://howtorotate.com/docs/tutorials/github/
  Username: ***
  Url: ***
  Account_type: User
  File: .git/config
  Line: 11

What's interesting here is that the result was verified, so the --only-verified flag mentioned as a workaround wasn't... working around.

The --exclude-paths flag to Trufflehog accepts a filename that contains a list of paths to ignore -- one can't just tell it to exclude .git . Using --exclude-paths=.gitignore doesn't work in our particular situation on account of our .gitignore containing some fun fileglobbing that --exclude-paths doesn't understand.

I was able to work around it by creating a separate file, .trufflehogignore, and adding .git/ to it, then telling Trufflehog to ignore paths from that file. From the project's .mega-linter.yml:

REPOSITORY_TRUFFLEHOG_ARGUMENTS: "--exclude-paths=.trufflehogignore"

To Reproduce
Steps to reproduce the behavior:

  1. Invoke Megalinter via GitHub Action
  2. Include a step that results in the creation of a .git/ directory
  3. Run Megalinter on a commit
  4. See error

Expected behavior

Trufflehog, run through Megalinter, should not throw a non-blocking error solely as a consequence of using a checkout action (which creates the file that's being matched)

Here's the result of running Megalinter with the applied workaround:

✅ Linted [REPOSITORY] files with [trufflehog] successfully - (3.62s) (expand for details)
  - Using [trufflehog v3.60.4] https://megalinter.io/7.4.0/descriptors/repository_trufflehog
  - MegaLinter key: [REPOSITORY_TRUFFLEHOG]
  - Rules config: identified by [trufflehog]
@wesley-dean-flexion wesley-dean-flexion added the bug Something isn't working label Oct 27, 2023
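A dry run of the exclusion logic behind the workaround above, added here as an example and not code from MegaLinter or Trufflehog. It assumes, as Trufflehog's --exclude-paths help text states, that the file holds one regex per line matched against each scanned path, and uses Python's re module as a stand-in for Go's regexp; the ignore file, the .gitignore and the path list are constructed.

```python
"""Preview which checkout paths a trufflehog --exclude-paths file would drop."""
import re
from typing import List, Tuple

# Constructed .trufflehogignore, mirroring the issue's workaround: one regex per line.
# Note that an unanchored ".git/" also matches "xgit/", because "." is a regex wildcard;
# "^\.git/" would be the strict form.
TRUFFLEHOG_IGNORE = """\
.git/
"""

# Constructed .gitignore using glob syntax, which --exclude-paths reads as regexes.
GITIGNORE = """\
**/*.log
node_modules/
"""

# Constructed paths as they would appear after actions/checkout created .git/.
CANDIDATE_PATHS = [
    ".git/config",
    ".git/HEAD",
    "src/app.py",
    "build/out.log",
    "node_modules/x/index.js",
]


def load_exclude_patterns(text: str) -> Tuple[List[re.Pattern], List[str]]:
    """Compile each non-blank line as a regex.

    Returns (compiled, rejected): rejected holds lines that are not valid regexes,
    which is what happens to gitignore globs such as "**/*.log".
    """
    compiled: List[re.Pattern] = []
    rejected: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            compiled.append(re.compile(line))
        except re.error:
            rejected.append(line)
    return compiled, rejected


def filter_paths(paths: List[str], patterns: List[re.Pattern]) -> List[str]:
    """Return the paths that would still be scanned (no exclude regex matches)."""
    return [p for p in paths if not any(rx.search(p) for rx in patterns)]
```

Running `load_exclude_patterns(GITIGNORE)` shows why pointing --exclude-paths at a .gitignore misbehaves: the glob line is rejected and only `node_modules/` survives, so `.git/config` is still scanned.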
@wesley-dean-flexion
Contributor Author

wesley-dean-flexion commented Oct 27, 2023

Pedantically speaking, I don't know if this is a Megalinter bug. We could script around it (e.g., create a file at runtime that tells Trufflehog to ignore .git and pass that file along to Trufflehog), but doing so could be problematic for other uses where there may be other --exclude-paths options passed along. That is, I don't know if Trufflehog will respect the inclusion of multiple files or if it'll fail with an error (like it does with --skip-unverified).

Therefore, my hope is that should someone else stumble upon this issue and search the list of Megalinter issues, they may find this and it may help them work around the issue with less trial and error.

Feel free to close this out as-needed.


This issue has been automatically marked as stale because it has not had recent activity.
It will be closed in 14 days if no further activity occurs.
Thank you for your contributions.

If you think this issue should stay open, please remove the O: stale 🤖 label or comment on the issue.

@github-actions github-actions bot added the O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity label Nov 27, 2023
@pjungermann
Contributor

We did the same change with the same naming, ignoring .git/ as well.

@github-actions github-actions bot removed the O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity label Feb 14, 2025

This issue has been automatically marked as stale because it has not had recent activity.
It will be closed in 14 days if no further activity occurs.
Thank you for your contributions.

If you think this issue should stay open, please remove the O: stale 🤖 label or comment on the issue.

@github-actions github-actions bot added the O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity label Mar 16, 2025
@nvuillam
Member

I think that indeed the best way is for ML users to ignore themselves what's in .git

@github-actions github-actions bot removed the O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity label Mar 21, 2025