2828 required : false
2929 default : " "
3030 type : string
31- verify-secrets :
32- description : " Enable secret verification against real APIs (may trigger rate limits)"
33- required : false
34- default : " true"
35- type : string
3631 runs-on :
3732 description : " The runner to use for the job"
3833 required : false
7873 | sh -s -- -b /usr/local/bin "${{ steps.version.outputs.version }}"
7974 trufflehog --version
8075
81- - name : Check test files for debugging
82- run : |
83- echo "=== Debugging: Check if test file exists ==="
84- ls -la test-secrets.txt || echo "test-secrets.txt not found"
85- echo "=== File content sample ==="
86- head -10 test-secrets.txt || echo "Cannot read test-secrets.txt"
8776
8877 - name : Identify changed files in pull request for targeted scanning
8978 id : changed-files
@@ -108,25 +97,14 @@ jobs:
10897 # Initialize result files
10998 echo "[]" > all-results.json
11099
111- # TruffleHog optimizations applied:
112- # --results=verified,unverified (include both verified and custom detector results)
113- # --filter-unverified (only first unverified per chunk to reduce duplicates)
114- # --filter-entropy=3.0 (filter low-entropy noise)
115- # --max-depth=10 (limit git history)
116- # --exclude-globs (skip common noise files)
117- echo "TruffleHog optimized scan starting (includes custom detector results)..."
100+ echo "Starting TruffleHog scan..."
118101
119102 # Full repository scanning
120103 if [[ "${SCAN_SCOPE}" == "full-repo" || "${SCAN_SCOPE}" == "both" ]]; then
121104 echo "Running full repository scan..."
122105
123106 if [[ "${SCAN_TYPE}" == "commits" || "${SCAN_TYPE}" == "both" ]]; then
124107 echo "Scanning git commit history..."
125- echo "=== TruffleHog command ==="
126- echo "trufflehog git file://. --json --no-update (built-in detectors only)"
127-
128- # Scan with built-in detectors only
129- echo "=== Scanning with built-in detectors ==="
130108 trufflehog git file://. \
131109 --json \
132110 --no-update \
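Review bot: The rationale comments for the scan flags go away together with the debug echoes, so `--filter-unverified`, `--filter-entropy=3.0` and `--max-depth=10` on the `trufflehog git` invocation now appear with no explanation of what they trade off. The removed `--max-depth=10 (limit git history)` note in particular documents a coverage limit — only the most recent part of the history is scanned — which a later maintainer would want stated next to the flag rather than rediscovered. I would keep a compact version above the command, e.g. `# --filter-unverified/--filter-entropy=3.0: reduce duplicate and low-entropy noise; --max-depth=10: bounds how far back history is scanned` (the same applies to the filesystem scan in the next hunk). The enclosing `run:` block starts before this hunk and continues past it.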
@@ -136,27 +114,17 @@ jobs:
136114 --max-depth=10 \
137115 --exclude-globs="*.lock,*.sum,node_modules/**,*.git/**" \
138116 > commit-results.json || true
139-
140- echo "=== Raw results ==="
141- head -20 commit-results.json || echo "No results file"
142- echo "=== Results file size ==="
143- wc -l commit-results.json || echo "No results file"
144117 fi
145118
146119 if [[ "${SCAN_TYPE}" == "filesystem" || "${SCAN_TYPE}" == "both" ]]; then
147120 echo "Scanning current filesystem..."
148- echo "=== Filesystem scan command ==="
149- echo "trufflehog filesystem . --json --no-update --results=verified,unverified --filter-unverified (built-in detectors)"
150121 trufflehog filesystem . \
151122 --json \
152123 --no-update \
153124 --results=verified,unverified \
154125 --filter-unverified \
155126 --filter-entropy=3.0 \
156127 > fs-results.json || true
157- echo "=== Filesystem scan results ==="
158- wc -l fs-results.json || echo "No filesystem results"
159- head -5 fs-results.json || echo "No filesystem content"
160128 fi
161129 fi
162130
@@ -186,12 +154,10 @@ jobs:
186154 fi
187155 fi
188156
189- # Merge all results - TruffleHog outputs newline-delimited JSON (NDJSON)
190- echo "Merging scan results..."
191- touch all-results.ndjson # Create empty file
157+ # Merge all results
158+ touch all-results.ndjson
192159 for f in commit-results.json fs-results.json changed-files-results.json; do
193160 if [[ -s "${f}" ]]; then
194- echo "Merging results from ${f}"
195161 cat "${f}" >> all-results.ndjson
196162 fi
197163 done
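Review bot: The shortened `# Merge all results` drops the one piece of information that makes the `cat "${f}" >> all-results.ndjson` loop correct — that each results file is newline-delimited JSON, so concatenation is a valid merge. Without it, the nearby `echo "[]" > all-results.json` initialisation earlier in the same block invites a reader to assume the outputs are JSON arrays that would need a real merge. I would restore the detail in the comment: `# Merge all results - TruffleHog emits newline-delimited JSON (NDJSON), so plain concatenation is a valid merge`. The enclosing `run:` block starts before this hunk and continues past it.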