Fix supply chain security vulnerability in TruffleHog installation

isaiah-grafana · isaiah-grafana · commit 75c995fb8ff7 · 2025-10-01T00:36:26.000-05:00
- Replace unpinned install script with direct binary download from GitHub releases
- Eliminates risk of mutable main branch script being compromised
- Downloads specific versioned binary directly from trusted GitHub releases
- More secure and deterministic installation process
- Addresses supply chain security best practices
diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml
@@ -41,8 +41,14 @@ jobs:
 
       - name: Install TruffleHog
         run: |
-          curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \
-            | sh -s -- -b /usr/local/bin "v${{ env.TRUFFLEHOG_VERSION }}"
+          # Download binary directly from GitHub releases for supply chain security
+          VERSION="v${{ env.TRUFFLEHOG_VERSION }}"
+          ARCH="linux_amd64"
+          BINARY_URL="https://github.com/trufflesecurity/trufflehog/releases/download/${VERSION}/trufflehog_${VERSION#v}_${ARCH}.tar.gz"
+
+          curl -sSfL "${BINARY_URL}" | tar -xz -C /tmp
+          sudo mv /tmp/trufflehog /usr/local/bin/trufflehog
+          sudo chmod +x /usr/local/bin/trufflehog
           trufflehog --version
 
       - name: Scan for secrets
