Removing hardcoded options in GHA docker run and providing output configuration

kellydunn · kellydunn · commit c00a72c7aa6f · 2025-06-09T12:06:50.000-07:00
outputting results

outputting results

outputting results

outputting results

outputting results

outputting results

outputting results

Attempting to mount github workspace for commit scans

Adding back in hardcoded options, but electing to use GHA vars

Adding in explicit no_fail input and check
diff --git a/action.yml b/action.yml
@@ -14,6 +14,10 @@ inputs:
   head:
     description: Scan commits until here (usually dev branch).
     required: false
+  no_fail:
+    description: When set, trufflehog does not exit with a 183 code when a credential is found.
+    required: false
+    default: ''
   extra_args:
     default: ""
     description: Extra args to be passed to the trufflehog cli.
@@ -22,6 +26,10 @@ inputs:
     default: "latest"
     description: Scan with this trufflehog cli version.
     required: false
+outputs:
+  results:
+    description: "Trufflehog scan outputs"
+    value: ${{ steps.trufflehog.outputs.results }}
 branding:
   icon: "shield"
   color: "green"
@@ -30,6 +38,7 @@ runs:
   using: "composite"
   steps:
     - shell: bash
+      id: trufflehog
       working-directory: ${{ inputs.path }}
       env:
         BASE: ${{ inputs.base }}
@@ -90,17 +99,27 @@ runs:
             HEAD=${{github.event.pull_request.head.sha}}
           fi
         fi
-        ##########################################
-        ##          Run TruffleHog              ##
-        ##########################################
-        docker run --rm -v .:/tmp -w /tmp \
-        ghcr.io/trufflesecurity/trufflehog:${VERSION} \
-        git file:///tmp/ \
-        --since-commit \
-        ${BASE:-''} \
-        --branch \
-        ${HEAD:-''} \
-        --fail \
-        --no-update \
-        --github-actions \
-        ${ARGS:-''}
+      fi
+      ##########################################
+      ##      Determine additional args       ##
+      ##########################################
+      if [ -n "$NO_FAIL" ]; then
+        FAIL=""
+      else
+        FAIL="--fail"
+      fi
+      ##########################################
+      ##          Run TruffleHog              ##
+      ##########################################
+      results=$(docker run --rm -v ${{ github.workspace }}:/tmp -w /tmp \
+      ghcr.io/trufflesecurity/trufflehog:${VERSION} \
+      git file:///tmp/ \
+      --since-commit \
+      ${BASE:-''} \
+      --branch \
+      ${HEAD:-''} \
+      ${FAIL} \
+      --no-update \
+      --github-actions \
+      ${ARGS:-''})
+      echo "results='$(echo $results)'" >> $GITHUB_OUTPUT
