feat: allow changing Docker image for scan job

krzysztof-clari · krzysztof-clari · commit d5db5f8b40ac · 2025-06-17T19:14:27.000+02:00
Allows changing Docker image used for the scan job, this is useful if
the Docker images should be pulled from a different place than the
GitHub Container Registry. Such situations usually occur with air-gapped
systems or places where Docker registry access is restricted.
diff --git a/README.md b/README.md
@@ -612,6 +612,8 @@ TruffleHog statically detects [https://canarytokens.org/](https://canarytokens.o
     base:
     # Scan commits until here (usually dev branch).
     head: # optional
+    # Docker image to use for scanning, defaults to ghcr.io/trufflesecurity/trufflehog.
+    image: # optional
     # Extra args to be passed to the trufflehog cli.
     extra_args: --log-level=2 --results=verified,unknown
 ```
@@ -672,7 +674,7 @@ TruffleHog will send a JSON POST request containing the regex matches to a
 configured webhook endpoint. If the endpoint responds with a `200 OK` response
 status code, the secret is considered verified.
 
-Custom Detectors support a few different filtering mechanisms: entropy, regex targeting the entire match, regex targeting the captured secret, 
+Custom Detectors support a few different filtering mechanisms: entropy, regex targeting the entire match, regex targeting the captured secret,
 and excluded word lists checked against the secret (captured group if present, entire match if capture group is not present). Note that if
 your custom detector has multiple `regex` set (in this example `hogID`, and `hogToken`), then the filters get applied to each regex. [Here](examples/generic_with_filters.yml) is an example of a custom detector using these filters.
 
diff --git a/action.yml b/action.yml
@@ -18,6 +18,10 @@ inputs:
     default: ""
     description: Extra args to be passed to the trufflehog cli.
     required: false
+  image:
+    default: "ghcr.io/trufflesecurity/trufflehog"
+    description: Docker image to use for scanning.
+    required: false
   version:
     default: "latest"
     description: Scan with this trufflehog cli version.
@@ -36,6 +40,7 @@ runs:
         HEAD: ${{ inputs.head }}
         ARGS: ${{ inputs.extra_args }}
         COMMIT_IDS: ${{ toJson(github.event.commits.*.id) }}
+        IMAGE: ${{ inputs.image }}
         VERSION: ${{ inputs.version }}
       run: |
         ##########################################
@@ -94,7 +99,7 @@ runs:
         ##          Run TruffleHog              ##
         ##########################################
         docker run --rm -v .:/tmp -w /tmp \
-        ghcr.io/trufflesecurity/trufflehog:${VERSION} \
+        "${IMAGE}:${VERSION}" \
         git file:///tmp/ \
         --since-commit \
         ${BASE:-''} \
