Skip to content

Pr/trufflehog scan #1238

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 19 commits into
base: main
Choose a base branch
from
Draft

Pr/trufflehog scan #1238

wants to merge 19 commits into from

Conversation

isaiah-grafana
Copy link

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 14, 2025
View reviewed changes
.github/workflows/reusable-trufflehog.yml
Comment on lines +21 to +22
- name: Checkout code
uses: actions/checkout@v4

Check warning

Code scanning / zizmor

credential persistence through GitHub Actions artifacts Warning

credential persistence through GitHub Actions artifacts
.github/workflows/reusable-trufflehog.yml
--results=verified,unknown \
--fail \
--exclude-paths=.git,.github,node_modules,venv,env \
${{ inputs.extra_args }} \

Check failure

Code scanning / zizmor

code injection via template expansion Error

code injection via template expansion
@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions GitHub Actions
Copy link
Contributor

😢 zizmor failed with exit code 14.

Expand for full output 
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/reusable-trufflehog.yml:21:9
   |
21 |         - name: Checkout code
   |  _________-
22 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/reusable-trufflehog.yml:42:17
   |
35 |         run: |
   |         ^^^ this run block
36 |           trufflehog filesystem . \
...
41 |             --exclude-paths=.git,.github,node_modules,venv,env \
42 |             ${{ inputs.extra_args }} \
   |                 ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

64 findings (12 ignored, 50 suppressed, 2 fixable): 0 unknown, 0 informational, 0 low, 1 medium, 1 high

@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
@github-actions GitHub Actions
Copy link
Contributor

😢 zizmor failed with exit code 14.

Expand for full output 
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/reusable-trufflehog.yml:21:9
   |
21 |         - name: Checkout code
   |  _________-
22 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/reusable-trufflehog.yml:42:17
   |
35 |         run: |
   |         ^^^ this run block
36 |           trufflehog filesystem . \
...
41 |             --exclude-paths=.git,.github,node_modules,venv,env \
42 |             ${{ inputs.extra_args }} \
   |                 ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

65 findings (12 ignored, 51 suppressed, 2 fixable): 0 unknown, 0 informational, 0 low, 1 medium, 1 high

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@isaiah-grafana @CLAassistant