Additional flags to ensure Trufflehog fails the check

Pass failure exit code on found secrets, and also ignore the update check. Signed-off-by: Eric Searcy <[email protected]>
linuxfoundation · Feb 7, 2025 · 2eda209 · 2eda209
1 parent b0d8107
commit 2eda209
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
@@ -33,5 +33,7 @@ jobs:
         run: |
           curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \
             | sh -s -- -b /usr/local/bin
-      - run: |
-          trufflehog --github-actions filesystem "${RUNNER_TEMP}/image.tar"
+      - name: Run trufflehog on image.tar
+        run: |
+          trufflehog --fail --no-update --github-actions \
+            filesystem "${RUNNER_TEMP}/image.tar"