Return non-zero exit code if an error occurs during a scan. #4476
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
With its original code, Trufflehog was returning a zero exit code in cases when an error was encountered during a scan. This led to some unexpected situations, such as succeeding if a git repo was not cloned correctly or if a non-existent commit was referenced from `--since-commit`. This PR proposes adding a new flag `--fail-on-scan-errors` that, if enabled, will propagate scan errors further (alongside with the current behavior of reporting them on console), ensuring that Trufflehog returns a non-zero exit code. The change should be fairly safe, as it is hidden behind a flag and if not activated, the original behavior is retained. See also: trufflesecurity#4218 Signed-off-by: Milan Plzik <[email protected]>
|
|
Contributor
Author
|
@rosecodym happy to help. Also, I was being fairly conservative with adding the change behind a flag -- since a fair amount of users might have this failing silently, it might be worth to gradually roll this out as an enabled-by-default flag (e.g. slowly add a warning about not using the flag, then make the flag enabled by default; then remove the option altogether, if it makes sense). This is a choice that lies on the Trufflehog maintainers, though. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
With its original code, Trufflehog was returning a zero exit code in
cases when an error was encountered during a scan. This led to some
unexpected situations, such as succeeding if a git repo was not cloned
correctly or if a non-existent commit was referenced from
--since-commit.This PR proposes adding a new flag
--fail-on-scan-errorsthat, ifenabled, will propagate scan errors further (alongside with the current
behavior of reporting them on console), ensuring that Trufflehog returns
a non-zero exit code.
The change should be fairly safe, as it is hidden behind a flag and if
not activated, the original behavior is retained.
See also: #4218
Signed-off-by: Milan Plzik [email protected]
Checklist:
make test-community)?make lintthis requires golangci-lint)?