fix: trufflehog

mfranzke · web-flow · commit b238631fabb4 · 2025-08-06T06:53:56.000+02:00
diff --git a/.github/workflows/00-scan-secrets.yml b/.github/workflows/00-scan-secrets.yml
@@ -20,13 +20,16 @@ jobs:
         uses: ./.github/actions/extract-branch
         id: extract_branch
 
+      # https://github.com/marketplace/actions/trufflehog-oss#advanced-usage-scan-entire-branch
       - name: 🐷 TruffleHog OSS
         uses: trufflesecurity/trufflehog@main
         if: ${{ github.event.pull_request != null }} # only scan on pull-requests
         with:
-          path: ./
-          base: ${{ steps.extract_branch.outputs.branch-name }}
-          head: HEAD
+          # Setting base to an empty string scans the entire branch, per TruffleHog OSS advanced usage:
+          # https://github.com/marketplace/actions/trufflehog-oss#advanced-usage-scan-entire-branch
+          base: ""
+          head: ${{ github.ref_name }}
+          extra_args: --results=verified,unknown
 
       - name: 💀 Killing me softly
         uses: ./.github/actions/cancel-workflow
