From 1823d0bf79976b76021ff9c2cd03434f2cd00a28 Mon Sep 17 00:00:00 2001 From: Milan Plzik Date: Thu, 25 Sep 2025 14:15:46 +0200 Subject: [PATCH] Return non-zero exit code if an error occurs during a scan. With its original code, Trufflehog was returning a zero exit code in cases when an error was encountered during a scan. This led to some unexpected situations, such as succeeding if a git repo was not cloned correctly or if a non-existent commit was referenced from `--since-commit`. This PR proposes adding a new flag `--fail-on-scan-errors` that, if enabled, will propagate scan errors further (alongside with the current behavior of reporting them on console), ensuring that Trufflehog returns a non-zero exit code. The change should be fairly safe, as it is hidden behind a flag and if not activated, the original behavior is retained. See also: https://github.com/trufflesecurity/trufflehog/issues/4218 Signed-off-by: Milan Plzik --- main.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/main.go b/main.go index cbb263bd275a..69a1d3717e60 100644 --- a/main.go +++ b/main.go @@ -72,6 +72,7 @@ var ( printAvgDetectorTime = cli.Flag("print-avg-detector-time", "Print the average time spent on each detector.").Bool() noUpdate = cli.Flag("no-update", "Don't check for updates.").Bool() fail = cli.Flag("fail", "Exit with code 183 if results are found.").Bool() + failOnScanErrors = cli.Flag("fail-on-scan-errors", "Exit with non-zero error code if an error occurs during the scan.").Bool() verifiers = cli.Flag("verifier", "Set custom verification endpoints.").StringMap() customVerifiersOnly = cli.Flag("custom-verifiers-only", "Only use custom verification endpoints.").Bool() detectorTimeout = cli.Flag("detector-timeout", "Maximum time to spend scanning chunks per detector (e.g., 30s).").Duration() @@ -1081,8 +1082,12 @@ func runSingleScan(ctx context.Context, cmd string, cfg engine.Config) (metrics, } // Print any non-fatal errors reported during the scan. + var retErr error for _, ref := range refs { if errs := ref.Snapshot().Errors; len(errs) > 0 { + if *failOnScanErrors { + retErr = fmt.Errorf("encountered errors during scan") + } errMsgs := make([]string, len(errs)) for i := 0; i < len(errs); i++ { errMsgs[i] = errs[i].Error() @@ -1099,7 +1104,7 @@ func runSingleScan(ctx context.Context, cmd string, cfg engine.Config) (metrics, printAverageDetectorTime(eng) } - return metrics{Metrics: eng.GetMetrics(), hasFoundResults: eng.HasFoundResults()}, nil + return metrics{Metrics: eng.GetMetrics(), hasFoundResults: eng.HasFoundResults()}, retErr } // parseResults ensures that users provide valid CSV input to `--results`.