require-trufflehog-verified-results-mode
Rule catalog ID: R108
Targeted pattern scope
Workflow steps that use the TruffleHog GitHub Action.
What this rule reports
This rule reports TruffleHog steps that do not configure extra_args to include --results=verified.
Why this rule exists
Verified-results mode reduces noise: with --results=verified, TruffleHog fails the step only on findings it could actively verify (for example, by checking the credential against its provider), rather than on every unverified pattern match.
Incorrect
- uses: trufflesecurity/trufflehog@v3
Correct
- uses: trufflesecurity/trufflehog@v3
  with:
    extra_args: --results=verified
Additional examples
This rule still allows additional TruffleHog flags as long as the verified-results mode is present.
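The following is an added, stand-alone illustration of the check this rule performs; it is not code from eslint-plugin-github-actions-2. It assumes the workflow YAML has already been parsed into a plain object (for example with js-yaml), and it also accepts a comma-separated --results list that contains "verified", which is an assumption about equivalent configurations rather than something the rule text states.

```javascript
// Added example (not the plugin's own implementation): applies the R108 logic
// to a workflow object that has already been parsed from YAML.
const TRUFFLEHOG_ACTION = "trufflesecurity/trufflehog";

// True when extra_args enables verified-results mode.
// Assumption: --results=verified,unknown also counts, since "verified" is included.
function hasVerifiedResultsMode(extraArgs) {
  if (typeof extraArgs !== "string") return false;
  return extraArgs
    .split(/\s+/)
    .filter((tok) => tok.startsWith("--results="))
    .some((tok) => tok.slice("--results=".length).split(",").includes("verified"));
}

// Walks every job/step and reports TruffleHog steps that lack the mode.
// Other extra_args flags are allowed, as the rule text describes.
function findUnverifiedTrufflehogSteps(workflow) {
  const findings = [];
  for (const [jobId, job] of Object.entries(workflow.jobs || {})) {
    (job.steps || []).forEach((step, index) => {
      const uses = typeof step.uses === "string" ? step.uses : "";
      // Match the action regardless of the pinned ref (@v3, @<sha>, ...).
      if (uses.split("@")[0] !== TRUFFLEHOG_ACTION) return;
      const extraArgs = step.with && step.with.extra_args;
      if (!hasVerifiedResultsMode(extraArgs)) {
        findings.push({
          jobId,
          stepIndex: index,
          uses,
          message: "TruffleHog step does not set extra_args to include --results=verified",
        });
      }
    });
  }
  return findings;
}

// Constructed sample workflow: a non-TruffleHog step, one missing the mode,
// one compliant step, and one compliant step that also passes extra flags.
const SAMPLE_WORKFLOW = {
  jobs: {
    scan: {
      steps: [
        { uses: "actions/checkout@v4" },
        { uses: "trufflesecurity/trufflehog@v3" }, // reported
        { uses: "trufflesecurity/trufflehog@v3", with: { extra_args: "--results=verified" } },
        { uses: "trufflesecurity/trufflehog@v3", with: { extra_args: "--json --results=verified" } },
      ],
    },
  },
};
```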
ESLint flat config example
import githubActions from "eslint-plugin-github-actions-2";
export default [githubActions.configs.security];
When not to use it
Disable this rule if your repository intentionally wants broader TruffleHog results despite the extra noise.