Merge pull request #42 from rudderlabs/revert-39-skip-trufflehog

Revert "chore: add ability to not fail the build if secrets are found"

Author: gabrielbiasi

action.yml

@@ -51,10 +51,6 @@ inputs:
   target:
     description: "Set the target build stage to build"
     required: false
-  fail-on-secrets-found:
-    description: "Fail the build if secrets are found in the image."
-    required: false
-    default: true
   snyk-enabled:
     description: "Enable Snyk scan step. Set to true to run Snyk scan."
     required: false
@@ -147,8 +143,6 @@ runs:
 
     - name: Scan docker image with TruffleHog
       id: scan-docker-image
-      env:
-        FAIL_ON_SECRETS_FOUND: ${{ inputs.fail-on-secrets-found }}
       shell: bash
       run: |
         python $GITHUB_ACTION_PATH/docker-image-scanner.py --image ${{ runner.temp }}/local-docker-image.tar

docker-image-scanner.py

@@ -7,8 +7,6 @@
 
 from typing import List, Dict
 
-FAIL_ON_SECRETS_FOUND = os.getenv("FAIL_ON_SECRETS_FOUND", "false").lower() == "true"
-
 
 def format_image_path(image_path: str) -> str:
     """Format the image path to use file:/// prefix with absolute path."""
@@ -113,15 +111,10 @@ def main():
             print(
                 f"Found unverified secret {redacted_secret} in file={file} layer={layer}"
             )
-
-        # If secrets are found and FAIL_ON_SECRETS_FOUND is true, exit with error
-        print("Secrets found in the image! 🚨")
-        sys.exit(1 if FAIL_ON_SECRETS_FOUND else 0)
+        sys.exit(1)
     else:
-        print("No secrets found in the image! 🚀")
         sys.exit(0)
 
 
 if __name__ == "__main__":
-    print(f"Should fail on secrets found? {FAIL_ON_SECRETS_FOUND}")
     main()