trufflehog catalog hook scans gitignored target/ in Rust consumers, blocks every commit #287

Closed
opened 2026-06-25 11:23:01 +00:00 by coilysiren · 1 comment
Owner

Problem

The catalog trufflehog (secret scan, offline) hook shipped from this repo
(.pre-commit-hooks.yaml) false-positives on Rust build artifacts. On any host
that has run a release build, target/ exists (gitignored, untracked) and the
hook reads its binary blobs (libzerocopy-*.rlib, .rmeta, *.pdb), emitting
thousands of bogus "unverified" hits that block every git commit.

Reported in coilyco-bridge/agentic-os-kai#530. It blocked landing the .forgejo/
migration in coilysiren/repo-recall on a tower until rm -rf target/ (4.6GB,
fully reproducible). It affects every Rust-shaped consumer of this hook
(repo-recall, cli-guard, ward, coily).

Current hook entry

.pre-commit-hooks.yaml, id trufflehog:

entry: trufflehog git file://. --since-commit HEAD --no-verification --no-update --fail

Root cause

trufflehog's git file://. scan reads the working copy, and for untracked files
it does not consult .gitignore (upstream feature request trufflesecurity/trufflehog#3356
confirms trufflehog does not honor .gitignore). So gitignored target/ gets
walked. Removing target/ is what clears the hits, which proves the working-tree
read is the source.

Fix shape (verify empirically with a live trufflehog before landing)

This repo is the right home because the entry is centrally managed: consumers
carry it via the apply-agentic-os-hooks.py managed block, and that block is
regenerated with no per-hook args, so a consumer-side override does not survive.

Candidates, in rough order of preference:

  • --exclude-globs appended inline (travels with the shared entry, no per-repo
    file needed): e.g. --exclude-globs 'target/**,dist/**,build/**,node_modules/**'.
    Caveat to verify: --exclude-globs is documented as filtering at the git log
    level, so confirm it also suppresses the untracked working-tree read, not just
    committed objects.
  • --exclude-paths <file> of regexes (the pattern already used in
    agentic-os-kai's .github/workflows/trufflehog.yml CI scan: (^|/)target/,
    \.venv/, node_modules/, the cache dirs). Downside: needs a committed
    regex file each consumer carries, awkward for a shared entry.
  • Scope strictly to the staged diff so untracked files are never read.

The carrying agent should reproduce with cargo build --release + an empty
commit, pick whichever flag actually suppresses the working-tree read, and keep
real staged-secret detection intact (do not blanket --only-verified, the hook
is offline --no-verification).

Rollout (part of done)

Landing the entry change is not enough on its own. Consumers pin a rev:, so
after this lands and a release tag cuts, bump the pin fleet-wide via
make apply-agentic-os-hooks / apply-agentic-os-hooks.py --rev vX so Rust
repos actually receive the fix. Closing agentic-os-kai#530 depends on that
rollout reaching the affected repos.

Repro

cd <a Rust repo with this hook>
cargo build --release
git commit --allow-empty -m "trigger"   # blocks on trufflehog target/ hits

Filed from the agentic-os-kai#530 carry container, which is scoped to
agentic-os-kai and cannot push this repo. Cross-ref: coilyco-bridge/agentic-os-kai#530.

## Problem The catalog `trufflehog (secret scan, offline)` hook shipped from this repo (`.pre-commit-hooks.yaml`) false-positives on Rust build artifacts. On any host that has run a release build, `target/` exists (gitignored, untracked) and the hook reads its binary blobs (`libzerocopy-*.rlib`, `.rmeta`, `*.pdb`), emitting thousands of bogus "unverified" hits that block every `git commit`. Reported in coilyco-bridge/agentic-os-kai#530. It blocked landing the `.forgejo/` migration in `coilysiren/repo-recall` on a tower until `rm -rf target/` (4.6GB, fully reproducible). It affects every Rust-shaped consumer of this hook (repo-recall, cli-guard, ward, coily). ## Current hook entry `.pre-commit-hooks.yaml`, id `trufflehog`: entry: trufflehog git file://. --since-commit HEAD --no-verification --no-update --fail ## Root cause trufflehog's `git file://.` scan reads the working copy, and for untracked files it does not consult `.gitignore` (upstream feature request trufflesecurity/trufflehog#3356 confirms trufflehog does not honor `.gitignore`). So gitignored `target/` gets walked. Removing `target/` is what clears the hits, which proves the working-tree read is the source. ## Fix shape (verify empirically with a live trufflehog before landing) This repo is the right home because the entry is centrally managed: consumers carry it via the `apply-agentic-os-hooks.py` managed block, and that block is regenerated with no per-hook args, so a consumer-side override does not survive. Candidates, in rough order of preference: - `--exclude-globs` appended inline (travels with the shared entry, no per-repo file needed): e.g. `--exclude-globs 'target/**,dist/**,build/**,node_modules/**'`. Caveat to verify: `--exclude-globs` is documented as filtering at the `git log` level, so confirm it also suppresses the untracked working-tree read, not just committed objects. - `--exclude-paths <file>` of regexes (the pattern already used in agentic-os-kai's `.github/workflows/trufflehog.yml` CI scan: `(^|/)target/`, `\.venv/`, `node_modules/`, the cache dirs). Downside: needs a committed regex file each consumer carries, awkward for a shared entry. - Scope strictly to the staged diff so untracked files are never read. The carrying agent should reproduce with `cargo build --release` + an empty commit, pick whichever flag actually suppresses the working-tree read, and keep real staged-secret detection intact (do not blanket `--only-verified`, the hook is offline `--no-verification`). ## Rollout (part of done) Landing the entry change is not enough on its own. Consumers pin a `rev:`, so after this lands and a release tag cuts, bump the pin fleet-wide via `make apply-agentic-os-hooks` / `apply-agentic-os-hooks.py --rev vX` so Rust repos actually receive the fix. Closing agentic-os-kai#530 depends on that rollout reaching the affected repos. ## Repro cd <a Rust repo with this hook> cargo build --release git commit --allow-empty -m "trigger" # blocks on trufflehog target/ hits Filed from the agentic-os-kai#530 carry container, which is scoped to agentic-os-kai and cannot push this repo. Cross-ref: coilyco-bridge/agentic-os-kai#530.
Author
Owner

Duplicate of #288 (double-submit from the carry container). Tracking in #288.

Duplicate of #288 (double-submit from the carry container). Tracking in #288.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/agentic-os#287
No description provided.