Version input should default to the action's release version, not latest

[martindolezal]

Problem

The version input in action.yml defaults to "latest":
https://github.com/trufflesecurity/trufflehog/blob/main/action.yml

inputs:
  version:
    default: "latest"
    description: Scan with this trufflehog cli version.
    required: false

This means that when users pin the action to a specific commit SHA (as recommended by GitHub's security hardening guide), the Docker image pulled at runtime is still ghcr.io/trufflesecurity/trufflehog:latest — a mutable tag that can change at any time.

For example, pinning to the v3.93.8 release SHA:
uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d# v3.93.8
still results in the latest image being pulled, not v3.93.8. This is observable in the workflow logs. The action code is pinned, but the actual scanner binary running inside the container is not.

This creates a two-layer supply chain problem:

Action code — pinned via commit SHA ✅
Docker image — unpinned, defaults to latest ❌
Users who follow GitHub's recommendation to pin actions by SHA reasonably expect that this pins the entire behavior of the action, not just the wrapper script.

Current workaround
Users must manually specify the version input with a tag and digest:

uses: trufflesecurity/trufflehog@586f66d7886cd0b037c7c245d4a6e34ef357ab10 # v3.94.1
with:
  version: "3.94.1@sha256:c6cae63b2ff9254c5f06848d439e31902de625c14f4771d371deff4106688c60"

This works, but it requires users to manually look up image digests and maintain them separately from the action version — something tools like Dependabot cannot automate, since the version input is an opaque string in a with: block.

Proposed solution
Each tagged release should set the version default to its own release version with the image digest, making it fully immutable. For example, in the v3.94.1 release:

inputs:
  version:
    default: "3.94.1@sha256:c6cae63b2ff9254c5f06848d439e31902de625c14f4771d371deff4106688c60"
    description: Scan with this trufflehog cli version. Defaults to the action's release version pinned by image digest.
    required: false

This way, pinning the action SHA automatically pins the matching Docker image. The version input remains available as an override for users who need it, but the default is secure and deterministic.

Including the image digest in the default would probably require a two-phase release (build & push image first, write digest back to action.yml, then tag). If that's too disruptive or not possible, simply changing the default from "latest" to the release version tag (e.g., "3.94.1") would at least prevent unintentional version drift, though it doesn't protect against a compromised registry since tags are mutable. Only the digest provides true immutability.

This is especially relevant given recent supply chain attacks targeting security tooling:

• CVE-2026-33634 (Trivy, March 2026) — compromised credentials were used to publish malicious Docker images of the Trivy scanner, affecting CI/CD environments that pulled the compromised image. This is the exact attack vector that TruffleHog's latest default leaves open: even users who pin the action commit SHA would pull a compromised container image at runtime.
• tj-actions/changed-files (March 2025) — action tags were repointed to inject credential-stealing code, increasing industry awareness around SHA pinning.
  Many organizations are now auditing their workflows to ensure full supply chain integrity. TruffleHog, being a security tool itself, should lead by example — but the current latest default silently undermines that effort.