feat: replace --only-verified with --results in docs/precommit (#3643)

Co-authored-by: Cody Rose <[email protected]>

Author: rgmz

.pre-commit-hooks.yaml

@@ -1,6 +1,6 @@
 - id: trufflehog
   name: TruffleHog
   description: Detect secrets in your data with TruffleHog.
-  entry: trufflehog git file://. --since-commit HEAD --only-verified --fail
+  entry: trufflehog git file://. --since-commit HEAD --results=verified --fail
   language: golang
-  pass_filenames: false
+  pass_filenames: false

README.md

@@ -185,7 +185,7 @@ This required Cosign binary to be installed prior to running installation script
 Command:
 
 ```bash
-trufflehog git https://github.com/trufflesecurity/test_keys --only-verified
+trufflehog git https://github.com/trufflesecurity/test_keys --results=verified,unknown
 ```
 
 Expected output:
@@ -209,15 +209,15 @@ Timestamp: 2022-06-16 10:17:40 -0700 PDT
 ## 2: Scan a GitHub Org for only verified secrets
 
 ```bash
-trufflehog github --org=trufflesecurity --only-verified
+trufflehog github --org=trufflesecurity --results=verified,unknown
 ```
 
 ## 3: Scan a GitHub Repo for only verified keys and get JSON output
 
 Command:
 
 ```bash
-trufflehog git https://github.com/trufflesecurity/test_keys --only-verified --json
+trufflehog git https://github.com/trufflesecurity/test_keys --results=verified,unknown --json
 ```
 
 Expected output:
@@ -236,7 +236,7 @@ trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-co
 ## 5: Scan an S3 bucket for verified keys
 
 ```bash
-trufflehog s3 --bucket=<bucket name> --only-verified
+trufflehog s3 --bucket=<bucket name> --results=verified,unknown
 ```
 
 ## 6: Scan S3 buckets using IAM Roles
@@ -272,23 +272,23 @@ $ trufflehog git file://test_keys --only-verified
 ## 10: Scan GCS buckets for verified secrets
 
 ```bash
-trufflehog gcs --project-id=<project-ID> --cloud-environment --only-verified
+trufflehog gcs --project-id=<project-ID> --cloud-environment --results=verified,unknown
 ```
 
 ## 11: Scan a Docker image for verified secrets
 
 Use the `--image` flag multiple times to scan multiple images.
 
 ```bash
-trufflehog docker --image trufflesecurity/secrets --only-verified
+trufflehog docker --image trufflesecurity/secrets --results=verified,unknown
 ```
 
 ## 12: Scan in CI
 
 Set the `--since-commit` flag to your default branch that people merge into (ex: "main"). Set the `--branch` flag to your PR's branch name (ex: "feature-1"). Depending on the CI/CD platform you use, this value can be pulled in dynamically (ex: [CIRCLE_BRANCH in Circle CI](https://circleci.com/docs/variables/) and [TRAVIS_PULL_REQUEST_BRANCH in Travis CI](https://docs.travis-ci.com/user/environment-variables/)). If the repo is cloned and the target branch is already checked out during the CI/CD workflow, then `--branch HEAD` should be sufficient. The `--fail` flag will return an 183 error code if valid credentials are found.
 
 ```bash
-trufflehog git file://. --since-commit main --branch feature-1 --only-verified --fail
+trufflehog git file://. --since-commit main --branch feature-1 --results=verified,unknown --fail
 ```
 
 ## 13: Scan a Postman workspace
@@ -429,7 +429,7 @@ Flags:
       --github-actions      Output in GitHub Actions format.
       --concurrency=20           Number of concurrent workers.
       --no-verification     Don't verify the results.
-      --only-verified       Only output verified results.
+      --results=RESULTS          Specifies which type(s) of results to output: verified, unknown, unverified, filtered_unverified. Defaults to all types.
       --allow-verification-overlap
                                  Allow verification of similar credentials across detectors
       --filter-unverified   Only output first unverified result per chunk per detector if there are more than one results.
@@ -526,7 +526,7 @@ jobs:
     - name: Secret Scanning
       uses: trufflesecurity/trufflehog@main
       with:
-        extra_args: --only-verified
+        extra_args: --results=verified,unknown
 ```
 
 In the example config above, we're scanning for live secrets in all PRs and Pushes to `main`. Only code changes in the referenced commits are scanned. If you'd like to scan an entire branch, please see the "Advanced Usage" section below.
@@ -553,7 +553,7 @@ If you're incorporating TruffleHog into a standalone workflow and aren't running
           fetch-depth: ${{env.depth}}
       - uses: trufflesecurity/trufflehog@main
         with:
-          extra_args: --only-verified
+          extra_args: --results=verified,unknown
 ...
 ```
 
@@ -578,7 +578,7 @@ TruffleHog statically detects [https://canarytokens.org/](https://canarytokens.o
     # Scan commits until here (usually dev branch).
     head: # optional
     # Extra args to be passed to the trufflehog cli.
-    extra_args: --log-level=2 --only-verified
+    extra_args: --log-level=2 --results=verified,unknown
 ```
 
 If you'd like to specify specific `base` and `head` refs, you can use the `base` argument (`--since-commit` flag in TruffleHog CLI) and the `head` argument (`--branch` flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases, where the default behavior does not work.
@@ -591,7 +591,7 @@ If you'd like to specify specific `base` and `head` refs, you can use the `base`
         with:
           base: ""
           head: ${{ github.ref_name }}
-          extra_args: --only-verified
+          extra_args: --results=verified,unknown
 ```
 
 ## TruffleHog GitLab CI
@@ -612,7 +612,7 @@ security-secrets:
     - apk add --no-cache git curl jq
     - curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
   script:
-    - trufflehog filesystem "$SCAN_PATH" --only-verified --fail --json | jq
+    - trufflehog filesystem "$SCAN_PATH" --results=verified,unknown --fail --json | jq
   rules:
     - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
 ```
@@ -637,9 +637,9 @@ repos:
       - id: trufflehog
         name: TruffleHog
         description: Detect secrets in your data.
-        entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'
+        entry: bash -c 'trufflehog git file://. --since-commit HEAD --results=verified,unknown --fail'
         # For running trufflehog in docker, use the following entry instead:
-        # entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail'
+        # entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --results=verified,unknown --fail'
         language: system
         stages: ["commit", "push"]
 ```
@@ -678,7 +678,7 @@ detectors:
 ```
 
 ```
-$ trufflehog filesystem /tmp --config config.yaml --only-verified
+$ trufflehog filesystem /tmp --config config.yaml --results=verified,unknown
 🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷
 
 Found verified result 🐷🔑

main.go

@@ -53,8 +53,8 @@ var (
 	gitHubActionsFormat = cli.Flag("github-actions", "Output in GitHub Actions format.").Bool()
 	concurrency         = cli.Flag("concurrency", "Number of concurrent workers.").Default(strconv.Itoa(runtime.NumCPU())).Int()
 	noVerification      = cli.Flag("no-verification", "Don't verify the results.").Bool()
-	onlyVerified        = cli.Flag("only-verified", "Only output verified results.").Bool()
-	results             = cli.Flag("results", "Specifies which type(s) of results to output: verified, unknown, unverified. Defaults to all types.").Hidden().String()
+	onlyVerified        = cli.Flag("only-verified", "Only output verified results.").Hidden().Bool()
+	results             = cli.Flag("results", "Specifies which type(s) of results to output: verified, unknown, unverified, filtered_unverified. Defaults to all types.").String()
 
 	allowVerificationOverlap   = cli.Flag("allow-verification-overlap", "Allow verification of similar credentials across detectors").Bool()
 	filterUnverified           = cli.Flag("filter-unverified", "Only output first unverified result per chunk per detector if there are more than one results.").Bool()