Is your enhancement related to a problem? Please describe.
We need to prevent secrets and API keys from being committed to our codebase. While we're careful, credentials can slip through during development. Adding a TruffleHog GitHub Action to our CI/CD pipeline will help prevent this. The workflow will scan commits for exposed secrets, block merges when secrets are detected, and run automatically on pull requests. This automated check will catch leaked credentials before they reach production, prevent security vulnerabilities, and maintain our code quality standards.
Here is what I am using in an existing project.
```yaml
name: Secret Scanning

on:
  pull_request:

jobs:
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history so the PR's commits can be diffed against the base branch
          fetch-depth: 0

      - name: Trufflehog exclusions
        # Create a default exclude list only if the repo does not ship its own
        run: |
          if [ ! -f .trufflehog-exclude.txt ]; then
            echo "# Paths to exclude from TruffleHog scanning" > .trufflehog-exclude.txt
            echo "node_modules/" >> .trufflehog-exclude.txt
            echo "vendor/" >> .trufflehog-exclude.txt
            echo "dist/" >> .trufflehog-exclude.txt
            echo "build/" >> .trufflehog-exclude.txt
          fi

      - name: Run Trufflehog on latest commits
        id: trufflehog
        # @main is a moving target; pinning to a release tag or commit SHA keeps the action reviewable
        uses: trufflesecurity/trufflehog@main
        # Let the job continue so the explicit failure step below reports the outcome
        continue-on-error: true
        with:
          path: ./
          # Report verified secrets and ones whose verification was inconclusive,
          # skipping any path matched by a regex in the exclude file
          extra_args: --results=verified,unknown --exclude-paths .trufflehog-exclude.txt

      - name: Trufflehog Scan Failure
        if: steps.trufflehog.outcome == 'failure'
        run: exit 1
```
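The workflow above fails the job on any reported finding. As an added example (not part of this issue or of TruffleHog itself), the script below shows a finer gate over TruffleHog's JSON-lines output: it applies the same `.trufflehog-exclude.txt` regex semantics, fails only on verified secrets, and lists inconclusive ones as warnings. The sample output and exclude file are constructed inline; the field names `DetectorName`, `Verified`, `Redacted` and `SourceMetadata.Data.Git` follow what `trufflehog --json` emits, but treat that shape as an assumption and check it against the version you run. Only the redacted form is ever printed, so the raw secret never lands in CI logs.

```python
"""Gate a CI job on TruffleHog JSON findings (added example, not the project's code)."""
import json
import re
import sys
from dataclasses import dataclass

# Constructed sample of TruffleHog-style JSON-lines output. Field names are
# assumed from `trufflehog --json`; the values are made up for this example.
SAMPLE_OUTPUT = """\
{"DetectorName":"AWS","Verified":true,"Redacted":"AKIA****","SourceMetadata":{"Data":{"Git":{"commit":"abc123","file":"config/prod.env","line":3}}}}
{"DetectorName":"Slack","Verified":false,"Redacted":"xoxb-****","SourceMetadata":{"Data":{"Git":{"commit":"abc123","file":"src/notify.py","line":12}}}}
{"DetectorName":"Generic","Verified":false,"Redacted":"****","SourceMetadata":{"Data":{"Git":{"commit":"def456","file":"node_modules/foo/index.js","line":1}}}}
"""

# Same content the workflow writes to .trufflehog-exclude.txt (constructed copy).
EXCLUDE_FILE = """\
# Paths to exclude from TruffleHog scanning
node_modules/
vendor/
dist/
build/
"""


@dataclass
class Finding:
    detector: str
    verified: bool
    redacted: str
    path: str
    commit: str
    line: int


def load_exclusions(text: str) -> list:
    """One regex per line; blank lines and '#' comments are skipped."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def is_excluded(path: str, patterns: list) -> bool:
    """Unanchored match, mirroring how TruffleHog applies --exclude-paths."""
    return any(p.search(path) for p in patterns)


def parse_findings(text: str) -> list:
    """Parse JSON-lines output into Finding records (assumed field layout)."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        obj = json.loads(raw)
        git = obj.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        findings.append(Finding(
            detector=obj.get("DetectorName", "unknown"),
            verified=bool(obj.get("Verified", False)),
            redacted=obj.get("Redacted", "****"),
            path=git.get("file", ""),
            commit=git.get("commit", ""),
            line=int(git.get("line", 0)),
        ))
    return findings


def gate(output_text: str, exclude_text: str):
    """Return (exit_code, verified, inconclusive) after applying exclusions.

    exit_code is 1 when at least one verified secret survives the exclusions,
    0 otherwise; inconclusive findings are reported but do not block.
    """
    patterns = load_exclusions(exclude_text)
    kept = [f for f in parse_findings(output_text) if not is_excluded(f.path, patterns)]
    verified = [f for f in kept if f.verified]
    inconclusive = [f for f in kept if not f.verified]
    return (1 if verified else 0), verified, inconclusive


if __name__ == "__main__":
    code, verified, inconclusive = gate(SAMPLE_OUTPUT, EXCLUDE_FILE)
    for f in verified:
        print(f"BLOCK  {f.detector} {f.path}:{f.line} ({f.commit}) {f.redacted}")
    for f in inconclusive:
        print(f"WARN   {f.detector} {f.path}:{f.line} ({f.commit}) {f.redacted}")
    sys.exit(code)
```

In the workflow this would replace the `exit 1` step: run TruffleHog with `--json` added to `extra_args`, pipe its output into the script, and let the script's exit code decide the job. Blocking only on verified results avoids merge friction from unverifiable matches while still surfacing them for review.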
Designs
No response
Describe alternatives you've considered
No response
Code of Conduct