Add reusable TruffleHog secret scanning workflow #10
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: TruffleHog Secret Scanning | |
| # This workflow is designed to be enforced org-wide via GitHub rulesets | |
| # It calls the reusable TruffleHog workflow with sensible defaults for org-wide deployment | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| push: | |
| branches: | |
| - main | |
| - master | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| checks: write | |
| jobs: | |
| secret-scan: | |
| name: TruffleHog Secret Scan | |
| uses: ./.github/workflows/reusable-trufflehog.yml | |
| with: | |
| # Optimized settings for org-wide deployment | |
| scan-type: "filesystem" # Fast: current files only | |
| scan-scope: "changed-files" # PR-focused: only scan changes | |
| fail-on-verified: "true" # Always fail on real secrets | |
| fail-on-unverified: "false" # Lenient for org-wide adoption | |
| runs-on: "ubuntu-latest" # Standard runner | |
| secrets: inherit |