Add reusable TruffleHog secret scanning workflow #28
```yaml
name: TruffleHog Secret Scanning

# This workflow is designed to be enforced org-wide via GitHub rulesets
# It calls the reusable TruffleHog workflow with sensible defaults for org-wide deployment

on:
  pull_request:
    types: [opened, synchronize, reopened]
  push:
    branches:
      - main

permissions:
  contents: read
  pull-requests: write
  checks: write

jobs:
  secret-scan:
    name: TruffleHog Secret Scan
    uses: ./.github/workflows/reusable-trufflehog.yml
    with:
      # Simplified workflow - only what you need
      fail-on-verified: "true"      # Always fail on real secrets
      fail-on-unverified: "false"   # Lenient for org-wide adoption
      runs-on: "ubuntu-x64-large"   # Large runner for better performance
    secrets: inherit
```
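The called file `.github/workflows/reusable-trufflehog.yml` is not part of this PR. The block below is an added illustration, not the repository's file, of a reusable workflow that exposes the three inputs the caller passes; it assumes the `trufflesecurity/trufflehog` action's `path`, `base`, `head` and `extra_args` inputs, that the action fails the step when findings are reported, and that `--only-verified` is accepted by the pinned TruffleHog version.

```yaml
# Illustrative reusable workflow (assumed layout, not the project's own file)
name: Reusable TruffleHog Scan

on:
  workflow_call:
    inputs:
      fail-on-verified:
        description: "Fail the job when a verified (live) secret is found"
        type: string
        default: "true"
      fail-on-unverified:
        description: "Also fail on findings TruffleHog could not verify"
        type: string
        default: "false"
      runs-on:
        description: "Runner label for the scan job"
        type: string
        default: "ubuntu-latest"

jobs:
  scan:
    runs-on: ${{ inputs.runs-on }}
    permissions:
      contents: read   # the scan itself only needs to read the tree
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the base..head range below resolves

      - name: TruffleHog scan
        # Pin to a release tag or commit SHA rather than a branch for supply-chain hygiene
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # On pull_request scan only the PR's commit range; on push scan the whole tree
          base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || '' }}
          head: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }}
          # With fail-on-unverified=false, report only verified secrets so the step
          # fails solely on findings the scanner confirmed are live (assumed flag)
          extra_args: ${{ inputs.fail-on-unverified == 'true' && '' || '--only-verified' }}
        # A failing step is what enforces the policy; a caller that opts out of
        # fail-on-verified gets findings in the log without a red check
        continue-on-error: ${{ inputs.fail-on-verified != 'true' }}
```

The caller's `pull-requests: write` and `checks: write` grants are not needed by this minimal scan job; keep them only if the reusable workflow also posts PR comments or check annotations.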