Add reusable TruffleHog secret scanning workflow #73
- Migrated from shared-workflows repo for better organization
- Supports filesystem and git history scanning
- Configurable scan scope (full-repo, changed-files, both)
- Optimized with entropy filtering and exclusions
- Posts PR comments and creates GitHub status checks
- Ready for org rulesets integration

- Allows organizations to specify custom runners
- Maintains backward compatibility with ubuntu-latest default
- Enhances workflow flexibility for org-wide deployment

- Creates org-required-trufflehog.yml that calls the reusable workflow
- Optimized settings for org-wide deployment (changed-files, lenient)
- Designed to be enforced via GitHub organization rulesets
- Maintains separation: reusable workflow for flexibility, required workflow for enforcement
- Add JSON validation before processing with jq
- Handle invalid JSON gracefully with fallback values
- Add error handling for all jq commands
- Filter empty lines from NDJSON before conversion
- Prevent 'Cannot index array with string' errors
- Ensure workflow continues even with malformed TruffleHog output
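As an added example (not code from this PR), here is how a scanner wrapper can treat TruffleHog's NDJSON output defensively in the way the commit above describes: skip empty lines, drop lines that are not JSON objects instead of aborting the job, and then apply a verified/unknown/unverified failure policy. The sample output is constructed; the field names (DetectorName, Verified, VerificationError, SourceMetadata) follow TruffleHog's JSON output as I understand it, and the policy names are my own.

```python
import json
from collections import Counter

# Constructed TruffleHog NDJSON output (one JSON object per line). It includes
# a blank line and a truncated line to exercise the validation path.
SAMPLE_NDJSON = """\
{"DetectorName":"AWS","Verified":false,"SourceMetadata":{"Data":{"Filesystem":{"file":"test-secrets-sample.txt","line":3}}}}

{"DetectorName":"Github","Verified":true,"SourceMetadata":{"Data":{"Git":{"file":"config.py","line":12,"commit":"0000000"}}}}
{"DetectorName":"Slack","Verified":fal
{"DetectorName":"JWT","Verified":false,"VerificationError":"timeout","SourceMetadata":{"Data":{"Filesystem":{"file":"test-secrets-sample.txt","line":9}}}}
"""


def parse_ndjson(text):
    """Return (findings, bad_line_count). Empty lines are skipped before parsing;
    lines that fail to parse, or parse to something other than an object, are
    counted and dropped so a single bad line cannot take the whole step down."""
    findings, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if not isinstance(obj, dict):   # indexing an array by key is the jq error above
            bad += 1
            continue
        findings.append(obj)
    return findings, bad


def classify(finding):
    """verified: the detector confirmed the credential is live;
    unknown: verification was attempted but errored; unverified: everything else."""
    if finding.get("Verified"):
        return "verified"
    if finding.get("VerificationError"):
        return "unknown"
    return "unverified"


def should_fail(findings, policy):
    """policy 'verified' fails only on live secrets, 'verified-unknown' also on
    findings whose verification errored, 'any' on every finding."""
    kinds = Counter(classify(f) for f in findings)
    if policy == "any":
        return sum(kinds.values()) > 0
    if policy == "verified-unknown":
        return kinds["verified"] + kinds["unknown"] > 0
    return kinds["verified"] > 0
```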
- Changed from 'Organization Required - TruffleHog Secret Scan'
- More user-friendly name for GitHub Actions UI
- Cleaner appearance in org rulesets and status checks
Removed:
- Debug/test code checking for test-secrets.txt
- Excessive verbose logging and debug output
- Unused verify-secrets input parameter
- Redundant echo statements and file size checks
- Overly verbose comments

Benefits:
- Cleaner, more professional output
- Faster execution (less logging overhead)
- Easier to read and maintain
- Reduced noise in GitHub Actions logs

- Add scan scope and type to initial log message
- Helps with debugging and understanding workflow execution
- Minor improvement for better visibility into scan parameters

- Change comment identifier from workflow/job specific to static identifier
- Use 'trufflehog-secret-scan-comment' instead of dynamic workflow names
- Ensures all TruffleHog workflows can minimize each other's comments
- Fixes issue where multiple TruffleHog workflows create duplicate comments
- Org rulesets are already enforcing TruffleHog scans
- Prevents duplicate workflow executions
- Keeps only the reusable workflow for flexibility
- Eliminates duplicate status checks in PRs

- Org rulesets weren't set up yet, so removing this broke TruffleHog scans
- Restore the workflow to maintain security scanning
- Will remove this once org rulesets are properly configured
- Keeps TruffleHog protection active in the meantime
- Eliminates duplicate check runs that cause 'No check run found' errors
- Workflow job status already provides all necessary information
- Prevents confusion between automatic job checks and custom checks
- Fixes check run ID mismatch issues when clicking on status checks
- Contains fake/invalid secrets with common patterns
- Designed to trigger TruffleHog detectors for testing
- Safe for testing - no real credentials
- Includes AWS, GitHub, Slack, API keys, and other common patterns
- Add comment to ensure file shows as changed in PR
- Should trigger TruffleHog scan on changed files
- Contains multiple fake secret patterns for testing

- Temporarily change from changed-files to full-repo
- Ensures TruffleHog scans the entire repository including test secrets
- Should detect the fake secrets in test-secrets-sample.txt
- Lower entropy filtering from 3.0 to 2.0 for better detection
- Remove --filter-unverified flag to catch more potential secrets
- Update test secrets with more realistic patterns and higher entropy
- Add JWT token and improve existing secret patterns
- Should now detect the test secrets properly
- Show .txt files found in directory
- Display filesystem scan results file size
- Help diagnose why test-secrets-sample.txt isn't being detected
- Temporary debugging to understand scan behavior
- Remove entropy filtering that was blocking detection
- Add 'unknown' results to catch all potential secrets
- Remove --filter-unverified flag completely
- Simplified scan commands to be more aggressive
- Should now detect test secrets in .txt files

- Updated TRUFFLEHOG_VERSION to use ratchet format
- Follows same pattern as zizmor workflow
- Renovate will automatically update TruffleHog to latest versions
- Format: # ratchet:trufflesecurity/[email protected]
- Changed from ratchet format to proper Renovate datasource format
- Uses 'datasource=github-releases depName=trufflesecurity/trufflehog'
- Matches the pattern used in shared-workflows/reusable-zizmor.yml
- Renovate will now properly track TruffleHog GitHub releases
- Added regex matcher to detect '# renovate: datasource=...' patterns
- Matches the same pattern used in shared-workflows
- Will automatically update TRUFFLEHOG_VERSION when new releases are available
- Enables automated dependency management for security tools
Pull Request Overview
Introduces organization-wide and reusable TruffleHog secret scanning workflows plus supporting pre-commit script and Renovate configuration. Key changes center on adding a parameterized reusable workflow, an org-enforced wrapper workflow, an enhanced local/pre-commit scanning script, and a Renovate custom manager for maintaining TruffleHog versions.
- Added reusable GitHub Actions workflow for flexible TruffleHog scanning (with reporting and failure policies)
- Added org-required wrapper workflow invoking the reusable workflow with opinionated defaults
- Enhanced pre-commit TruffleHog script and added Renovate regex manager to track versions/digests
Reviewed Changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| renovate.json | Adds custom regex manager to let Renovate track TruffleHog image/tool versions in workflow files. |
| pre-commit/trufflehog.sh | Replaces simple invocation with configurable, JSON-processing scanner including custom detectors and exclusion logic. |
| .github/workflows/reusable-trufflehog.yml | New reusable workflow implementing scoped or full-repo scans, PR commenting, artifact generation, and failure policy controls. |
| .github/workflows/org-required-trufflehog.yml | Org-level wrapper invoking the reusable workflow with standard org-wide defaults. |
- Removed all the complex Grafana-specific patterns and configuration
- Removed custom canary token detection and alerts
- Removed colored output and verbose logging
- Back to the clean, simple Docker-based script
- Focuses on core TruffleHog functionality without extras
- Updated from 3.82.13 to 3.89.2 (latest available)
- Includes several months of security fixes and improvements
- Renovate will handle future updates automatically
Pull Request Overview
Copilot reviewed 4 out of 5 changed files in this pull request and generated 7 comments.
Co-authored-by: Copilot <[email protected]>
- Replace unpinned install script with direct binary download from GitHub releases
- Eliminates risk of mutable main branch script being compromised
- Downloads specific versioned binary directly from trusted GitHub releases
- More secure and deterministic installation process
- Addresses supply chain security best practices
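As an added example (not the PR's own install step), the check that a versioned download should add on top of the version pin described above: compare the fetched archive against a SHA-256 recorded in the workflow itself, because a release tag and the checksums file published next to it are both mutable by whoever controls the upstream repository. The archive bytes and checksums file below are constructed stand-ins so the check runs offline; the GitHub releases/download URL shape is real, the asset naming pattern is an assumption.

```python
import hashlib

# Constructed stand-ins for what a workflow step would download. A real step
# fetches the archive and checksums file from the versioned release URL.
VERSION = "3.89.2"
ASSET = f"trufflehog_{VERSION}_linux_amd64.tar.gz"          # naming pattern assumed
ARCHIVE = b"constructed-archive-bytes: not a real tarball\n"
PINNED_SHA256 = hashlib.sha256(ARCHIVE).hexdigest()        # value the workflow hard-codes
CHECKSUMS = (
    f"{PINNED_SHA256}  {ASSET}\n"
    f"{'0' * 64}  trufflehog_{VERSION}_darwin_arm64.tar.gz\n"
)


def release_asset_url(version: str, goos: str, goarch: str) -> str:
    """Versioned asset URL on GitHub's releases/download path (asset name assumed)."""
    asset = f"trufflehog_{version}_{goos}_{goarch}.tar.gz"
    return f"https://github.com/trufflesecurity/trufflehog/releases/download/v{version}/{asset}"


def digest_from_checksums(checksums: str, asset: str):
    """Look up the sha256 listed for exactly `asset` in a sha256sum-style file.
    Use it once, when bumping the version, to obtain the value to pin; it is not
    a substitute for pinning because the file ships with the same release."""
    for line in checksums.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == asset:
            return parts[0].lower()
    return None


def verify_download(archive: bytes, pinned_sha256: str) -> bool:
    """Accept the archive only if its SHA-256 equals the digest pinned in the workflow."""
    if len(pinned_sha256) != 64:
        return False                      # empty or malformed pin never passes
    return hashlib.sha256(archive).hexdigest() == pinned_sha256.lower()
```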
- Replace invalid hash with correct commit hash for v4.4.0
- Fixes workflow execution error where action could not be found
- Uses proper SHA commit hash for security pinning
Co-authored-by: Copilot <[email protected]>
LGTM, just a couple of nits
Co-authored-by: James C <[email protected]>
- Include pre-commit/*.sh files in Renovate file matching
- Will now automatically update TruffleHog versions in shell scripts
- Ensures consistent version management across all TruffleHog usage
TruffleHog Scan Results
No secrets detected in this PR.
This pull request introduces a comprehensive overhaul of secret scanning infrastructure for the repository, focusing on both CI/CD and developer workflows. The main improvements are the addition of a reusable GitHub Actions workflow for TruffleHog-based secret scanning and a Renovate configuration to keep TruffleHog dependencies up to date.
Secret scanning infrastructure:
- .github/workflows/org-required-trufflehog.yml to enforce TruffleHog secret scanning on all pull requests and pushes to main, using a reusable workflow and sensible defaults for organization-wide adoption.
- .github/workflows/reusable-trufflehog.yml, a parameterized, reusable workflow for TruffleHog scanning that supports custom runner selection, configurable failure policies, PR commenting, artifact upload, and detailed reporting.

Dependency management:
- renovate.json to add a custom manager for tracking TruffleHog versions and digests in GitHub Actions workflows.