Update gcr.io/oss-fuzz-base/base-builder-python Docker digest to e0e18de #1599

Workflow file for this run

name: trufflehog (secret scanning)
# Scan commits and PRs for accidentally-committed secrets (API keys,
# private keys, tokens). trufflehog is OSS / free for orgs too -
# gitleaks-action requires a paid GITLEAKS_LICENSE for organization
# accounts, so we use trufflehog as the public-org-friendly alternative.
#
# Ref: #1273
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "23 6 * * 1" # Weekly, Monday 06:23 UTC
  workflow_dispatch:
concurrency:
  group: trufflehog-${{ github.ref }}
  cancel-in-progress: true
permissions:
  contents: read
jobs:
  trufflehog:
    name: trufflehog scan
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Full history so trufflehog can scan all commits introduced by
          # the PR (it diffs base..head).
          fetch-depth: 0
          # The scan only reads the checkout; don't leave the job token in
          # .git/config where a later step (or the scanned tool) could read it.
          persist-credentials: false
      - name: Run trufflehog
        uses: trufflesecurity/trufflehog@d411fff7b8879a62509f3fa98c07f247ac089a51 # v3.95.5
        with:
          # Only report verified secrets - keeps signal-to-noise high and
          # lets the job act as a hard gate. Unknown / unverified results
          # are dominated by test-fixture connection strings like
          # `postgres://user:pass@host` that trufflehog cannot probe but
          # are not real credentials; gating on those forced every push
          # to main red without a real leak.
          extra_args: --results=verified
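The workflow above relies on three hardening choices that are easy to lose in a later edit: both actions are pinned to a full commit SHA rather than a tag, the GITHUB_TOKEN is read-only at workflow and job level, and the checkout does not persist credentials. Added here as an example (not part of the workflow or the project's own tooling) is a stdlib-only Python check that enforces those three properties on a workflow file. The two inputs are constructed for the example: the first is this page's workflow with its indentation restored and comments trimmed, the second is a hypothetical weakened copy so that each rule has something to flag. The rule names and the `audit_workflow` function are this example's own.

```python
import re

# Constructed input A: the trufflehog workflow from this page with its
# indentation restored. It should pass every check below.
HARDENED_WORKFLOW = """\
name: trufflehog (secret scanning)
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
jobs:
  trufflehog:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Run trufflehog
        uses: trufflesecurity/trufflehog@d411fff7b8879a62509f3fa98c07f247ac089a51 # v3.95.5
        with:
          extra_args: --results=verified
"""

# Constructed input B (hypothetical, not from the page): the same job with the
# hardening stripped out, so each check has something to flag.
WEAK_WORKFLOW = """\
name: weak
on: [pull_request]
permissions:
  contents: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --results=verified
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
SHA_PIN_RE = re.compile(r"@[0-9a-f]{40}$")  # full commit SHA, not a movable tag or branch
PERMS_RE = re.compile(r"^(\s*)permissions:\s*(\S+)?\s*$")
PERM_ENTRY_RE = re.compile(r"^\s*([\w-]+):\s*(\S+)")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _step_lines(lines: list[str], idx: int) -> list[str]:
    """All lines of the list item (step) that contains the `uses:` at lines[idx]."""
    key_col = lines[idx].index("uses:")
    start = idx
    if not lines[idx].lstrip().startswith("-"):
        # `uses:` is not the first key of the step: include the step's earlier
        # keys (e.g. a `with:` block written above it) down to the `- ` line.
        while start > 0 and (not lines[start - 1].strip() or _indent(lines[start - 1]) >= key_col):
            start -= 1
    end = idx + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) >= key_col):
        end += 1
    return lines[start:end]


def audit_workflow(text: str) -> list[str]:
    """Return one finding per violated rule; an empty list means the file passes."""
    findings: list[str] = []
    lines = text.splitlines()
    perm_indent = None  # indent of an open `permissions:` block, if any
    for i, line in enumerate(lines, 1):
        if perm_indent is not None:
            if line.strip() and _indent(line) <= perm_indent:
                perm_indent = None  # block closed; fall through and inspect this line
            else:
                m = PERM_ENTRY_RE.match(line)
                if m and m.group(2) == "write":
                    findings.append(f"line {i}: GITHUB_TOKEN granted '{m.group(1)}: write'")
                continue
        m = PERMS_RE.match(line)
        if m:
            if m.group(2) is None:
                perm_indent = len(m.group(1))
            elif m.group(2) == "write-all":
                findings.append(f"line {i}: 'permissions: write-all'")
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)  # trailing '# vX.Y.Z' comments are already excluded by \S+
        if "@" in ref and not ref.startswith("docker://") and not SHA_PIN_RE.search(ref):
            findings.append(f"line {i}: action not pinned to a full commit SHA: {ref}")
        if ref.startswith("actions/checkout@"):
            if not any(PERSIST_FALSE_RE.match(s) for s in _step_lines(lines, i - 1)):
                findings.append(f"line {i}: actions/checkout without 'persist-credentials: false'")
    return findings


if __name__ == "__main__":
    for name, wf in (("hardened", HARDENED_WORKFLOW), ("weak", WEAK_WORKFLOW)):
        print(f"{name}: {audit_workflow(wf) or 'OK'}")
```

Run against this page's workflow the check returns no findings; against the weakened copy it reports the write permission, the two tag-pinned actions, and the checkout that keeps its token. The line-based walk is deliberate: it needs no YAML dependency and the three rules only depend on indentation-delimited blocks, but a workflow that uses YAML anchors or flow mappings for `permissions:` would need a real parser.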