Update TruffleHog workflow to handle resolved secrets

GAdityaVarma · GAdityaVarma · commit 174b7d065ed0 · 2026-01-08T18:25:03.000+05:30
Adds a workflow step to update the PR comment when previously detected secrets are resolved, marking the PR as clear. Updates documentation to clarify that exclusion patterns are additive, describes the new comment update behavior, and improves the remediation and PR comment sections for clarity.
diff --git a/.github/workflows/trufflehog-scan.yml b/.github/workflows/trufflehog-scan.yml
@@ -164,6 +164,57 @@ Check the [workflow run logs](${{ github.server_url }}/${{ github.repository }}/
               });
             }
 
+      - name: Update PR comment when secrets resolved
+        if: steps.process.outputs.has_secrets == 'false' && github.event_name != 'workflow_dispatch'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const commentMarker = '<!-- TRUFFLEHOG-SCAN-COMMENT -->';
+            const commitSha = '${{ github.event.pull_request.head.sha }}';
+            const shortSha = commitSha.substring(0, 7);
+            const scanTime = new Date().toISOString().replace('T', ' ').substring(0, 19) + ' UTC';
+            
+            // Check if there's an existing alert comment from a previous failed scan
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              per_page: 100
+            });
+            
+            const existing = comments.find(c => c.body && c.body.includes(commentMarker));
+            
+            // Only update if there was a previous alert - don't create new comments for clean scans
+            if (existing) {
+              const resolvedBody = `${commentMarker}
+## :white_check_mark: Secret Scanning Passed
+
+**Previously detected secrets have been resolved.**
+
+| Scan Details | |
+|--------------|---|
+| **Commit** | [\`${shortSha}\`](${{ github.server_url }}/${{ github.repository }}/commit/${commitSha}) |
+| **Scanned At** | ${scanTime} |
+| **Workflow Run** | [View Logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) |
+
+The secrets flagged in previous scans are no longer detected in the modified files.
+
+---
+*This PR is now clear of detected secrets. Remember to rotate any credentials that were previously exposed.*
+`;
+              
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body: resolvedBody
+              });
+              
+              console.log('Updated existing alert comment to show resolved status');
+            } else {
+              console.log('No previous alert comment found - scan passed cleanly');
+            }
+
       - name: Set commit status
         if: github.event_name != 'workflow_dispatch'
         uses: actions/github-script@v7
diff --git a/trufflehog_readme.md b/trufflehog_readme.md
@@ -88,14 +88,14 @@ Exclusions are configured via the `TRUFFLEHOG_EXCLUDES` variable using regex pat
 
 ## Override at Repository Level
 
-Individual repos can override org defaults:
+Individual repos can add additional exclusions on top of the defaults:
 
 1. Go to **Repository** > **Settings** > **Secrets and variables** > **Actions**
 2. Click **Variables** tab > **New repository variable**
 3. Name: `TRUFFLEHOG_EXCLUDES`
 4. Value: Your comma-separated regex patterns
 
-This completely replaces org-level patterns for that repository.
+**Exclusions are additive:** Your patterns are combined with the default exclusions. You don't need to repeat common patterns like `node_modules/` or `.lock` files.
 
 ## Default Exclusions
 
@@ -166,15 +166,22 @@ Determine PR Type
         Secrets found           No secrets found
               |                       |
               v                       v
-      Post PR comment          Set commit status
-      with findings               to success
-              |                       |
-              v                       v
-      Set commit status         PASS - PR allowed
-        to failure
-              |
-              v
-        FAIL - PR blocked
+      Post/Update PR           Check for previous
+      comment with               alert comment
+        findings                      |
+              |              +--------+--------+
+              |              |                 |
+              v              v                 v
+      Set commit status   Exists?           No comment
+        to failure           |             (clean PR)
+              |              v                 |
+              v         Update to             v
+        FAIL - PR       "Resolved"      Set commit status
+         blocked          status          to success
+                             |                 |
+                             v                 v
+                       Set commit        PASS - PR allowed
+                       to success
 ```
 
 **Scan scope:** Only files modified in the PR are scanned, not the entire repository.
@@ -190,12 +197,27 @@ TruffleHog classifies detected secrets into two categories:
 
 ## PR Comments
 
-When secrets are detected, the workflow automatically posts a comment on the PR with:
+The workflow manages PR comments to provide clear feedback throughout the remediation process:
+
+### When Secrets Are Detected
+
+A comment is posted with:
+- Commit SHA that was scanned
+- Timestamp of the scan
 - Link to workflow logs for detailed findings
 - Instructions for removing and rotating secrets
 - Information about file paths, line numbers, and secret types
 
-When no secrets are found, no comment is posted to keep the PR clean.
+### When Secrets Are Resolved
+
+If you fix the secrets and push again:
+- The **same comment is updated** to show a "Passed" status
+- Shows the new commit SHA that resolved the issue
+- Includes a reminder to rotate any previously exposed credentials
+
+### Clean PRs
+
+If a PR never had secrets detected, no comment is posted to keep the PR clean.
 
 ## Workflow Triggers
 
@@ -240,8 +262,9 @@ If the scan fails:
 2. **Rotate the secret** immediately (assume it's compromised)
 3. **Push the fix** to your PR branch
 4. Scan re-runs automatically
+5. PR comment updates to show "Resolved" status when fixed
 
-**For false positives:** Add the file/pattern to repo-level `TRUFFLEHOG_EXCLUDES` or request an update to org-level patterns.
+**For false positives:** Add the file/pattern to repo-level `TRUFFLEHOG_EXCLUDES` (patterns are additive to defaults).
 
 ## Manual Scan
 
