Update trufflehog-scan.yml

Author: GAdityaVarma

.github/workflows/trufflehog-scan.yml

@@ -60,15 +60,16 @@ jobs:
       - name: Setup exclude config
         id: config
         run: |
-          if [ -n "${{ vars.TRUFFLEHOG_EXCLUDES }}" ]; then
-            echo "Using repo/org-level TRUFFLEHOG_EXCLUDES variable"
-            # Support both comma-separated and newline-separated patterns
-            echo "${{ vars.TRUFFLEHOG_EXCLUDES }}" | tr ',' '\n' | sed '/^$/d' > .trufflehog-ignore
-          else
-            echo "Using default exclusions from central workflow"
-            cat << 'EOF' > .trufflehog-ignore
+          # Always include default exclusions first
+          echo "Adding default exclusions..."
+          cat << 'EOF' > .trufflehog-ignore
           ${{ env.DEFAULT_EXCLUDES }}
           EOF
+          
+          # Append user-defined exclusions if set (additive, not replacement)
+          if [ -n "${{ vars.TRUFFLEHOG_EXCLUDES }}" ]; then
+            echo "Adding repo/org-level TRUFFLEHOG_EXCLUDES patterns..."
+            echo "${{ vars.TRUFFLEHOG_EXCLUDES }}" | tr ',' '\n' | sed '/^$/d' >> .trufflehog-ignore
           fi
           
           echo "Exclusion patterns:"
@@ -105,27 +106,37 @@ jobs:
         with:
           script: |
             const commentMarker = '<!-- TRUFFLEHOG-SCAN-COMMENT -->';
+            const commitSha = '${{ github.event.pull_request.head.sha }}';
+            const shortSha = commitSha.substring(0, 7);
+            const scanTime = new Date().toISOString().replace('T', ' ').substring(0, 19) + ' UTC';
+            
             const body = `${commentMarker}
-            ## :rotating_light: Secret Scanning Alert
-
-            **TruffleHog detected potential secrets in this pull request.**
-
-            ### What to do:
-            1. **Review the workflow logs** for detailed findings (file, line number, secret type)
-            2. **Remove the exposed secret** from your code
-            3. **Rotate the credential immediately** - assume it's compromised
-            4. **Push the fix** to this branch
-
-            ### Finding Details
-            Check the [workflow run logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for:
-            - File paths containing secrets
-            - Line numbers
-            - Secret types (API key, password, token, etc.)
-            - Verification status (verified = confirmed active)
-
-            ---
-            *This scan only checks files modified in this PR. Secrets are classified as **verified** (confirmed active) or **unverified** (potential match).*
-            `;
+## :rotating_light: Secret Scanning Alert
+
+**TruffleHog detected potential secrets in this pull request.**
+
+| Scan Details | |
+|--------------|---|
+| **Commit** | [\`${shortSha}\`](${{ github.server_url }}/${{ github.repository }}/commit/${commitSha}) |
+| **Scanned At** | ${scanTime} |
+| **Workflow Run** | [View Logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) |
+
+### What to do:
+1. **Remove the exposed secret** from your code
+2. **Rotate the credential immediately** - assume it's compromised
+3. **Push the fix** to this branch
+4. The scan will re-run automatically
+
+### Finding Details
+Check the [workflow run logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for:
+- File paths containing secrets
+- Line numbers
+- Secret types (API key, password, token, etc.)
+- Verification status (verified = confirmed active)
+
+---
+*Only files modified in this PR were scanned. Secrets are classified as **verified** (confirmed active) or **unverified** (potential match).*
+`;
 
             // Find existing comment
             const { data: comments } = await github.rest.issues.listComments({