
Commit f610f23

Update trufflehog_readme.md
1 parent cbfc2c8 commit f610f23

1 file changed: +36 -12 lines

trufflehog_readme.md

Lines changed: 36 additions & 12 deletions
@@ -16,6 +16,18 @@ Centralized GitHub Actions workflow that automatically scans all pull requests f
1616
- Classifies secrets as verified (confirmed active) or unverified (potential match)
1717

1818
## Setup
19+
20+
### Required Permissions
21+
22+
The workflow requires these GitHub token permissions:
23+
24+
| Permission | Access | Purpose |
25+
|------------|--------|----------|
26+
| `contents` | read | Checkout repository and fetch PR commits |
27+
| `pull-requests` | write | Post and update PR comments |
28+
29+
These are configured in the workflow file and apply automatically.
30+
1931
### Set Default Exclusions (Optional)
2032

2133
Set organization-wide exclusion patterns:
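Review bot: the new Required Permissions table (the `pull-requests` write row and the sentence "These are configured in the workflow file and apply automatically") should also say which event triggers the workflow, because the README elsewhere promises full support for PRs from forked repositories, and on a `pull_request` event the GITHUB_TOKEN for a fork PR is read-only, so the write grant is not honored and the "Post and update PR comments" step cannot work for those PRs. If the workflow uses `pull_request_target` to obtain write access for forks, document that here together with the care needed when checking out the PR head under that event.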
@@ -151,23 +163,30 @@ Parse results and create annotations
151163
secrets found secrets only found
152164
| | |
153165
v v v
154-
Error annotations Warning annotations Check for
155-
on files on files previous comment
166+
Error annotations Warning annotations Check for previous
167+
(red) on files (yellow) on files CRITICAL comment
156168
| | |
157169
v v +-----+-----+
158170
Post CRITICAL Post Warning | |
159171
PR comment PR comment v v
160-
(blocking) (non-blocking) Was it No previous
161-
| | CRITICAL? comment
172+
(blocking) (non-blocking) Was Not blocking
173+
| | CRITICAL? or no comment
162174
v v | |
163175
FAIL workflow PASS workflow v v
164-
PR blocked PR can proceed Update to Do nothing
165-
"Passed" (clean PR)
166-
|
176+
PR blocked PR allowed Update to Do nothing
177+
"Passed" (keep warning
178+
| if exists)
167179
v
168180
PASS workflow
169181
```
170182

183+
**Key behaviors:**
184+
- **Verified secrets** → Error annotations + CRITICAL comment + workflow fails
185+
- **Unverified only** → Warning annotations + Warning comment + workflow passes
186+
- **Clean after CRITICAL** → Comment updated to "Passed"
187+
- **Clean after Warning** → Warning comment stays (for visibility)
188+
- **Always clean** → No comment posted
189+
171190
**Scan scope:** Only files modified in the PR are scanned, not the entire repository.
172191

173192
## Secret Classification
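Review bot: the "Clean after Warning → Warning comment stays (for visibility)" behavior, also shown in the diagram's "Do nothing (keep warning if exists)" branch, leaves a stale comment on a PR whose latest push no longer contains the unverified match, and a reviewer reading that comment has no way to tell it refers to an earlier commit. Consider updating the existing warning comment to say the match is no longer present in the current head (mirroring the "Update to Passed" handling for CRITICAL), or state in the list that the warning comment reflects an earlier push. Minor: the diagram says "PR allowed" while the Key behaviors list says "workflow passes"; use one phrase for the same outcome.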
@@ -276,11 +295,16 @@ The workflow fully supports PRs from forked repositories:
276295
## Viewing Results
277296

278297
1. Go to the **Pull Request** > **Checks** tab
279-
2. Look for **TruffleHog Secret Scan** commit status
280-
3. If secrets are found:
281-
- A PR comment will be posted with remediation steps
282-
- Click the status link to view detailed logs
283-
4. View logs for:
298+
2. Look for **TruffleHog Secret Scan / Scan PR for Secrets**
299+
3. Check the workflow result:
300+
- **Failed** = Verified secrets found (PR blocked)
301+
- **Passed with warnings** = Only unverified secrets (review recommended)
302+
- **Passed** = No secrets detected
303+
4. If secrets are found:
304+
- Check the **Annotations** panel for file/line locations
305+
- Review the PR comment for remediation steps
306+
- Click the workflow link to view detailed logs
307+
5. Logs show:
284308
- Applied exclusion patterns
285309
- Detected secrets (file, line, secret type)
286310
- Verification status (verified = confirmed active)
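Review bot: step 3's "Passed with warnings" is not a result GitHub displays for a workflow run; a job that only emitted warning annotations still reports plain success, so a reader looking for that label will not find it. Suggest rewording the second bullet to `- **Passed** with warning annotations and a Warning PR comment = Only unverified secrets (review recommended)` and keeping `**Passed**` with no annotations or comment for the clean case. Also, step 5's "Detected secrets (file, line, secret type)" should state whether the log prints the matched value or a redacted form, since workflow logs are retained and visible to anyone who can view the run.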
