From 4d122ab672d92fc8dd92757bb8ef9ee4e8ffd32d Mon Sep 17 00:00:00 2001 From: Brijesh Kumar Patel Date: Thu, 18 Dec 2025 12:26:09 +0530 Subject: [PATCH 1/5] PDP-684: TruffleHog workflow checked in --- .github/workflows/trufflehog-scan.yml | 33 +++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/trufflehog-scan.yml diff --git a/.github/workflows/trufflehog-scan.yml b/.github/workflows/trufflehog-scan.yml new file mode 100644 index 0000000..8c32321 --- /dev/null +++ b/.github/workflows/trufflehog-scan.yml @@ -0,0 +1,33 @@ +name: TruffleHog Scan +on: + workflow_call: + +jobs: + trufflehog-scan: + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + + - name: Prepare scan arguments + id: prep + shell: bash + run: | + ARGS="--json --fail" + # Only add exclude-paths if file exists + if [ -f ".trufflehog-exclude" ]; then + ARGS="$ARGS --exclude-paths=.trufflehog-exclude" + fi + echo "args=${ARGS}" >> "$GITHUB_OUTPUT" + + - name: Secret Scanning + uses: trufflesecurity/trufflehog@main + with: + base: ${{ github.event.pull_request.base.sha }} + head: ${{ github.event.pull_request.head.sha }} + extra_args: ${{ steps.prep.outputs.args }} \ No newline at end of file From 5407f97b8f766845d6ffc6070ebd21bb105b7df3 Mon Sep 17 00:00:00 2001 From: Brijesh Kumar Patel Date: Thu, 18 Dec 2025 12:33:41 +0530 Subject: [PATCH 2/5] PDP-684: Template updated, added trufflehog --- templates/pr-workflow.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/templates/pr-workflow.yml b/templates/pr-workflow.yml index 9dd50b5..b10103d 100644 --- a/templates/pr-workflow.yml +++ b/templates/pr-workflow.yml 
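Review bot: The scanner is pulled from a mutable branch, `uses: trufflesecurity/trufflehog@main`, so the code that reads every file of the checked-out PR can change underneath this repository without any change here; pin it to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: trufflesecurity/trufflehog@<release-tag-or-commit-sha>  # vX.Y.Z`. actions/checkout is at least on a version tag, and the same SHA pinning applies there if the org requires it. `fetch-depth: 0` is needed for the base..head walk, and the job-level `contents: read` is the right scope, so those parts are fine as written.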
@@ -20,4 +20,11 @@ jobs: permissions: contents: read pull-requests: write - issues: write \ No newline at end of file + issues: write + trufflehog-scan: + name: TruffleHog Scan + uses: marklogic/pr-workflows/.github/workflows/trufflehog-scan.yml@main + permissions: + contents: read + + \ No newline at end of file From c8fd6b0c1432741280eb2dd76e297050713a4acb Mon Sep 17 00:00:00 2001 From: Brijesh Kumar Patel Date: Thu, 18 Dec 2025 13:36:41 +0530 Subject: [PATCH 3/5] PDP-684: Updated TurffleHog workflow, add information how to exclude file or folders --- .github/workflows/trufflehog-scan.yml | 38 ++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trufflehog-scan.yml b/.github/workflows/trufflehog-scan.yml index 8c32321..ca25a97 100644 --- a/.github/workflows/trufflehog-scan.yml +++ b/.github/workflows/trufflehog-scan.yml @@ -1,4 +1,9 @@ +# Copyright (c) 2003-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved +# TruffleHog Secret Scanning - Reusable Workflow +# This workflow scans for secrets in pull request changes +# Note: This workflow expects to be called from a pull_request event context name: TruffleHog Scan + on: workflow_call: @@ -22,6 +27,9 @@ jobs: # Only add exclude-paths if file exists if [ -f ".trufflehog-exclude" ]; then ARGS="$ARGS --exclude-paths=.trufflehog-exclude" + echo "Using exclusion file: .trufflehog-exclude" + else + echo "No exclusion file found, scanning all files" fi echo "args=${ARGS}" >> "$GITHUB_OUTPUT" 
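Review bot: The called workflow checks out `github.event.pull_request.head.sha` and scans it, so this template job is only safe when the caller's trigger is `pull_request`; if the template's `on:` block (earlier in templates/pr-workflow.yml, outside this hunk) uses `pull_request_target`, the PR author's tree would be checked out and the step run with access to the caller's secrets. Consider adding a comment next to the job, `# requires a pull_request trigger: the reusable workflow checks out the PR head`, so the constraint survives copy-paste into consuming repositories. The job also references a mutable ref, `uses: marklogic/pr-workflows/.github/workflows/trufflehog-scan.yml@main`; a tag or SHA would make the scan configuration reproducible once the workflow stabilises.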
@@ -30,4 +38,32 @@ jobs: with: base: ${{ github.event.pull_request.base.sha }} head: ${{ github.event.pull_request.head.sha }} - extra_args: ${{ steps.prep.outputs.args }} \ No newline at end of file + extra_args: ${{ steps.prep.outputs.args }} + +# ------------------------------------------------------------------------------ +# HOW TO EXCLUDE FILES/FOLDERS +# ------------------------------------------------------------------------------ +# Create a .trufflehog-exclude file in your repository root with patterns: +# +# Example .trufflehog-exclude content: +# # Exclude specific files +# path/to/file.txt +# config/secrets.example.env +# +# # Exclude entire folders +# tests/fixtures/** +# **/test_data/** +# +# # Exclude by pattern +# *.test.env +# **/*.example +# +# # Exclude documentation +# docs/** +# +# Patterns follow .gitignore syntax: +# - ** matches any number of directories +# - * matches any characters except / +# - One pattern per line +# - Lines starting with # are comments +# ------------------------------------------------------------------------------ \ No newline at end of file From 55cac6213d5dd0554bbdba49d9ab83e1f6742d41 Mon Sep 17 00:00:00 2001 From: Brijesh Kumar Patel Date: Tue, 30 Dec 2025 10:47:30 +0530 Subject: [PATCH 4/5] PDP-684: TruffleHog Scan Workflow updated, updated exclude option --- .github/workflows/trufflehog-scan.yml | 101 +++++++++++++++++++++----- 1 file changed, 82 insertions(+), 19 deletions(-) diff --git a/.github/workflows/trufflehog-scan.yml b/.github/workflows/trufflehog-scan.yml index ca25a97..87b4fba 100644 --- a/.github/workflows/trufflehog-scan.yml +++ b/.github/workflows/trufflehog-scan.yml 
@@ -23,15 +23,37 @@ jobs: id: prep shell: bash run: | - ARGS="--json --fail" - # Only add exclude-paths if file exists + set -e + ARGS="" + + # Option 1: Regex patterns file (advanced users) if [ -f ".trufflehog-exclude" ]; then - ARGS="$ARGS --exclude-paths=.trufflehog-exclude" - echo "Using exclusion file: .trufflehog-exclude" - else - echo "No exclusion file found, scanning all files" + ARGS="--exclude-paths=.trufflehog-exclude" + echo "Using regex exclusions: .trufflehog-exclude" fi - echo "args=${ARGS}" >> "$GITHUB_OUTPUT" + + # Option 2: Glob patterns file (easier for most users) + if [ -f ".trufflehog-exclude-globs" ]; then + PATTERNS=$(grep -v '^#' .trufflehog-exclude-globs | grep -v '^[[:space:]]*$' | tr '\n' ',' | sed 's/,$//' || true) + if [ -n "$PATTERNS" ]; then + if [ -n "$ARGS" ]; then + ARGS="$ARGS --exclude-globs=$PATTERNS" + else + ARGS="--exclude-globs=$PATTERNS" + fi + echo "Using glob exclusions: $PATTERNS" + fi + fi + + if [ -z "$ARGS" ]; then + echo "No exclusion files found, scanning all files" + fi + + { + echo "args<> "$GITHUB_OUTPUT" - name: Secret Scanning uses: trufflesecurity/trufflehog@main 
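Review bot: The rewritten initialisation `ARGS=""` drops the `--json --fail` that the previous version always passed, so unless the trufflehog action's own entrypoint adds `--fail`, a finding no longer fails the job and the scan becomes advisory; confirm against the action definition or restore `ARGS="--json --fail"` as the starting value before the exclusion handling. The output-writing block at the end of the step is truncated in this rendering (`echo "args<> "$GITHUB_OUTPUT"`), so the multiline-output delimiter cannot be reviewed here; if it is a heredoc-style `args<<DELIM` write, use a delimiter that cannot occur in a pattern line (GitHub's docs suggest a randomly generated one), because the pattern file content comes from the PR branch. Related: both `.trufflehog-exclude` and `.trufflehog-exclude-globs` are read from the PR head, so a change to either file can widen the exclusions to most of the tree without touching this workflow; they deserve a CODEOWNERS entry or an explicit review rule. The glob join with `grep -v '^#' ... | tr '\n' ','` also keeps inline ` # comments` and the `\r` of CRLF-saved files in the pattern list, and any pattern containing a comma splits into two.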
@@ -41,29 +63,70 @@ jobs: extra_args: ${{ steps.prep.outputs.args }} # ------------------------------------------------------------------------------ -# HOW TO EXCLUDE FILES/FOLDERS +# HOW TO EXCLUDE FILES/FOLDERS - TWO OPTIONS +# ------------------------------------------------------------------------------ +# +# OPTION 1 (RECOMMENDED): Glob Patterns - .trufflehog-exclude-globs # ------------------------------------------------------------------------------ -# Create a .trufflehog-exclude file in your repository root with patterns: +# Create a .trufflehog-exclude-globs file with glob patterns (one per line): # -# Example .trufflehog-exclude content: +# Example .trufflehog-exclude-globs: # # Exclude specific files -# path/to/file.txt -# config/secrets.example.env +# src/config.example.env +# tests/data/secrets.txt +# +# # Exclude by wildcard +# *.test.env +# *.example +# *.lock # -# # Exclude entire folders +# # Exclude folders and subfolders # tests/fixtures/** # **/test_data/** -# -# # Exclude by pattern -# *.test.env -# **/*.example +# node_modules/** +# dist/** # # # Exclude documentation # docs/** +# *.md # -# Patterns follow .gitignore syntax: -# - ** matches any number of directories +# Glob pattern rules: +# - ** matches any number of directories (recursive) # - * matches any characters except / # - One pattern per line # - Lines starting with # are comments +# +# ------------------------------------------------------------------------------ +# OPTION 2 (ADVANCED): Regex Patterns - .trufflehog-exclude +# ------------------------------------------------------------------------------ +# Create a .trufflehog-exclude file with regex patterns (one per line): +# +# Example .trufflehog-exclude: +# # Exclude specific files +# ^src/config\.example\.env$ +# ^tests/data/secrets\.txt$ +# +# # Exclude by extension +# \.test\.env$ +# \.example$ +# \.lock$ +# +# # Exclude folders (any depth) +# ^tests/fixtures/ +# /test_data/ +# node_modules/ +# ^dist/ +# +# # Exclude 
documentation +# ^docs/ +# \.md$ +# +# Regex pattern rules: +# - Use proper regex escaping (e.g., \. for literal dot) +# - ^ matches start of path, $ matches end +# - One pattern per line +# - Lines starting with # are comments +# +# ------------------------------------------------------------------------------ +# You can use both files simultaneously - patterns from both will be applied # ------------------------------------------------------------------------------ \ No newline at end of file From d37a9637d9f8e23311518c98e5e234b1469d9c57 Mon Sep 17 00:00:00 2001 From: brijeshp56 Date: Tue, 30 Dec 2025 10:50:39 +0530 Subject: [PATCH 5/5] Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- templates/pr-workflow.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/templates/pr-workflow.yml b/templates/pr-workflow.yml index b10103d..7400d1c 100644 --- a/templates/pr-workflow.yml +++ b/templates/pr-workflow.yml @@ -25,6 +25,4 @@ jobs: name: TruffleHog Scan uses: marklogic/pr-workflows/.github/workflows/trufflehog-scan.yml@main permissions: - contents: read - - \ No newline at end of file + contents: read \ No newline at end of file
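Review bot: The example exclusion lists in the comment block recommend `docs/**`, `*.md`, `*.example` and `*.lock` as things to exclude, but documentation, example configs and lockfiles (which can carry registry tokens in resolved URLs) are exactly where leaked credentials tend to land, and a copy-pasted example carries those gaps into every consuming repository. Keep the examples to test fixtures and generated data, and state plainly that each exclusion removes those paths from secret detection, e.g. `# Every pattern here is a coverage gap: exclude only paths that cannot contain real credentials`. The "Regex pattern rules" section should also say what the regex is matched against — presumably the repository-relative path, since `^dist/` only behaves as described in that case; the hunk itself does not show it, so confirm before documenting.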