PDP-684 Add TruffleHog secret scanning workflow for PR validation #16
Introduces a centralized GitHub Actions workflow for scanning pull requests for secrets using TruffleHog. Includes a detailed README with setup instructions, exclusion pattern configuration, override options, and troubleshooting guidance.
The workflow now posts PR comments with secret scan findings, sets commit status to pass/fail, and provides clearer merge blocking. Documentation was updated and renamed to trufflehog_readme.md to reflect new features, including secret classification and improved fork PR support.
Pull request overview
This PR introduces a centralized TruffleHog secret scanning workflow that automatically validates pull requests across the organization by detecting exposed secrets such as API keys, passwords, and tokens. The workflow runs on all PRs, posts detailed findings as comments when secrets are detected, and sets commit statuses to block merges when necessary.
Key Changes:
- Implements GitHub Actions workflow with dual triggers (`pull_request` and `pull_request_target`) to handle both same-repo and fork PRs
- Configurable exclusion patterns via `TRUFFLEHOG_EXCLUDES` variable with org-level defaults and repo-level overrides
- Automated PR commenting with remediation steps and commit status updates based on scan results
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| trufflehog_readme.md | Comprehensive documentation covering setup, configuration, exclusion patterns, workflow triggers, and troubleshooting |
| .github/workflows/trufflehog-scan.yml | GitHub Actions workflow implementing secret scanning with TruffleHog, exclusion handling, result processing, and PR status updates |
Co-authored-by: Copilot <[email protected]>
```yaml
            echo "${{ vars.TRUFFLEHOG_EXCLUDES }}" | tr ',' '\n' | sed '/^$/d' > .trufflehog-ignore
          else
            echo "Using default exclusions from central workflow"
            cat << 'EOF' > .trufflehog-ignore
```
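Review bot: `echo "${{ vars.TRUFFLEHOG_EXCLUDES }}"` on the first line splices the variable's value into the shell script before the shell runs it, so a value containing a double quote, a backtick or `$(...)` changes the script rather than the exclusion list. Pass it through the step's `env:` block instead (`env: EXCLUDES: ${{ vars.TRUFFLEHOG_EXCLUDES }}`) and write it with `printf '%s\n' "$EXCLUDES" | tr ',' '\n' | sed '/^$/d' > .trufflehog-ignore`, which keeps the value as data. The `else` branch also replaces the central defaults entirely when a repo sets its own variable; the repo-specific patterns should be appended to the defaults written by the heredoc so a repo cannot silently disable the org-wide exclusions.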
Isn't it better to include the defaults always?
Good catch! Updated the logic to make exclusions additive instead of replacement.
```yaml
            echo "description=No secrets detected in PR changes" >> $GITHUB_OUTPUT
          fi
      - name: Post PR comment on findings
```
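Review bot: `>> $GITHUB_OUTPUT` on the first line leaves the file path unquoted; quote it as `>> "$GITHUB_OUTPUT"` so the redirect cannot break if the runner's temp path ever contains whitespace, and so the step matches the quoting used elsewhere in the script.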
Do we really need a comment? Can't we just rely on annotations?
Why PR Comments are better for security findings:
- Immediate visibility - Developers see the alert without extra navigation
- Actionable - The comment includes remediation steps right there
- Email notification - PR comment triggers email, ensuring developer sees it
- Historical record - Comment stays in PR history for auditing
- Team visibility - Reviewers also see the security issue immediately
- Mobile-friendly - Easy to check on phone
```yaml
        uses: actions/github-script@v7
        with:
          script: |
            const commentMarker = '<!-- TRUFFLEHOG-SCAN-COMMENT -->';
```
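Review bot: the marker on the last line only helps if the script lists the PR's existing comments and edits the one containing it; otherwise each push adds another alert comment. Also, with the dual `pull_request` / `pull_request_target` triggers, a fork PR that arrives via `pull_request` runs with a read-only `GITHUB_TOKEN`, so `createComment` and the status update will fail there; guard the comment step on `github.event_name == 'pull_request_target'` (or on the token's write access) and, under `pull_request_target`, make sure nothing checked out from the PR head is executed, since that event runs with write permissions on the base repository.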
If we're planning to add a comment, then we need to add the following to it so the user knows whether the scan ran on the latest changes/commit.
- Commit ID/SHA.
- Workflow Link/Number to get to the correct logs.
```yaml
            4. **Push the fix** to this branch
            ### Finding Details
            Check the [workflow run logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for:
```
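Review bot: the run link on the last line is right, but when the commit ID is added next to it, use `${{ github.event.pull_request.head.sha }}` rather than `${{ github.sha }}`: on `pull_request` and `pull_request_target` events `github.sha` is the synthetic merge commit (or the base branch tip), not the commit the developer pushed, so the comment would name a SHA that does not appear in the PR's commit list.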
Looks like workflow link is already added, please ignore my previous comment and just add the commit ID to the comment.
### 🚨 Secret Scanning Alert
TruffleHog detected potential secrets in this pull request.
**What to do:**
### Finding Details
Check the workflow run logs for:
### Workflow Logs
This scan only checks files modified in this PR. Secrets are classified as verified (confirmed active) or unverified (potential match).
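Added example, written for this page and not taken from the PR's workflow or the TruffleHog project: the logic an `actions/github-script` step needs for the comment behaviour discussed in the thread above. It classifies TruffleHog `--json` output into verified and unverified findings, builds a comment that carries the hidden marker, the scanned head SHA and the run link (and never the raw secret), and creates or updates one marked comment so a later clean run turns the same comment into an all-clear instead of adding a second one. The TruffleHog field names (`DetectorName`, `Verified`, `SourceMetadata.Data.Git.file`/`line`), the sample findings, the in-memory `github` client and the org/repo/SHA values are assumptions and constructed data for offline use.

```javascript
// Added example, not the PR's workflow code. Assumed TruffleHog --json fields:
// DetectorName, Verified, Raw, SourceMetadata.Data.Git.{file,line}.
const COMMENT_MARKER = '<!-- TRUFFLEHOG-SCAN-COMMENT -->';

// Parse newline-delimited TruffleHog JSON; non-JSON lines (banner, logs) are skipped.
function summarizeFindings(jsonLines) {
  const summary = { verified: [], unverified: [] };
  for (const line of jsonLines.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    let finding;
    try { finding = JSON.parse(trimmed); } catch { continue; }
    const git = (finding.SourceMetadata && finding.SourceMetadata.Data && finding.SourceMetadata.Data.Git) || {};
    // Deliberately drop finding.Raw: the secret itself must never be echoed into a PR comment.
    const entry = { detector: finding.DetectorName || 'unknown', file: git.file || '?', line: git.line || 0 };
    (finding.Verified ? summary.verified : summary.unverified).push(entry);
  }
  return summary;
}

// Build the comment body. The marker lets later runs find and edit this comment;
// headSha (the PR head, not the merge commit) and the run URL say which commit was scanned.
function buildCommentBody(summary, ctx) {
  const runUrl = `${ctx.serverUrl}/${ctx.repo}/actions/runs/${ctx.runId}`;
  const total = summary.verified.length + summary.unverified.length;
  const lines = [COMMENT_MARKER];
  if (total === 0) {
    lines.push(`✅ **Secret scan clear** for commit \`${ctx.headSha}\`.`);
  } else {
    lines.push(`🚨 **Secret Scanning Alert** for commit \`${ctx.headSha}\``);
    lines.push(`TruffleHog found ${summary.verified.length} verified and ${summary.unverified.length} unverified finding(s).`);
    for (const f of summary.verified) lines.push(`- **verified** ${f.detector} in \`${f.file}:${f.line}\``);
    for (const f of summary.unverified) lines.push(`- unverified ${f.detector} in \`${f.file}:${f.line}\``);
  }
  lines.push(`[Workflow run logs](${runUrl})`);
  return lines.join('\n');
}

// Create the marked comment on the first run, update it on every later run
// (including a clean run, so a fixed PR shows as clear instead of gaining a new comment).
async function upsertScanComment(github, context, body) {
  const { owner, repo } = context.repo;
  const issue_number = context.issue.number;
  const { data: comments } = await github.rest.issues.listComments({ owner, repo, issue_number, per_page: 100 });
  const existing = comments.find(c => c.body && c.body.includes(COMMENT_MARKER));
  if (existing) {
    await github.rest.issues.updateComment({ owner, repo, comment_id: existing.id, body });
    return { action: 'updated', id: existing.id };
  }
  const { data: created } = await github.rest.issues.createComment({ owner, repo, issue_number, body });
  return { action: 'created', id: created.id };
}

// Constructed sample output: a banner line, one verified and one unverified finding.
const SAMPLE_OUTPUT = [
  '🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷',
  JSON.stringify({ DetectorName: 'AWS', Verified: true, Raw: 'AKIA-constructed-sample',
    SourceMetadata: { Data: { Git: { file: 'config/prod.env', line: 3 } } } }),
  JSON.stringify({ DetectorName: 'Slack', Verified: false, Raw: 'xoxb-constructed-sample',
    SourceMetadata: { Data: { Git: { file: 'scripts/notify.sh', line: 12 } } } }),
].join('\n');

// Constructed in-memory stand-in for the `github` client github-script injects.
function makeFakeGithub(seedComments = []) {
  const comments = seedComments.map((body, i) => ({ id: i + 1, body }));
  return {
    comments,
    rest: { issues: {
      listComments: async () => ({ data: comments }),
      updateComment: async ({ comment_id, body }) => { comments.find(c => c.id === comment_id).body = body; return { data: {} }; },
      createComment: async ({ body }) => { const c = { id: comments.length + 1, body }; comments.push(c); return { data: c }; },
    } },
  };
}

// Constructed context values (hypothetical org/repo/run/SHA).
const SAMPLE_CONTEXT = { repo: { owner: 'example-org', repo: 'example-repo' }, issue: { number: 16 } };
const SAMPLE_CTX = { serverUrl: 'https://github.com', repo: 'example-org/example-repo', runId: 123, headSha: 'abc1234' };

// Demo: the first run posts the alert; the second run, after the fix, edits the same comment to "clear".
async function demo() {
  const github = makeFakeGithub();
  const first = await upsertScanComment(github, SAMPLE_CONTEXT,
    buildCommentBody(summarizeFindings(SAMPLE_OUTPUT), SAMPLE_CTX));
  const second = await upsertScanComment(github, SAMPLE_CONTEXT,
    buildCommentBody(summarizeFindings(''), { ...SAMPLE_CTX, headSha: 'def5678' }));
  return { first, second, commentCount: github.comments.length, finalBody: github.comments[0].body };
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

In the real step, `github` and `context` come from github-script, `ctx.headSha` should be `context.payload.pull_request.head.sha`, and the scanner output would be read from the file the scan step wrote; the classification and upsert logic stay the same.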
Adds a workflow step to update the PR comment when previously detected secrets are resolved, marking the PR as clear. Updates documentation to clarify that exclusion patterns are additive, describes the new comment update behavior, and improves the remediation and PR comment sections for clarity.
Summary
Introduces a centralized TruffleHog secret scanning workflow that automatically scans all pull requests for exposed secrets (API keys, passwords, tokens, etc.) across the organization.
This implementation:
Features
How It Works
Configuration
`TRUFFLEHOG_EXCLUDES` variable at org or repo level for custom exclusions
Tested here:
https://github.com/marklogic/copyrighttest/pull/79
https://github.com/marklogic/copyrighttest/pull/78
https://github.com/marklogic/copyrighttest/pull/77