PDP-684 Add TruffleHog secret scanning workflow for PR validation #16
Conversation
Introduces a centralized GitHub Actions workflow for scanning pull requests for secrets using TruffleHog. Includes a detailed README with setup instructions, exclusion pattern configuration, override options, and troubleshooting guidance.
The workflow now posts PR comments with secret scan findings, sets commit status to pass/fail, and provides clearer merge blocking. Documentation was updated and renamed to trufflehog_readme.md to reflect new features, including secret classification and improved fork PR support.
There was a problem hiding this comment.
Pull request overview
This PR introduces a centralized TruffleHog secret scanning workflow that automatically validates pull requests across the organization by detecting exposed secrets such as API keys, passwords, and tokens. The workflow runs on all PRs, posts detailed findings as comments when secrets are detected, and sets commit statuses to block merges when necessary.
Key Changes:
- Implements GitHub Actions workflow with dual triggers (
pull_requestandpull_request_target) to handle both same-repo and fork PRs - Configurable exclusion patterns via
TRUFFLEHOG_EXCLUDESvariable with org-level defaults and repo-level overrides - Automated PR commenting with remediation steps and commit status updates based on scan results
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
trufflehog_readme.md |
Comprehensive documentation covering setup, configuration, exclusion patterns, workflow triggers, and troubleshooting |
.github/workflows/trufflehog-scan.yml |
GitHub Actions workflow implementing secret scanning with TruffleHog, exclusion handling, result processing, and PR status updates |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
GAdityaVarma
requested review from
Pragathi-28 and
brijeshp56
and removed request for
Copilot
Co-authored-by: Copilot <[email protected]>
| echo "description=No secrets detected in PR changes" >> $GITHUB_OUTPUT | ||
| fi | ||
|
|
||
| - name: Post PR comment on findings |
There was a problem hiding this comment.
Do we really need a comment? Can't we just rely on annotations?
There was a problem hiding this comment.
Why PR Comments are better for security findings:
- Immediate visibility - Developers see the alert without extra navigation
- Actionable - The comment includes remediation steps right there
- Email notification - PR comment triggers email, ensuring developer sees it
- Historical record - Comment stays in PR history for auditing
- Team visibility - Reviewers also see the security issue immediately
- Mobile-friendly - Easy to check on phone
| 4. **Push the fix** to this branch | ||
|
|
||
| ### Finding Details | ||
| Check the [workflow run logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for: |
There was a problem hiding this comment.
Looks like workflow link is already added, please ignore my previous comment and just add the commit ID to the comment.
There was a problem hiding this comment.
updated the workflow logic to update comments in PR to have commit ID also,
Tested: https://github.com/marklogic/copyrighttest/pull/82
The PR comment now includes the scanned commit SHA with a direct link to the commit.
Example in the comment:
Scanned commit: c0f65d6 (c0f65d61be8cc0c304f25d743b3f1c6536206358)
This lets users verify the scan ran on their latest changes. The comment is also updated on each new push, so the SHA always reflects the most recent scan.
Adds a workflow step to update the PR comment when previously detected secrets are resolved, marking the PR as clear. Updates documentation to clarify that exclusion patterns are additive, describes the new comment update behavior, and improves the remediation and PR comment sections for clarity.
Enhances the TruffleHog GitHub Actions workflow to better distinguish between scan errors and actual secret findings, adding a verification step for failed scans. Updates documentation to clarify exclusion pattern behavior, workflow triggers, and runtime logic for more accurate and secure secret scanning.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if (!hasSecrets) { | ||
| // No secrets found | ||
| if (existing) { | ||
| // Check if existing comment was a critical/blocking one (had verified secrets) |
There was a problem hiding this comment.
Can we update the PR comment in case developer removes unverified secrets in subsequent commit?
Summary
Introduces a centralized TruffleHog secret scanning workflow that automatically scans all pull requests for exposed secrets (API keys, passwords, tokens, etc.) across the organization.
This implementation:
Features
How It Works
Configuration
TRUFFLEHOG_EXCLUDESvariable at org or repo level for custom exclusionsTested here:
https://github.com/marklogic/copyrighttest/pull/79
https://github.com/marklogic/copyrighttest/pull/78
https://github.com/marklogic/copyrighttest/pull/77