From 5af7378a03945aadf9e476179b9b0bf1e3938188 Mon Sep 17 00:00:00 2001 From: Clayton Collie Date: Wed, 30 Jul 2025 10:33:48 +0200 Subject: [PATCH 1/2] Scan for secrets with truffelhog --- .github/workflows/secrets.yml | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/secrets.yml diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml new file mode 100644 index 00000000..e8d60ac8 --- /dev/null +++ b/.github/workflows/secrets.yml @@ -0,0 +1,36 @@ +name: Secrets + +on: + pull_request: + +jobs: + trufflehog: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Trufflehog exclusions + run: | + if [ ! -f .trufflehog-exclude.txt ]; then + echo "# Paths to exclude from TruffleHog scanning" > .trufflehog-exclude.txt + echo "node_modules/" >> .trufflehog-exclude.txt + echo "vendor/" >> .trufflehog-exclude.txt + echo "dist/" >> .trufflehog-exclude.txt + echo "build/" >> .trufflehog-exclude.txt + fi + + - name: Run Trufflehog on latest commits + id: trufflehog + uses: trufflesecurity/trufflehog@main + continue-on-error: true + with: + path: ./ + extra_args: --results=verified,unknown --exclude-paths .trufflehog-exclude.txt + + - name: Trufflehog Scan Failure + if: steps.trufflehog.outcome == 'failure' + run: exit 1 \ No newline at end of file From 4a8cef22e8c742532f8e5cc3a88c1b94b487ff08 Mon Sep 17 00:00:00 2001 From: Clayton Collie Date: Wed, 30 Jul 2025 10:36:28 +0200 Subject: [PATCH 2/2] Added permissions to read --- .github/workflows/secrets.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml index e8d60ac8..1a7a8a42 100644 --- a/.github/workflows/secrets.yml +++ b/.github/workflows/secrets.yml @@ -3,6 +3,9 @@ name: Secrets on: pull_request: +permissions: + contents: read + jobs: trufflehog: runs-on: ubuntu-latest