chore: bootstrap .trufflehog.yml secrets scanning (#39)
Adds Phenotype org standard TruffleHog v2 configuration for secrets detection. Repo is Go (not Rust), so deny.toml not applicable. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Caution: Review failed. Pull request was closed or merged during review.
📝 Walkthrough
Summary: This PR adds
Status: ✅ Approve. The PR should merge as-is. It introduces no blocking issues and properly bootstraps secrets scanning governance.
Must Fix: None. YAML syntax is valid, and the configuration is sound.
Should Fix: None blocking, but consider:
Consider: Optional enhancements (not required for merge):
Technical Validation
Walkthrough: A
Changes: TruffleHog Configuration
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ 5 passed checks (5 passed)
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.
Reviewed by Cursor Bugbot for commit 94869fc.
| enabled: true | ||
| entropy: 0.7 | ||
| - detected: | ||
| enabled: true |
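Review bot: the `entropy: 0.7` line in this hunk carries no comment saying which scale the threshold is on (a normalised 0-1 score or bits per character) or why 0.7 was chosen, and the `detected` rule below it is just `enabled: true`. A one-line YAML comment beside each value would let a reviewer judge the tuning, which matters here because the other review on this PR reports that no tool invoked from CI reads these keys at all.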
Config file uses fabricated schema, entirely non-functional
High Severity
This .trufflehog.yml uses a config schema (version, exclude.paths, include.files, rules.base64.entropy, rules.detected) that doesn't match any version of TruffleHog — not the official Go version (trufflesecurity/trufflehog, which expects sources/detectors/notifiers), not TruffleHog v2 (CLI flags + JSON rules), and not trufflehog3 (.trufflehog3.yml with severity/no_entropy/no_pattern). Additionally, the CI workflow in .github/workflows/trufflehog.yml runs trufflehog github without a --config flag, and the official Go TruffleHog doesn't auto-detect .trufflehog.yml, so this file is entirely inert. The intended exclude paths and rules have no effect on secrets scanning.
| include: | ||
| files: | ||
| - "*" | ||
|
|
||
| rules: | ||
| - base64: | ||
| enabled: true | ||
| entropy: 0.7 | ||
| - detected: | ||
| enabled: true |
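Review bot: the `include: files: - "*"` block and the `rules` block in this hunk have no consumer: the workflow quoted in the review comments runs `trufflehog github --only-verified --no-update` with no `--config`, so nothing in these lines changes what gets scanned. Either pass the file to the scanner in the workflow or add a header comment at the top of `.trufflehog.yml` naming the tool and version that reads it, so the `"*"` include and the two rules are not mistaken for active policy.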
🟠 Architect Review — HIGH
The repository adds a .trufflehog.yml v2 config (include/exclude and rules), but the CI workflow runs trufflehog github --only-verified --no-update without passing any config flag, so the new config is not actually applied to CI scans and scan behavior remains unchanged despite the stated intent.
Suggestion: Update the CI workflow to invoke TruffleHog in a way that consumes .trufflehog.yml (for example by adding an explicit --config .trufflehog.yml or using the appropriate subcommand), or clearly document that this file is only for local/manual scans so CI expectations match the org-standard policy.
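The gap the architect review above describes, a scanner config committed to the repo but never passed to the scanner, can be caught with a small pre-merge guard. This is an added example, not code from the PR or from TruffleHog; it assumes the config is named `.trufflehog.yml`, that workflows live in `.github/workflows`, and that the scanner invocation sits on a single line.

```shell
#!/bin/sh
# Added example, not part of the PR: fail when a scanner config file exists
# but no CI workflow passes it to the scanner.
# Exit status 0 = wired (or no config present), 1 = config is inert.
config_is_wired() {
  config="$1"   # e.g. .trufflehog.yml (assumed name)
  wfdir="$2"    # e.g. .github/workflows (assumed location)
  [ -f "$config" ] || return 0          # nothing to wire, nothing to flag
  base=$(basename "$config")
  for wf in "$wfdir"/*.yml "$wfdir"/*.yaml; do
    [ -f "$wf" ] || continue
    # A trufflehog invocation that passes --config and names this file.
    # Caveat: only single-line invocations are recognised; a --config on a
    # backslash-continued line would need a YAML-aware parser.
    if grep -E 'trufflehog.*--config' "$wf" | grep -F -- "$base" >/dev/null; then
      return 0
    fi
  done
  return 1
}

# Constructed demo: first the workflow line quoted in the review above
# (config present but inert), then the same line with --config added (wired).
# Returns 0 when the guard classifies both cases correctly, 1 otherwise.
demo() {
  tmp=$(mktemp -d) || return 2
  mkdir -p "$tmp/wf"
  printf 'rules: []\n' > "$tmp/.trufflehog.yml"   # constructed stand-in config
  printf 'run: trufflehog github --only-verified --no-update\n' > "$tmp/wf/scan.yml"
  if config_is_wired "$tmp/.trufflehog.yml" "$tmp/wf"; then rm -rf "$tmp"; return 1; fi
  printf 'run: trufflehog github --config .trufflehog.yml --only-verified --no-update\n' \
    > "$tmp/wf/scan.yml"
  if ! config_is_wired "$tmp/.trufflehog.yml" "$tmp/wf"; then rm -rf "$tmp"; return 1; fi
  rm -rf "$tmp"
  return 0
}
```

Run `config_is_wired .trufflehog.yml .github/workflows` as a CI step and fail the job on a non-zero exit.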
User description
Summary
- .trufflehog.yml (TruffleHog v2) for secrets scanning
Test plan
- .trufflehog.yml is valid YAML
🤖 Generated with Claude Code
Note
Low Risk
Adds only a repository-level TruffleHog configuration file; no runtime or business logic changes. Risk is limited to potential CI noise from scans due to include/exclude and rule thresholds.
Overview
Adds a new .trufflehog.yml using the Phenotype org standard to enable TruffleHog v2 secrets scanning. Configures path exclusions (e.g., node_modules, build outputs, virtualenvs) and enables base64 (with entropy: 0.7) and detected rules over all files.
CodeAnt-AI Description
Add repository secrets scanning for checked-in credentials
What Changed
Impact
✅ Earlier detection of leaked secrets
✅ Fewer false alerts from generated files
✅ Cleaner repository security checks