chore: bootstrap .trufflehog.yml secrets scanning #39
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| # TruffleHog secrets scanning configuration | ||
| # Phenotype org standard | ||
| version: 2 | ||
|
|
||
| exclude: | ||
| paths: | ||
| - ".git/**" | ||
| - "target/**" | ||
| - "node_modules/**" | ||
| - "*.sum" | ||
| - "*.lock" | ||
| - ".venv/**" | ||
| - "__pycache__/**" | ||
| - ".next/**" | ||
|
|
||
| include: | ||
| files: | ||
| - "*" | ||
|
|
||
| rules: | ||
| - base64: | ||
| enabled: true | ||
| entropy: 0.7 | ||
| - detected: | ||
| enabled: true | ||
|
Comment on lines +16 to +25
Architect Review: HIGH

The repository adds a

Suggestion: Update the CI workflow to invoke TruffleHog in a way that consumes

Prompt for AI Agent

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings, not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .trufflehog.yml
**Line:** 16:25
**Comment:**
HIGH: The repository adds a `.trufflehog.yml` v2 config (include/exclude and rules), but the CI workflow runs `trufflehog github --only-verified --no-update` without passing any config flag, so the new config is not actually applied to CI scans and scan behavior remains unchanged despite the stated intent.
Validate the correctness of the flagged issue. If correct, how can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix; do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once the fix is implemented, also check other comments on the same PR, and ask the user if the user wants to fix the rest of the comments as well. If said yes, then fetch all the comments, validate the correctness and implement a minimal fix.
Config file uses fabricated schema, entirely non-functional

High Severity

This `.trufflehog.yml` uses a config schema (`version`, `exclude.paths`, `include.files`, `rules.base64.entropy`, `rules.detected`) that doesn't match any version of TruffleHog: not the official Go version (trufflesecurity/trufflehog, which expects `sources`/`detectors`/`notifiers`), not TruffleHog v2 (CLI flags + JSON rules), and not trufflehog3 (`.trufflehog3.yml` with `severity`/`no_entropy`/`no_pattern`). Additionally, the CI workflow in `.github/workflows/trufflehog.yml` runs `trufflehog github` without a `--config` flag, and the official Go TruffleHog doesn't auto-detect `.trufflehog.yml`, so this file is entirely inert. The intended exclude paths and rules have no effect on secrets scanning.

Reviewed by Cursor Bugbot for commit 94869fc.