chore: trufflehog secrets scan + action SHA pins#43
Conversation
* chore: pin actions to immutable SHA * ci: expand pytest to full test suite + ruff lint gate - Replace single-file smoke test run with full `pytest tests/ -q --tb=short` - Add `ruff check .` and `ruff format --check .` gates - Consolidate pip install into one step for ruff + pytest Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * chore: pin all GitHub Actions to commit SHAs Pins all GitHub Actions to immutable commit SHAs. --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 0/1 reviews remaining, refill in 5 minutes and 37 seconds.Comment |
|
codeant-ai
Bot
added
the
size:XS
|
CodeAnt AI finished reviewing your PR. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.
Reviewed by Cursor Bugbot for commit b146451. Configure here.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 |
There was a problem hiding this comment.
Trufflehog action not pinned to SHA
Medium Severity
The trufflehog/actions/setup@main action in this newly added workflow is referenced by a mutable branch (@main) instead of a pinned SHA commit hash. This contradicts the PR's stated goal of pinning all actions to SHA for supply chain security. A compromised main branch of that action repository could execute arbitrary code in CI.
Reviewed by Cursor Bugbot for commit b146451. Configure here.
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 |
There was a problem hiding this comment.
CodeQL actions left unpinned despite PR goal
Medium Severity
The PR pins actions/checkout to a SHA in this file but leaves three github/codeql-action/*@v4 references unpinned in the same workflow. Since the PR's stated goal is to pin all actions to SHA, these were likely overlooked. The mutable @v4 tag carries the same supply chain risk the PR aims to eliminate.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit b146451. Configure here.
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 |
There was a problem hiding this comment.
Inconsistent checkout SHA differs from rest of repo
Low Severity
This PR pins actions/checkout to SHA 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2), but every other workflow in the repo consistently uses 34e114876b0b11c390a56381ad16ebd13914f8d5 (with a # v4 comment). Using a different, older SHA creates an inconsistency that complicates future bulk updates and may cause subtle behavioral differences between workflows.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit b146451. Configure here.
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:XS
Sequence DiagramThis diagram shows how the trufflehog and CodeQL GitHub Actions workflows now use a pinned checkout commit before running their respective security scans, improving CI stability and supply-chain safety. sequenceDiagram
participant GitHub
participant TrufflehogWorkflow
participant CodeQLWorkflow
participant CheckoutAction
GitHub->>TrufflehogWorkflow: Trigger trufflehog job
TrufflehogWorkflow->>CheckoutAction: Checkout repo with pinned commit
TrufflehogWorkflow->>TrufflehogWorkflow: Run trufflehog scan
GitHub->>CodeQLWorkflow: Trigger CodeQL job
CodeQLWorkflow->>CheckoutAction: Checkout repo with pinned commit
CodeQLWorkflow->>CodeQLWorkflow: Run CodeQL analysis
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:XS
Sequence DiagramThis PR ensures the trufflehog secret scan and CodeQL analysis workflows both use a pinned checkout action, stabilizing repository access for CI security scans. sequenceDiagram
participant Developer
participant GitHubActions as GitHub Actions
participant Repo
participant Trufflehog
participant CodeQL
Developer->>GitHubActions: Push or open pull request
GitHubActions->>Repo: Checkout code with pinned action
GitHubActions->>Trufflehog: Run secret scan workflow
Trufflehog-->>GitHubActions: Secret scan results
GitHubActions->>CodeQL: Run code analysis workflow
CodeQL-->>GitHubActions: CodeQL security report
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:XS
Sequence DiagramThis PR updates the Trufflehog and CodeQL GitHub Actions workflows so that repository checkout uses a fixed action version before running security scans. sequenceDiagram
participant Developer
participant Actions
participant Checkout
participant Trufflehog
participant CodeQL
Developer->>Actions: Push or open pull request
Actions->>Checkout: Checkout repository with pinned action version
Checkout-->>Actions: Source code available
Actions->>Trufflehog: Run secret scanning workflow
Actions->>CodeQL: Run code analysis workflow
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:XS
Sequence DiagramThis PR updates the CodeQL and Trufflehog GitHub Actions workflows so they both use a pinned checkout action version before running their respective security scans. sequenceDiagram
participant Dev
participant CI
participant CodeQL
participant Trufflehog
Dev->>CI: Push changes or open pull request
CI->>CodeQL: Trigger CodeQL security workflow
CodeQL->>CodeQL: Checkout repository with pinned checkout action
CodeQL->>CodeQL: Run CodeQL analysis
CI->>Trufflehog: Trigger Trufflehog secrets workflow
Trufflehog->>Trufflehog: Checkout repository with pinned checkout action
Trufflehog->>Trufflehog: Scan repository for secrets
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:XS
Sequence DiagramThis PR hardens the CodeQL and Trufflehog CI workflows by pinning the repository checkout step to a specific actions/checkout commit, ensuring consistent and trustworthy security scans on each run. sequenceDiagram
participant Developer
participant CI
participant CodeQL
participant Trufflehog
Developer->>CI: Push code or open pull request
CI->>CI: Start CodeQL workflow
CI->>CI: Checkout repository with pinned checkout commit
CI->>CodeQL: Run code analysis
CI->>CI: Start Trufflehog workflow
CI->>CI: Checkout repository with pinned checkout commit
CI->>Trufflehog: Run secrets scan
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:XS
Sequence DiagramThis PR updates the CodeQL and Trufflehog GitHub Actions workflows so they check out the repository using a pinned checkout action commit, improving supply-chain safety and consistency of security scans. sequenceDiagram
participant Developer
participant GitHub
participant CodeQLWorkflow as CodeQL workflow
participant TrufflehogWorkflow as Trufflehog workflow
Developer->>GitHub: Push or pull request
GitHub->>CodeQLWorkflow: Trigger CodeQL analysis job
CodeQLWorkflow->>CodeQLWorkflow: Checkout repo with pinned checkout action
CodeQLWorkflow->>CodeQLWorkflow: Initialize and run CodeQL scan
GitHub->>TrufflehogWorkflow: Trigger Trufflehog scan job
TrufflehogWorkflow->>TrufflehogWorkflow: Checkout repo with pinned checkout action
TrufflehogWorkflow->>TrufflehogWorkflow: Setup and run Trufflehog secret scan
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:XS
Sequence DiagramThis PR updates the trufflehog and CodeQL workflows so that both security scans check out the code using a pinned checkout action commit, reducing supply-chain risk while keeping the scan flows the same. sequenceDiagram
participant Developer
participant GitHubCI
participant PinnedCheckout
participant TrufflehogScan
participant CodeQLScan
Developer->>GitHubCI: Push or open pull request
GitHubCI->>PinnedCheckout: Checkout repo for trufflehog with pinned action
PinnedCheckout-->>GitHubCI: Repository workspace
GitHubCI->>TrufflehogScan: Run secrets scan
TrufflehogScan-->>GitHubCI: Secrets scan results
GitHubCI->>PinnedCheckout: Checkout repo for CodeQL with pinned action
PinnedCheckout-->>GitHubCI: Repository workspace
GitHubCI->>CodeQLScan: Run code analysis
CodeQLScan-->>GitHubCI: Security analysis report
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
1 participant
User description
Chore: adds Trufflehog workflow, pins all actions to SHA.
Note
Low Risk
Workflow-only change that pins
actions/checkoutto a specific commit for supply-chain hardening; low risk aside from potential CI breakage if the pinned SHA is incompatible.Overview
Pins
actions/checkoutto commit11bd719...in thecodeql.ymlandtrufflehog.ymlGitHub Actions workflows, replacing the floating@v4reference to improve supply-chain integrity.Reviewed by Cursor Bugbot for commit b146451. Bugbot is set up for automated code reviews on this repo. Configure here.
CodeAnt-AI Description
Pin repository checkout in security scan workflows
What Changed
Impact
✅ Lower supply-chain risk in CI✅ More consistent security scans✅ Fewer unexpected CI failures from upstream updates🔄 Retrigger CodeAnt AI Review
Details
💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.