
fix(trufflehog): exclude .yarn/releases/ to silence yarn 4 false positives#162

Open
tolzhabayev wants to merge 4 commits into grafana:main from tolzhabayev:chore/trufflehog-exclude-gitlab-v1

Conversation

@tolzhabayev

@tolzhabayev tolzhabayev commented May 21, 2026

Summary

Add \.yarn/releases/ to the shared trufflehog/exclude-paths.txt so all org repos stop scanning the corepack-vendored Yarn 4 binary.

Note: This PR was pivoted following review feedback. The earlier commit disabled the Gitlab detector org-wide via --exclude-detectors Gitlab; this revision keeps the detector intact and uses the documented org-wide path-exclusion mechanism instead. The earlier commit is still in this PR's history (d4b7e8c) — see commit e44bcab for the pivot.

Why this matters

Every Grafana repo bumping to Yarn 4 produces a TruffleHog PR comment like:

**Possible secret** (Gitlab) at `.yarn/releases/yarn-4.15.0.cjs:711` → `npmP***ance`

Concrete evidence from grafana/levitate-grafana-ci#109:

{
  "DetectorName": "Gitlab",
  "DetectorType": 9,
  "Verified": false,
  "Raw": "npmPublishProvenance",
  "file": ".yarn/releases/yarn-4.15.0.cjs",
  "line": 711
}

The Yarn 4 release bundle is a minified .cjs blob that contains yarn config keys like npmPublishProvenance (20 alphanumeric chars) co-located with internal mentions of GitLab Package Registry URLs — exactly the shape that TruffleHog's Gitlab detector flags. .yarn/releases/ is yarn-managed corepack output, not user code; scanning it for secrets has no value.

Approach

Per the org-wide exclusions section of security-docs, the fix is a one-line addition to trufflehog/exclude-paths.txt:

\.yarn/releases/

The workflow already fetches this file at runtime and passes it to trufflehog --exclude-paths, so the change rolls out to every org repo on the next scan with no per-repo work.

The Gitlab detector stays enabled — real glpat-* PATs and other Gitlab credentials anywhere else in a repo are still detected.

Scope decision

Kept the pattern narrow (\.yarn/releases/) rather than excluding all of .yarn/, since that's the only subdirectory with evidenced false positives. If .yarn/plugins/ or other subdirectories trigger noise later, adding them is a one-line follow-up to this file.

Reverted from the previous approach

  • Removed --exclude-detectors Gitlab from both trufflehog filesystem invocations in reusable-trufflehog.yml.

Test plan

  • Workflow self-scan passes on this PR.
  • After merge, confirm a sample repo with .yarn/releases/yarn-*.cjs no longer produces a TruffleHog PR comment for that file.
  • Confirm a deliberately committed glpat- test token elsewhere in the same repo still gets flagged (detector remains active).
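To make the scope decision above concrete, here is an added Go example (not code from this PR or from TruffleHog) that compiles the one-line exclude file as a list of RE2 patterns, one per line, and checks which paths it would skip. It assumes TruffleHog matches each pattern unanchored against the scanned file path; the exclude-file content and the sample paths are constructed here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in for trufflehog/exclude-paths.txt after this PR:
// one Go/RE2 regex per line, blank lines ignored.
const excludePathsTxt = `
\.yarn/releases/
`

// compileExcludes turns the file body into compiled patterns, failing
// loudly on a bad regex so a typo cannot silently exclude nothing.
func compileExcludes(content string) ([]*regexp.Regexp, error) {
	var res []*regexp.Regexp
	for _, line := range strings.Split(content, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		re, err := regexp.Compile(line)
		if err != nil {
			return nil, fmt.Errorf("bad exclude pattern %q: %w", line, err)
		}
		res = append(res, re)
	}
	return res, nil
}

// Excluded reports whether any pattern matches anywhere in the path.
// Patterns are unanchored, so a nested workspace's .yarn/releases/ is
// skipped too, while .yarn/plugins/ and ordinary source stay scanned.
func Excluded(path string) bool {
	excludes, err := compileExcludes(excludePathsTxt)
	if err != nil {
		panic(err)
	}
	for _, re := range excludes {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

func main() {
	for _, p := range []string{".yarn/releases/yarn-4.15.0.cjs", "pkg/a/.yarn/releases/yarn-4.15.0.cjs", ".yarn/plugins/plugin.cjs", "src/config.js", "xyarn/releases/x.cjs"} {
		fmt.Printf("%-40s excluded=%v\n", p, Excluded(p))
	}
}
```

The last sample path shows why the leading dot is escaped: `\.yarn/releases/` requires a literal `.yarn` directory, so an unrelated `xyarn/` path is not swallowed by the exclusion.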

…se positives

The TruffleHog v1 Gitlab detector (DetectorType=9) matches any
20-char alphanumeric token near the keyword "gitlab". This triggers
on every Grafana repo that vendors a Yarn 4 release binary via
corepack: the minified `.yarn/releases/yarn-*.cjs` bundle contains
yarn config keys like `npmPublishProvenance` (exactly 20 alphanumeric
chars) co-located with internal mentions of GitLab Package Registry
URLs, which trips the detector on every CI run.

Evidence: grafana/levitate-grafana-ci#109 — the Yarn 4.15.0 bundle
fires `DetectorName=Gitlab`, `Raw=npmPublishProvenance` at line
711. Every repo upgrading to Yarn 4 will produce the same noise
comment until contributors learn to ignore it.

Tradeoff: this disables Gitlab personal-access-token detection
entirely (the legacy detector is the only Gitlab detector — v2/v3
are internal regex revisions of the same protobuf enum, not
separate detector types). Real GitLab credentials in this org are
already covered by:
  - GitHub native secret scanning (push protection on for grafana/*)
  - GitHub Advanced Security (push protection + push to repos)
  - Pre-commit `pre-commit/trufflehog.sh` for local dev (same flag
    can be added there in a follow-up if desired)

The false-positive rate of v1 Gitlab is high enough that the signal
it provides is already drowned out — see trufflesecurity/trufflehog
issue tracker for the long history of "GitLab detector triggers on
random alphanumeric" reports.
@tolzhabayev tolzhabayev requested a review from a team as a code owner May 21, 2026 15:37
Contributor

@isaiah-grafana isaiah-grafana left a comment


Thanks for chasing this down. The Yarn 4 thing in .yarn/releases/ is annoying and I’ve seen the same GitLab FP pop up elsewhere.

I’m not sure we want to disable the GitLab detector org-wide though. For org-wide TruffleHog noise we usually handle it with path excludes, not turning off detectors:

Have you seen this?
https://github.com/grafana/security-docs/blob/main/docs/appsec/security-tools/trufflehog.md#org-wide-exclusions

Pivot from per-detector exclude to path-based exclusion, per review
feedback on grafana#162. The previous commit disabled the entire Gitlab
detector org-wide; the org pattern (per security-docs trufflehog.md
"Org-wide exclusions") is to add path patterns to
`trufflehog/exclude-paths.txt` instead, keeping detection coverage
intact.

`.yarn/releases/` is the corepack-vendored Yarn 4 binary directory
— the minified `.cjs` bundle contains config keys like
`npmPublishProvenance` near internal GitLab mentions, which trips
the Gitlab detector on every PR that touches it.

Revert the `--exclude-detectors Gitlab` flag from both
`trufflehog filesystem` invocations and add `\.yarn/releases/` to
the shared `trufflehog/exclude-paths.txt` so all org repos pick it
up at scan time.
@tolzhabayev tolzhabayev changed the title from "fix(trufflehog): exclude legacy Gitlab detector to silence yarn 4 false positives" to "fix(trufflehog): exclude .yarn/releases/ to silence yarn 4 false positives" on May 22, 2026
@tolzhabayev
Author

Pivoted — yes, I'd seen the doc but the path-based approach didn't click as the right primary fix until your review. Agree disabling the detector org-wide was the wrong lever.

e44bcab reverts the --exclude-detectors Gitlab flag from both trufflehog filesystem invocations and adds \.yarn/releases/ to trufflehog/exclude-paths.txt. The Gitlab detector stays on; the yarn release bundle just stops getting scanned. PR title and description are updated to reflect the new approach.

Kept the pattern narrow (\.yarn/releases/ only) rather than the whole .yarn/ tree since that's the only subdirectory with evidenced false positives — happy to widen if you'd prefer the broader scope up-front.
