From d4b7e8c5c7b90baf01131e094ccb95e18d107fa0 Mon Sep 17 00:00:00 2001
From: Timur Olzhabayev
Date: Thu, 21 May 2026 17:35:36 +0200
Subject: [PATCH 1/2] fix(trufflehog): exclude legacy Gitlab detector to silence yarn 4 false positives
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The TruffleHog v1 Gitlab detector (DetectorType=9) matches any 20-char alphanumeric token near the keyword "gitlab". This triggers on every Grafana repo that vendors a Yarn 4 release binary via corepack: the minified `.yarn/releases/yarn-*.cjs` bundle contains yarn config keys like `npmPublishProvenance` (exactly 20 alphanumeric chars) co-located with internal mentions of GitLab Package Registry URLs, which trips the detector on every CI run.

Evidence: grafana/levitate-grafana-ci#109 — the Yarn 4.15.0 bundle fires `DetectorName=Gitlab`, `Raw=npmPublishProvenance` at line 711. Every repo upgrading to Yarn 4 will produce the same noise comment until contributors learn to ignore it.

Tradeoff: this disables Gitlab personal-access-token detection entirely (the legacy detector is the only Gitlab detector — v2/v3 are internal regex revisions of the same protobuf enum, not separate detector types). Real GitLab credentials in this org are already covered by:

- GitHub native secret scanning (push protection on for grafana/*)
- GitHub Advanced Security (push protection + push to repos)
- Pre-commit `pre-commit/trufflehog.sh` for local dev (same flag can be added there in a follow-up if desired)

The false-positive rate of v1 Gitlab is high enough that the signal it provides is already drowned out — see trufflesecurity/trufflehog issue tracker for the long history of "GitLab detector triggers on random alphanumeric" reports.
---
 .github/workflows/reusable-trufflehog.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml
index 1fd37f23..ddc8a314 100644
--- a/.github/workflows/reusable-trufflehog.yml +++ b/.github/workflows/reusable-trufflehog.yml @@ -169,6 +169,7 @@ jobs: trufflehog filesystem . \ --include-paths "${INCLUDE_REGEXES}" \ --exclude-paths /tmp/trufflehog-exclude.txt \ + --exclude-detectors Gitlab \ --concurrency 16 \ --json \ --no-update \ @@ -181,7 +182,7 @@ jobs: fi else echo "Scanning current filesystem..." - trufflehog filesystem . --exclude-paths /tmp/trufflehog-exclude.txt --concurrency 16 --json --no-update --results=verified,unverified > results.ndjson || true + trufflehog filesystem . --exclude-paths /tmp/trufflehog-exclude.txt --exclude-detectors Gitlab --concurrency 16 --json --no-update --results=verified,unverified > results.ndjson || true fi # Process results and filter git hashes from CHANGELOG files From e44bcab129c9fb25ac333c3d4a8dc0709fcd4c76 Mon Sep 17 00:00:00 2001 
From: Timur Olzhabayev
Date: Fri, 22 May 2026 11:09:48 +0200
Subject: [PATCH 2/2] fix(trufflehog): exclude .yarn/releases/ via org-wide path list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pivot from per-detector exclude to path-based exclusion, per review feedback on #162. The previous commit disabled the entire Gitlab detector org-wide; the org pattern (per security-docs trufflehog.md "Org-wide exclusions") is to add path patterns to `trufflehog/exclude-paths.txt` instead, keeping detection coverage intact.

`.yarn/releases/` is the corepack-vendored Yarn 4 binary directory — the minified `.cjs` bundle contains config keys like `npmPublishProvenance` near internal GitLab mentions, which trips the Gitlab detector on every PR that touches it.

Revert the `--exclude-detectors Gitlab` flag from both `trufflehog filesystem` invocations and add `\.yarn/releases/` to the shared `trufflehog/exclude-paths.txt` so all org repos pick it up at scan time.
---
 .github/workflows/reusable-trufflehog.yml | 3 +--
 trufflehog/exclude-paths.txt              | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml
index ddc8a314..1fd37f23 100644
--- a/.github/workflows/reusable-trufflehog.yml
+++ b/.github/workflows/reusable-trufflehog.yml
@@ -169,7 +169,6 @@ jobs: trufflehog filesystem . \ --include-paths "${INCLUDE_REGEXES}" \ --exclude-paths /tmp/trufflehog-exclude.txt \ - --exclude-detectors Gitlab \ --concurrency 16 \ --json \ --no-update \
@@ -182,7 +181,7 @@ jobs: fi else echo "Scanning current filesystem..." - trufflehog filesystem . --exclude-paths /tmp/trufflehog-exclude.txt --exclude-detectors Gitlab --concurrency 16 --json --no-update --results=verified,unverified > results.ndjson || true + trufflehog filesystem . --exclude-paths /tmp/trufflehog-exclude.txt --concurrency 16 --json --no-update --results=verified,unverified > results.ndjson || true fi # Process results and filter git hashes from CHANGELOG files diff --git a/trufflehog/exclude-paths.txt b/trufflehog/exclude-paths.txt index ca188f8e..0d935cb4 100644 --- a/trufflehog/exclude-paths.txt +++ b/trufflehog/exclude-paths.txt @@ -29,3 +29,7 @@ grafana\.json$ # Grafana dashboards (user-supplied site content, full of base64/hashes) content/grafana/dashboards + +# Yarn 4 release bundle (corepack-vendored, minified — fires false positives +# on `npmPublishProvenance` near internal mentions of GitLab; not user code) +\.yarn/releases/
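Review bot: in PATCH 1/2, hunk `@@ -169,6 +169,7 @@` of reusable-trufflehog.yml, `--exclude-detectors Gitlab` switches the detector off for every file in every repo that calls this reusable workflow, although the commit message locates the false positive in a single path (`.yarn/releases/yarn-*.cjs`). The same invocation already passes `--exclude-paths /tmp/trufflehog-exclude.txt`, so a path pattern there removes the noise without giving up GitLab token detection in source, config and CI files, and the "already covered by" list in the message names other tooling, not this scan. If a detector-level exclusion is kept at all, make it a workflow input that defaults to empty rather than a hardcoded flag, and put the trade-off in a comment next to the flag so the next reader of the workflow does not have to find this commit.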
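Review bot: in PATCH 1/2, hunk `@@ -181,7 +182,7 @@`, the one-line fallback invocation repeats the whole flag set of the multi-line one (`--exclude-paths /tmp/trufflehog-exclude.txt`, `--concurrency 16`, `--json`, `--no-update`, `--results=verified,unverified`), and this commit had to edit both copies to add one flag. Factor the shared flags into a shell array used by both branches, for example `TH_FLAGS=(--exclude-paths /tmp/trufflehog-exclude.txt --concurrency 16 --json --no-update --results=verified,unverified)`, so the two code paths cannot drift. Separately, the pre-existing `> results.ndjson || true` turns a crashed or mis-invoked scan into an empty results file that the following "Process results" step will read as a clean run; worth a follow-up that checks the exit status and the file size before treating no findings as success.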
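Review bot: in PATCH 2/2, hunk `@@ -169,7 +169,6 @@` of reusable-trufflehog.yml (and likewise `@@ -182,7 +181,7 @@`), the change is an exact revert of PATCH 1/2: the index line goes from `ddc8a314` back to `1fd37f23`, the blob the series started from, so the workflow file has no net change across the two patches. Squash the series into a single commit carrying only the exclude-paths.txt change before merge; otherwise `main` records one commit that disables the Gitlab detector org-wide followed by one that re-enables it, which is a trap for anyone bisecting or cherry-picking the first without the second.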
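Review bot: in PATCH 2/2, hunk `@@ -29,3 +29,7 @@` of trufflehog/exclude-paths.txt, `\.yarn/releases/` excludes the whole directory in every org repo, not only the `yarn-*.cjs` bundle the commit message describes, so anything else a contributor commits under `.yarn/releases/` is never scanned anywhere in the org. The entries are regexes (the neighbouring `grafana\.json$` shows anchoring is available), so narrowing to the bundle file name, e.g. `\.yarn/releases/yarn-[^/]+\.cjs$`, keeps the fix and leaves the rest of that tree covered. Since the pattern is unanchored on the left it also matches a nested `packages/app/.yarn/releases/`, which is presumably intended for monorepos; say so in the comment, and state that the exclusion removes the file from secret scanning only, not from any integrity check on the vendored binary.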
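The keyword-proximity false positive described in the first commit message, and the way an entry in `trufflehog/exclude-paths.txt` decides which paths are scanned, as an added Python example that is not part of the patch, the Grafana workflow or TruffleHog's own code. It assumes, as the `#` comment lines in the existing file imply, that the exclude file holds one regex per line with blank and `#` lines skipped and each regex searched unanchored against the scanned path; `KEYWORD_TOKEN_RE` is a simplified stand-in for what the commit message says the v1 Gitlab detector matches, not the detector's actual pattern; the file contents and the token value are constructed placeholders; and `NARROW_EXCLUDE_PATHS` is a suggested tighter alternative, not something in the patch.

```python
"""
Added example (not from the patch, the Grafana workflow or TruffleHog):
reproduce the keyword-proximity false positive the commit message
describes and check which paths an exclude-paths list drops from a scan.
"""
import re
from typing import Dict, List, Tuple

# Assumption: exclude-paths is one regex per line, blank and '#' lines
# skipped, each regex searched (unanchored) against the file path.
ORG_EXCLUDE_PATHS = r"""
grafana\.json$
# Grafana dashboards (user-supplied site content, full of base64/hashes)
content/grafana/dashboards

# Yarn 4 release bundle (corepack-vendored, minified; not user code)
\.yarn/releases/
"""

# Suggested tighter alternative (not in the patch): only the bundle file.
NARROW_EXCLUDE_PATHS = r"""
\.yarn/releases/yarn-[^/]+\.cjs$
"""

# Simplified stand-in for the behaviour the commit message attributes to the
# v1 Gitlab detector: the keyword "gitlab" followed within 40 characters by
# a 20-22 character alphanumeric run. This is NOT TruffleHog's real pattern.
KEYWORD_TOKEN_RE = re.compile(
    r"gitlab.{0,40}?\b([A-Za-z0-9]{20,22})\b", re.IGNORECASE | re.DOTALL
)

# Constructed file contents. The .cjs line imitates a minified Yarn config
# object; "Ab3dEf6hIj9kLmN0pQrS" is a placeholder, not a real credential.
SAMPLE_FILES: Dict[str, str] = {
    ".yarn/releases/yarn-4.15.0.cjs":
        '{npmRegistryServer:"https://gitlab.example/api/v4/packages/npm/",'
        "npmPublishProvenance:!1,npmAlwaysAuth:!1}",
    ".yarn/releases/notes.txt": "see gitlab wiki\nAb3dEf6hIj9kLmN0pQrS\n",
    "config/ci.env": "GITLAB_TOKEN=Ab3dEf6hIj9kLmN0pQrS\n",
    "content/grafana/dashboards/node.json": '{"gitlab": "Ab3dEf6hIj9kLmN0pQrS"}',
}


def parse_exclude_patterns(text: str) -> List[re.Pattern]:
    """Compile the non-comment, non-blank lines of an exclude-paths file."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def is_excluded(path: str, patterns: List[re.Pattern]) -> bool:
    """A path is skipped when any exclude regex matches anywhere in it."""
    return any(p.search(path) for p in patterns)


def keyword_candidates(content: str) -> List[str]:
    """Every token the stand-in detector would report for one file."""
    return [m.group(1) for m in KEYWORD_TOKEN_RE.finditer(content)]


def scan(files: Dict[str, str], exclude_text: str) -> List[Tuple[str, str]]:
    """(path, candidate) for each hit in a file the exclude list lets through."""
    patterns = parse_exclude_patterns(exclude_text)
    hits: List[Tuple[str, str]] = []
    for path, content in files.items():
        if is_excluded(path, patterns):
            continue
        for candidate in keyword_candidates(content):
            hits.append((path, candidate))
    return hits


if __name__ == "__main__":
    for label, excl in (("no exclusions", ""),
                        ("org list", ORG_EXCLUDE_PATHS),
                        ("narrow list", NARROW_EXCLUDE_PATHS)):
        print(f"{label}: {scan(SAMPLE_FILES, excl)}")
```

With no exclusions the stand-in fires on all four constructed files, including `npmPublishProvenance` in the bundle; the org list drops both files under `.yarn/releases/` and the dashboard JSON, leaving only `config/ci.env`; the narrower pattern drops the bundle alone, so the stray `notes.txt` under the same directory is still scanned.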