From af5261430cef00df21258767a143940148b25e6e Mon Sep 17 00:00:00 2001 From: Isaiah Grigsby Date: Tue, 26 May 2026 15:26:16 -0500 Subject: [PATCH 1/4] fix(trufflehog): do not upload raw secrets in workflow artifacts Strip Raw/RawV2/Redacted and unsafe ExtraData before upload. Bench and artifacts use results-sanitized.json only. Addresses public-repo artifact download exposing trufflehog findings with secret material. --- .github/workflows/reusable-trufflehog.yml | 32 +++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml index 1fd37f23..4f225eac 100644 --- a/.github/workflows/reusable-trufflehog.yml +++ b/.github/workflows/reusable-trufflehog.yml @@ -350,6 +350,34 @@ jobs: fi } > trufflehog_scan.txt + - name: Sanitize results for artifacts and bench + if: always() + run: | + if [[ -f results.json && -s results.json ]] && jq empty results.json 2>/dev/null; then + jq '[.[] | { + SourceMetadata, + SourceID, + SourceType, + SourceName, + DetectorType, + DetectorName, + DetectorDescription, + DecoderName, + Verified, + VerificationFromCache, + ExtraData: ( + if (.ExtraData | type) == "object" then + .ExtraData | with_entries(select(.key == "username" or .key == "name" or .key == "url")) + else + {} + end + ) + }]' results.json > results-sanitized.json + else + echo "[]" > results-sanitized.json + fi + rm -f results.json results.ndjson + - name: Copy exclude file into workspace for artifact upload if: always() run: cp /tmp/trufflehog-exclude.txt trufflehog-exclude.txt 2>/dev/null || true @@ -361,7 +389,7 @@ jobs: name: trufflehog_scan path: | trufflehog_scan.txt - results.json + results-sanitized.json trufflehog-exclude.txt if-no-files-found: warn retention-days: 2 @@ -445,4 +473,4 @@ jobs: --log-level debug \ --prometheus-metrics \ ${EXCLUDE_FLAG} \ - /tests/results.json + /tests/results-sanitized.json 
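Review bot: The allow-list projection in the `Sanitize results` step assumes `results.json` is one top-level JSON array, but `jq empty` accepts any well-formed input, so if the conversion step outside this hunk ever leaves the file as NDJSON or a bare object (the `rm -f results.ndjson` suggests TruffleHog's line-delimited output is converted earlier), `.[]` walks field values, jq aborts on the first non-object, and under the default errexit shell the step exits with a truncated `results-sanitized.json` and the raw `results.json` still on the runner. Normalising the shape first covers both layouts and costs one line: `jq -s '[.[] | (if type == "array" then .[] else . end) | select(type == "object") | {`. `SourceMetadata` is passed through whole and `Verified` is kept, so on a public repository the artifact still maps each live secret to its commit/file/line; that is presumably acceptable for the bench, but confirm that no source type in use puts raw content inside `SourceMetadata`. `trufflehog_scan.txt`, written just above this step by code outside the hunk, is still uploaded, so check it does not echo `Raw`/`Redacted` values either. The enclosing `secret-scan` job starts and ends outside the hunk.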
From 8dbcf66c659f797830d6de27e0fa374b96e52869 Mon Sep 17 00:00:00 2001
From: Isaiah Grigsby
Date: Thu, 28 May 2026 10:53:13 -0500
Subject: [PATCH 2/4] Update TruffleHog workflow to use fixed branch

---
 .github/workflows/org-required-trufflehog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/org-required-trufflehog.yml b/.github/workflows/org-required-trufflehog.yml
index 5d35841f..98583f22 100644
--- a/.github/workflows/org-required-trufflehog.yml
+++ b/.github/workflows/org-required-trufflehog.yml
@@ -21,7 +21,7 @@ permissions: jobs: secret-scan: name: TruffleHog Secret Scan
- uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@main
+ uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@fix/trufflehog-artifcat-no-secrets
 with: # Non-blocking: job succeeds; PR still gets comments/artifacts when findings exist fail-on-verified: "false" # Set "true" to fail on verified secrets

From 67c9a705cf56740363d0aad775424803a6e1e14b Mon Sep 17 00:00:00 2001
From: Isaiah Grigsby
Date: Tue, 26 May 2026 16:41:17 -0500
Subject: [PATCH 3/4] fix: correct reusable-trufflehog branch ref typo in org-required workflow

The ruleset test path referenced fix/trufflehog-artifcat-no-secrets, which does not exist; use fix/trufflehog-artifact-no-secrets so required checks start.

Co-authored-by: Cursor
---
 .github/workflows/org-required-trufflehog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/org-required-trufflehog.yml b/.github/workflows/org-required-trufflehog.yml
index 98583f22..a2f08b1b 100644
--- a/.github/workflows/org-required-trufflehog.yml
+++ b/.github/workflows/org-required-trufflehog.yml
@@ -21,7 +21,7 @@ permissions: jobs: secret-scan: name: TruffleHog Secret Scan
- uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@fix/trufflehog-artifcat-no-secrets
+ uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@fix/trufflehog-artifact-no-secrets
 with: # Non-blocking: job succeeds; PR still gets comments/artifacts when findings exist fail-on-verified: "false" # Set "true" to fail on verified secrets

From 39d63bb14dc25810cba28d60337491ff9189fd28 Mon Sep 17 00:00:00 2001
From: Isaiah Grigsby
Date: Tue, 26 May 2026 16:41:17 -0500
Subject: [PATCH 4/4] chore: point org-required-trufflehog back at main for merge

The feature-branch ref was only for ruleset testing; org-required should call reusable-trufflehog @main once sanitize lands on main.
---
 .github/workflows/org-required-trufflehog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/org-required-trufflehog.yml b/.github/workflows/org-required-trufflehog.yml
index a2f08b1b..5d35841f 100644
--- a/.github/workflows/org-required-trufflehog.yml
+++ b/.github/workflows/org-required-trufflehog.yml
@@ -21,7 +21,7 @@ permissions: jobs: secret-scan: name: TruffleHog Secret Scan
- uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@fix/trufflehog-artifact-no-secrets
+ uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@main
 with: # Non-blocking: job succeeds; PR still gets comments/artifacts when findings exist fail-on-verified: "false" # Set "true" to fail on verified secrets