Skip to content

build(deps): bump trufflesecurity/trufflehog from 3.95.6 to 3.95.7#35

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/trufflesecurity/trufflehog-3.95.7
Closed

build(deps): bump trufflesecurity/trufflehog from 3.95.6 to 3.95.7#35
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/trufflesecurity/trufflehog-3.95.7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps trufflesecurity/trufflehog from 3.95.6 to 3.95.7.

Release notes

Sourced from trufflesecurity/trufflehog's releases.

v3.95.7

What's Changed

New Contributors

Full Changelog: trufflesecurity/trufflehog@v3.95.6...v3.95.7

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) from 3.95.6 to 3.95.7.
- [Release notes](https://github.com/trufflesecurity/trufflehog/releases)
- [Commits](trufflesecurity/trufflehog@v3.95.6...v3.95.7)

---
updated-dependencies:
- dependency-name: trufflesecurity/trufflehog
  dependency-version: 3.95.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 1, 2026 06:46
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@github-actions github-actions Bot added the build label Jul 1, 2026
@clawsweeper

clawsweeper Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 7, 2026, 1:31 PM ET / 17:31 UTC.

Summary
The PR updates .github/workflows/secret-scan.yml to use trufflesecurity/trufflehog@v3.95.7 instead of v3.95.6.

Reproducibility: not applicable. This is a dependency update PR, and the review checked the workflow diff, current main, and PR check rollup rather than reproducing a product bug.

Review metrics: 2 noteworthy metrics.

  • Workflow ref changed: 1 action ref updated. The entire code surface is the TruffleHog action version in the secret-scan workflow.
  • Check rollup: 10 successful, 1 skipped. CI, CodeQL, and secret-scan completed without failures on the PR head.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🌊 off-meta tidepool
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

  • [P1] The only residual risk is ordinary trust in the upstream TruffleHog patch release; the workflow permissions remain read-only and the PR check rollup is green.

Maintainer options:

  1. Decide the mitigation before merge
    Merge the clean Dependabot patch if maintainers are comfortable taking TruffleHog v3.95.7; otherwise let Dependabot recreate or advance the GitHub Actions bump.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

  • [P2] No repair lane is needed because there are no review findings; this can proceed through ordinary maintainer review and merge checks.

Security
Cleared: The diff only advances an existing TruffleHog GitHub Action ref under unchanged read-only workflow permissions and adds no scripts, secrets, or broader permissions.

Review details

Best possible solution:

Merge the clean Dependabot patch if maintainers are comfortable taking TruffleHog v3.95.7; otherwise let Dependabot recreate or advance the GitHub Actions bump.

Do we have a high-confidence way to reproduce the issue?

Not applicable. This is a dependency update PR, and the review checked the workflow diff, current main, and PR check rollup rather than reproducing a product bug.

Is this the best way to solve the issue?

Yes. A one-line version bump in the existing secret-scan workflow is the narrowest maintainable path for this patch update.

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against b5c480e0492b.

Label changes

Label justifications:

  • P3: This is a low-risk Dependabot patch update to a GitHub Actions security-scan dependency.
  • rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🌊 off-meta tidepool and patch quality is 🦞 diamond lobster.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Not applicable because this is a Dependabot bot dependency bump; the PR check rollup already shows the updated workflow path completed successfully.
Evidence reviewed

What I checked:

Likely related people:

  • Peter Steinberger: Git blame and file history show this author introduced the secret-scan workflow, Dependabot config, and CODEOWNERS routing in the v0.3.1 preparation commit. (role: introduced behavior; confidence: high; commits: 2cc577b8ebf4; files: .github/workflows/secret-scan.yml, .github/dependabot.yml, .github/CODEOWNERS)
  • Vincent Koc: Recent history shows this author hardened the secret-scan workflow after the initial release commit. (role: recent area contributor; confidence: high; commits: 4156d9f6390d; files: .github/workflows/secret-scan.yml)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (2 earlier review cycles)
  • reviewed 2026-07-01T07:14:29.959Z sha 3dbb0ee :: needs maintainer review before merge. :: none
  • reviewed 2026-07-05T10:30:30.257Z sha 3dbb0ee :: needs maintainer review before merge. :: none

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels Jul 1, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #37.

@dependabot dependabot Bot closed this Jul 8, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/trufflesecurity/trufflehog-3.95.7 branch July 8, 2026 06:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

build dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant