build(deps): bump trufflesecurity/trufflehog from 3.95.6 to 3.95.8#37
build(deps): bump trufflesecurity/trufflehog from 3.95.6 to 3.95.8#37dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) from 3.95.6 to 3.95.8. - [Release notes](https://github.com/trufflesecurity/trufflehog/releases) - [Commits](trufflesecurity/trufflehog@v3.95.6...v3.95.8) --- updated-dependencies: - dependency-name: trufflesecurity/trufflehog dependency-version: 3.95.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
|
Codex review: needs maintainer review before merge. Reviewed July 8, 2026, 2:47 AM ET / 06:47 UTC. Summary Reproducibility: not applicable. This is a dependency update PR, and the review checked the workflow diff, current main, upstream tag, and PR check rollup rather than reproducing a product bug. Review metrics: 2 noteworthy metrics.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Risk before merge
Maintainer options:
Next step before merge
Security Review detailsBest possible solution: Merge the clean Dependabot patch if maintainers are comfortable taking TruffleHog v3.95.8; otherwise let Dependabot recreate or advance the GitHub Actions bump. Do we have a high-confidence way to reproduce the issue? Not applicable. This is a dependency update PR, and the review checked the workflow diff, current main, upstream tag, and PR check rollup rather than reproducing a product bug. Is this the best way to solve the issue? Yes. A one-line version bump in the existing secret-scan workflow is the narrowest maintainable path for this patch update. AGENTS.md: not found in the target repository. Codex review notes: model internal, reasoning high; reviewed against b5c480e0492b. Label changesLabel changes:
Label justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
Bumps trufflesecurity/trufflehog from 3.95.6 to 3.95.8.
Release notes
Sourced from trufflesecurity/trufflehog's releases.
Commits
00155c9Include encoded resume info instead of clobbering it (#5110)4d3a66ffixed syntax error (#5109)797f02b[INS-334] Octopus Deploy detector (#4787)7f04a89[INS-465] Skip unverified JWT Detector results when feature flag is enabled (...459d5a7Add prometheus metrics for engine channels and workers (#5095)f38f8f7fix(azuresastoken): match SAS tokens regardless of parameter order (#5043)6261f5cremoved "unauthorized" as exception for rotated graphana secrets (#5068)f446421[INS-407] Fixed AWS detector producing non deterministic output (#4836)885fa2d[INS-197] Add redhatpyxis api key detector (#4995)c09d726[INS-497] Add Pganalyze Read Key Detector (#4993)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)