chore: add trufflehog scan #1238
Draft: isaiah-grafana wants to merge 92 commits into main from pr/trufflehog-scan
Conversation
- Replace actions/github-script with int128/comment-action pattern
- Use standard GitHub template in hide-comment-action ends-with
- Generate comment body in shell script to avoid template injection
- Use steps.hide-comments.outputs.ends-with for automatic identifier
- Matches exact pattern used in reusable-zizmor.yml workflow

This should properly dismiss previous TruffleHog comments before posting new ones.
Clean up any trailing spaces to pass pre-commit hooks.
- Use proper heredoc syntax (body<<EOF) instead of inline multiline strings
- Fixes 'Invalid format' error when generating comment body with special characters
- Each line properly separated to avoid output parsing issues

Resolves: Error: Invalid format '**Summary:** Found X potential secrets'
Clean up trailing spaces to ensure pre-commit hooks pass.
- Add repository ownership check: github.event.pull_request.head.repo.full_name == github.repository
- Add !cancelled() condition to prevent skipping on cancellation
- Apply to all comment-related steps: hide-comments, comment-body, comment-on-pr
- This ensures proper permissions for pull-requests: write from same repo

Without this condition, the hide-comment-action doesn't work properly for external PRs.

- Replace int128/hide-comment-action with custom GitHub Script approach
- Search for ALL comments containing 'TruffleHog Scan Results' regardless of format
- Hide previous comments by wrapping in <details> minimized sections
- Handles legacy comments created with different patterns/identifiers
- More robust than pattern-matching with ends-with approach

This will hide ALL previous TruffleHog comments, not just recent ones with matching patterns.
- Move github.workflow and github.job to environment variables
- Use process.env.WORKFLOW_NAME and process.env.JOB_NAME in JavaScript
- Prevents code injection via template expansion in core.setOutput calls
- Maintains same functionality while being security compliant

Resolves high-severity template-injection findings in comment hiding logic.

- Remove custom GitHub Script comment hiding approach
- Use int128/hide-comment-action exactly like zizmor workflow
- Use GitHub's native comment hiding API instead of manual body updates
- Pattern: ends-with '<!-- comment-action/workflow/job -->'
- This properly hides comments instead of just updating their content

Future TruffleHog comments will be properly hidden by the hide-comment-action.
Add clarification that detectors handle both Grafana secrets and service account tokens.
- Change from fixed {48} to flexible {40,50} character range
- Actual Grafana token has 43 characters after 'glsa_' prefix
- This should now properly detect: glsa_Nyei7zjtKRWiW7j2lCsgG9ZFAicaBzFW_4ba8b21c
- Updated both standalone and prefixed token patterns

Expected: TruffleHog should now detect all 3 secrets (2 GitHub + 1 Grafana).

TruffleHog v3.75.0 has built-in support for:
- Grafana: For Grafana API keys
- GrafanaServiceAccount: For service account tokens (glsa_)

Removed custom detector configuration that was likely interfering with built-in detection. Now using TruffleHog's native Grafana detection capabilities.

Expected: Should now detect glsa_ tokens with built-in GrafanaServiceAccount detector.

Since built-in GrafanaServiceAccount detector isn't working, add a simple custom detector:
- Uses flexible pattern: glsa_[A-Za-z0-9_]+
- Should detect any glsa_ token format
- Added --config parameter back to all TruffleHog commands

This should reliably detect Grafana service account tokens.

…count detector

TruffleHog v3.75.0 should have native support for:
- GitHub PATs (GitHub detector)
- Grafana Service Account tokens (GrafanaServiceAccount detector)

Testing with no custom configuration to verify built-in detection works properly.
- Optimize scan results filtering to reduce false positives
- Add smart filtering flags: --results=verified,unverified --filter-unverified --filter-entropy=3.0
- Limit git history depth with --max-depth=10 for faster scans
- Use built-in detectors only for better maintainability
- Improve comment formatting and PR integration
- Add proper error handling and result processing
- Enhance GitHub status check reporting

This reduces scan noise significantly while maintaining security coverage.
Remove severity prefix from scan results title for cleaner appearance.
Change default scan-type from 'both' to 'filesystem' to prevent duplicate scans. This should reduce from 4 separate checks to 1 single check.
Create downloadable trufflehog_scan artifact containing:
- Comprehensive scan report with metadata
- Summary of findings (verified/unverified counts)
- Detailed results with file locations and redacted secrets
- 30-day retention for audit purposes
Move GitHub context variables to environment variables to prevent code injection:
- github.repository → REPOSITORY env var
- github.ref_name → BRANCH env var
- github.sha → COMMIT env var
- steps.scan.outputs.* → *_SECRETS env vars

This prevents potential template expansion attacks.
Remove unused SEVERITY variable that was left over from when we simplified the output format to just show 'TruffleHog Scan Results' without severity prefix.
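The two hardening steps the commits above describe (building the comment body from environment variables instead of `${{ }}` expressions, and writing it to GITHUB_OUTPUT with heredoc syntax) as one added example; this is not code from the PR. The env names REPOSITORY, BRANCH and COMMIT follow the commit message, while VERIFIED_SECRETS, UNVERIFIED_SECRETS, the function names and the delimiter prefix are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR. Builds the TruffleHog PR comment body from
# environment variables and writes it to $GITHUB_OUTPUT with the heredoc
# (name<<DELIM) syntax. The workflow is assumed to map the GitHub context into
# env (REPOSITORY, BRANCH, COMMIT, VERIFIED_SECRETS, UNVERIFIED_SECRETS), so no
# `${{ }}` expression is ever interpolated into this script text.
set -eu

# Build the comment body from shell variables only. Because the Actions
# template engine never expands these values, a branch name or finding that
# contains quotes, backticks or "${{ ... }}" is treated as plain text.
build_comment_body() {
  local verified="${VERIFIED_SECRETS:-0}" unverified="${UNVERIFIED_SECRETS:-0}"
  local total=$((verified + unverified))
  printf '%s\n' \
    "## TruffleHog Scan Results" \
    "" \
    "**Summary:** Found ${total} potential secrets (${verified} verified, ${unverified} unverified)" \
    "" \
    "- Repository: ${REPOSITORY:-unknown}" \
    "- Branch: ${BRANCH:-unknown}" \
    "- Commit: ${COMMIT:-unknown}"
}

# Write a multiline value to $GITHUB_OUTPUT as name<<DELIM ... DELIM.
# A one-line "name=value" cannot carry newlines, which is what produced the
# "Invalid format" error in the commit message. A random delimiter keeps a
# value that itself contains a line reading "EOF" from closing the block early.
write_multiline_output() {
  local name="$1" value="$2" delim
  delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  case "$value" in
    *"$delim"*) echo "delimiter collision, refusing to write output" >&2; return 1 ;;
  esac
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}"
}

# In the workflow step: write_multiline_output body "$(build_comment_body)"
# and read it back as steps.comment-body.outputs.body in the comment step.
```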
This is testing out a workflow for trufflehog