Skip to content

PDP-684 Add TruffleHog secret scanning workflow for PR validation #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
GAdityaVarma wants to merge 62 commits into
base: main
Choose a base branch
from
Open

PDP-684 Add TruffleHog secret scanning workflow for PR validation #16

GAdityaVarma wants to merge 62 commits into from

Conversation

@GAdityaVarma
Copy link
Collaborator

@GAdityaVarma GAdityaVarma commented Jan 7, 2026
edited
Loading

Summary

Introduces a centralized TruffleHog secret scanning workflow that automatically scans all pull requests for exposed secrets (API keys, passwords, tokens, etc.) across the organization.

This implementation:

  • Scans PR commits for leaked secrets (API keys, passwords, tokens, etc.)
  • Classifies findings as verified (confirmed active) or unverified (potential match)
  • Posts PR comments with detailed findings when secrets are detected
  • Sets commit status to pass/fail based on scan results

Features

  • Scans only modified files in PRs (fast and efficient)
  • Works with PRs from forks (public and private)
  • Configurable exclusion patterns using regex
  • Supports org-level defaults with repo-level overrides
  • No workflow file needed in individual repos (uses org rulesets)

How It Works

  1. PR is created or updated
  2. Workflow determines PR type (fork vs same-repo)
  3. Fetches PR commits and applies exclusion patterns
  4. Runs TruffleHog scan on the diff between base and head
  5. If secrets found: posts PR comment and fails the check
  6. If no secrets: sets status to success (no comment posted)

Configuration

  • Set TRUFFLEHOG_EXCLUDES variable at org or repo level for custom exclusions
  • Default exclusions include: node_modules, vendor, lock files, minified files

Tested here:
https://github.com/marklogic/copyrighttest/pull/79
https://github.com/marklogic/copyrighttest/pull/78
https://github.com/marklogic/copyrighttest/pull/77

@GAdityaVarma
Add TruffleHog secret scanning workflow and docs
43162b1 
Introduces a centralized GitHub Actions workflow for scanning pull requests for secrets using TruffleHog. Includes a detailed README with setup instructions, exclusion pattern configuration, override options, and troubleshooting guidance.
@GAdityaVarma
Update README.md
200cee2
@GAdityaVarma
Update trufflehog-scan.yml
bf7b85b
@GAdityaVarma
Update trufflehog-scan.yml
527f3f2
@GAdityaVarma
Update trufflehog-scan.yml
599658f
@GAdityaVarma
Enhance TruffleHog workflow with PR comments and commit status
f42179b 
The workflow now posts PR comments with secret scan findings, sets commit status to pass/fail, and provides clearer merge blocking. Documentation was updated and renamed to trufflehog_readme.md to reflect new features, including secret classification and improved fork PR support.
Copilot AI reviewed Jan 7, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a centralized TruffleHog secret scanning workflow that automatically validates pull requests across the organization by detecting exposed secrets such as API keys, passwords, and tokens. The workflow runs on all PRs, posts detailed findings as comments when secrets are detected, and sets commit statuses to block merges when necessary.

Key Changes:

  • Implements GitHub Actions workflow with dual triggers (pull_request and pull_request_target) to handle both same-repo and fork PRs
  • Configurable exclusion patterns via TRUFFLEHOG_EXCLUDES variable with org-level defaults and repo-level overrides
  • Automated PR commenting with remediation steps and commit status updates based on scan results

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
trufflehog_readme.md Comprehensive documentation covering setup, configuration, exclusion patterns, workflow triggers, and troubleshooting
.github/workflows/trufflehog-scan.yml GitHub Actions workflow implementing secret scanning with TruffleHog, exclusion handling, result processing, and PR status updates

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@GAdityaVarma GAdityaVarma requested review from Pragathi-28 and brijeshp56 and removed request for Copilot January 7, 2026 13:33
@GAdityaVarma
Update trufflehog_readme.md
e496bac 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
SameeraPriyathamTadikonda
SameeraPriyathamTadikonda requested changes Jan 7, 2026
View reviewed changes
@GAdityaVarma
Update trufflehog-scan.yml
d279b66
@GAdityaVarma
Update trufflehog-scan.yml
1aae01b
@GAdityaVarma
Update trufflehog-scan.yml
77909eb
@GAdityaVarma
Update trufflehog-scan.yml
c120b09
@GAdityaVarma
Update TruffleHog workflow to handle resolved secrets
174b7d0 
Adds a workflow step to update the PR comment when previously detected secrets are resolved, marking the PR as clear. Updates documentation to clarify that exclusion patterns are additive, describes the new comment update behavior, and improves the remediation and PR comment sections for clarity.
@GAdityaVarma
Update trufflehog-scan.yml
7ded023
@GAdityaVarma
Update trufflehog-scan.yml
40260d7
@GAdityaVarma
Update trufflehog-scan.yml
5907188
@GAdityaVarma
Update trufflehog-scan.yml
c38506c
@GAdityaVarma
Remove workflow_dispatch trigger for ruleset compatibility
6f0f819
@GAdityaVarma GAdityaVarma reopened this Jan 9, 2026
brijeshp56 and others added 30 commits January 12, 2026 17:57
@brijeshp56
PDP-684: Update the existing pull request comment if secrets are reso…
0666566 
…lved. (#18)

* PDP-684: updated the workflow for updating the pullrequest comment

* PDP-684: Updated to update the comment
@brijeshp56
PDP-684: Updated workflow to make sure to scan renamed files
06a1ac7
@brijeshp56
Merge branch 'agottumu_dev' into brijesh-dev
518c5d2
@brijeshp56
Merge pull request #19 from marklogic/brijesh-dev
41f9c2d 
PDP-684 : updated workflow for handling renamed files
@brijeshp56
PDP-684 : Update trufflehog-scan.yml
e7e2b95 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
Merge pull request #20 from marklogic/brijesh-dev
38832a6 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
PDP-684 : Update trufflehog-scan.yml
09da209 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
Merge pull request #21 from marklogic/brijesh-dev
df754f4 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
PDP-684 : Update trufflehog-scan.yml
08e940a 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
Merge pull request #22 from marklogic/brijesh-dev
7ba41eb 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
PDP-684 : Update trufflehog-scan.yml
d385450 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
Merge pull request #23 from marklogic/brijesh-dev
b9540ef 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
PDP-684 : Update trufflehog-scan.yml for detecting the renamed files
34848a0 
PDP-684 : Update trufflehog-scan.yml for detecting the renamed files
@brijeshp56
Merge branch 'agottumu_dev' into brijesh-dev-backup
d64d46d
@brijeshp56
Merge pull request #25 from marklogic/brijesh-dev-backup
6cb4ee6 
PDP-684 : Update trufflehog-scan.yml for detecting the renamed files
@brijeshp56
PDP-684 : Update trufflehog-scan.yml
a0015e2 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
Merge pull request #26 from marklogic/brijesh-dev-backup
20049b3 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
PDP-684 : Update trufflehog-scan.yml
f4e15b5 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
Merge pull request #27 from marklogic/brijesh-dev-backup
709c401 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
PDP-684 : Update trufflehog-scan.yml
9494c79 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
Merge pull request #28 from marklogic/brijesh-dev-backup
7cc1131 
PDP-684 : Update trufflehog-scan.yml
@brijeshp56
PDP-684: updated workflow to checkout only head commit
0a33191
@brijeshp56
Merge branch 'agottumu_dev' into brijesh-dev
e6fa7a0
@brijeshp56
Merge pull request #29 from marklogic/brijesh-dev
74e685b 
PDP-684: updated workflow to checkout only head commit
@brijeshp56
PDP-684: updated workflow to checkout only head commit1
d653ce8
@brijeshp56
Merge branch 'brijesh-dev' of https://github.com/marklogic/pr-workflows
2029065 
… into brijesh-dev
@brijeshp56
Merge pull request #30 from marklogic/brijesh-dev
46305c1 
PDP-684 : Updated the workflow to fetch right commit
@brijeshp56
PDP-684 : Reverting my changes for trufflehog
a7b8ecd
@brijeshp56
Merge pull request #31 from marklogic/brijesh-dev
4f60581 
PDP-684 : Reverting my changes for trufflehog
@GAdityaVarma
Update trufflehog-scan.yml
f21206b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@SameeraPriyathamTadikonda SameeraPriyathamTadikonda SameeraPriyathamTadikonda requested changes

@brijeshp56 brijeshp56 Awaiting requested review from brijeshp56

@Pragathi-28 Pragathi-28 Awaiting requested review from Pragathi-28

@nagalakshmi2024 nagalakshmi2024 Awaiting requested review from nagalakshmi2024

@rpullepu rpullepu Awaiting requested review from rpullepu

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@GAdityaVarma @SameeraPriyathamTadikonda @brijeshp56