Description
Is your enhancement related to a problem? Please describe.
We need to prevent secrets and API keys from being committed to our codebase. While we're careful, credentials can slip through during development. Adding a TruffleHog GitHub Action to our CI/CD pipeline will help prevent this. The workflow will scan commits for exposed secrets, block merges when secrets are detected, and run automatically on pull requests. This automated check will catch leaked credentials before they reach production, prevent security vulnerabilities, and maintain our code quality standards.
Here is what I am using in an existing project.
```yaml
name: Secret Scanning

on:
  pull_request:

jobs:
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history so the action can diff the PR's base..head range
          fetch-depth: 0

      - name: Trufflehog exclusions
        # Create a default exclude list only when the repo does not ship one
        run: |
          if [ ! -f .trufflehog-exclude.txt ]; then
            echo "# Paths to exclude from TruffleHog scanning" > .trufflehog-exclude.txt
            echo "node_modules/" >> .trufflehog-exclude.txt
            echo "vendor/" >> .trufflehog-exclude.txt
            echo "dist/" >> .trufflehog-exclude.txt
            echo "build/" >> .trufflehog-exclude.txt
          fi

      - name: Run Trufflehog on latest commits
        id: trufflehog
        # @main is an unpinned ref; a release tag or commit SHA is safer for CI
        uses: trufflesecurity/trufflehog@main
        # Let the step fail without aborting the job so the next step can surface it
        continue-on-error: true
        with:
          path: ./
          # Report verified secrets and ones whose verification errored ("unknown");
          # plain unverified matches do not fail the scan
          extra_args: --results=verified,unknown --exclude-paths .trufflehog-exclude.txt

      - name: Trufflehog Scan Failure
        if: steps.trufflehog.outcome == 'failure'
        run: exit 1
```
Designs
No response
Describe alternatives you've considered
No response
Code of Conduct
- I agree to follow this project's Code of Conduct
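The workflow above relies on TruffleHog's own exit status with `--results=verified,unverified`. The script below is an added example, not part of this issue and not TruffleHog's code: it applies the same gate to TruffleHog's `--json` line output, failing on `verified` and `unknown` findings while only reporting `unverified` ones, and never echoing the raw secret into CI logs. The field names it reads (`Verified`, `VerificationError`, `DetectorName`, `Redacted`, `SourceMetadata.Data.Git.*`) are assumed to match TruffleHog v3 JSON output and should be checked against the version you run; the sample records are constructed with fake values.

```python
"""Gate a CI job on TruffleHog --json findings (added example, not project code).

Policy mirrors `--results=verified,unknown`: a verified secret, or one whose
verification attempt errored, blocks; an unverified match is informational.
Field names below are an assumption about TruffleHog v3 JSON output.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample of TruffleHog `--json` output: one JSON object per line.
# All values are fake; only the field layout is meant to mirror v3 output.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({
        "SourceMetadata": {"Data": {"Git": {
            "commit": "0123456789abcdef0123456789abcdef01234567",
            "file": "config/prod.env", "line": 4}}},
        "DetectorName": "AWS", "Verified": True,
        "Raw": "AKIAFAKEFAKEFAKEFAKE", "Redacted": "AKIA************FAKE",
    }),
    json.dumps({
        "SourceMetadata": {"Data": {"Git": {
            "commit": "89abcdef0123456789abcdef0123456789abcdef",
            "file": "scripts/deploy.sh", "line": 17}}},
        "DetectorName": "Slack", "Verified": False,
        "VerificationError": "dial tcp: i/o timeout",
        "Raw": "xoxb-000000000000-000000000000-FAKEFAKEFAKEFAKEFAKE",
    }),
    json.dumps({
        "SourceMetadata": {"Data": {"Git": {
            "commit": "fedcba9876543210fedcba9876543210fedcba98",
            "file": "README.md", "line": 42}}},
        "DetectorName": "URI", "Verified": False,
        "Raw": "https://user:pass@example.com/",
    }),
])

# Categories that fail the build, matching --results=verified,unknown
BLOCKING = {"verified", "unknown"}


@dataclass
class Finding:
    detector: str
    category: str   # "verified" | "unknown" | "unverified"
    file: str
    commit: str     # abbreviated commit hash
    line: int
    hint: str       # redacted form of the secret, safe to log


def classify(record: dict) -> str:
    """Map one TruffleHog record onto the --results categories."""
    if record.get("Verified"):
        return "verified"
    if record.get("VerificationError"):   # verification attempted but errored
        return "unknown"
    return "unverified"


def mask(raw: str) -> str:
    """Keep a short prefix so the finding is recognisable, hide the rest."""
    return raw[:4] + "*" * max(len(raw) - 4, 0)


def parse_findings(json_lines: str) -> list[Finding]:
    """Parse newline-delimited JSON records into Finding objects."""
    findings: list[Finding] = []
    for raw in json_lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        git = rec.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        findings.append(Finding(
            detector=rec.get("DetectorName", "?"),
            category=classify(rec),
            file=git.get("file", "?"),
            commit=str(git.get("commit", "?"))[:12],
            line=int(git.get("line", 0)),
            # Prefer TruffleHog's own redaction; otherwise mask the raw value
            hint=rec.get("Redacted") or mask(rec.get("Raw", "")),
        ))
    return findings


def gate(findings: list[Finding], blocking: set[str] = BLOCKING) -> tuple[int, list[str]]:
    """Return (exit_code, report_lines); exit code 1 if any blocking finding."""
    report, blocked = [], 0
    for f in findings:
        is_block = f.category in blocking
        blocked += is_block
        tag = "BLOCK" if is_block else "info"
        report.append(f"[{tag}] {f.category:<10} {f.detector:<6} "
                      f"{f.file}:{f.line} ({f.commit}) {f.hint}")
    return (1 if blocked else 0), report


if __name__ == "__main__":
    import sys
    code, lines = gate(parse_findings(SAMPLE_OUTPUT))
    print("\n".join(lines))
    sys.exit(code)
```

In a real job you would pipe `trufflehog git file://. --json ...` into `parse_findings` instead of the embedded sample; the point of the separate gate is that the decision about which categories block stays in one reviewable place, and the log shows only the redacted hint, not the credential itself.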