PDP-684: updated workflow for updating the comment #17
Conversation
Introduces a centralized GitHub Actions workflow for scanning pull requests for secrets using TruffleHog. Includes a detailed README with setup instructions, exclusion pattern configuration, override options, and troubleshooting guidance.
The workflow now posts PR comments with secret scan findings, sets commit status to pass/fail, and provides clearer merge blocking. Documentation was updated and renamed to trufflehog_readme.md to reflect new features, including secret classification and improved fork PR support.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Adds a workflow step to update the PR comment when previously detected secrets are resolved, marking the PR as clear. Updates documentation to clarify that exclusion patterns are additive, describes the new comment update behavior, and improves the remediation and PR comment sections for clarity.
Enhances the TruffleHog GitHub Actions workflow to better distinguish between scan errors and actual secret findings, adding a verification step for failed scans. Updates documentation to clarify exclusion pattern behavior, workflow triggers, and runtime logic for more accurate and secure secret scanning.
Pull request overview
This PR introduces TruffleHog secret scanning automation for pull requests to detect and prevent exposure of sensitive credentials like API keys, passwords, and tokens.
Changes:
- Adds comprehensive documentation for TruffleHog secret scanning workflow setup and usage
- Implements GitHub Actions workflow for automated secret scanning on PRs
- Creates alternate workflow file (brijesh variant) with updated comment handling logic
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| trufflehog_readme.md | Comprehensive documentation covering workflow features, setup instructions, exclusion patterns, and remediation guidance |
| .github/workflows/trufflehog-scan.yml | Primary workflow implementing TruffleHog scanning with verification-based blocking and PR comment updates |
| .github/workflows/trufflehog-scan-brijesh.yml | Alternate workflow variant with simplified comment update logic (always updates when no secrets found) |
| // Check if existing comment was a critical/blocking one (had verified secrets) | ||
| const wasBlocking = existing.body.includes('CRITICAL') || existing.body.includes(':rotating_light:'); | ||
| if (wasBlocking) { |
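Review bot: `wasBlocking` on the second line is derived from `existing.body` without first confirming that `existing` is the workflow's own earlier comment; any earlier comment whose text happens to contain the word CRITICAL or the :rotating_light: emoji, a human reviewer's included, would be treated as a blocking scan comment and later rewritten. Suggest selecting `existing` by author login plus a fixed marker the workflow emits (e.g. `<!-- trufflehog-scan -->`) and deriving `wasBlocking` from that marker rather than from the rendered text.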
Copilot AI, Jan 12, 2026
The logic checking for blocking status relies on string matching against comment content which is fragile. If comment templates change, this detection will break. Consider adding a structured marker in the comment (e.g., <!-- STATUS:CRITICAL -->) to reliably identify comment type.
| if (!hasSecrets) { | ||
| // No secrets found | ||
| if (existing) { | ||
| // Update existing comment to show secrets are now resolved |
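Review bot: the `if (!hasSecrets)` branch treats every run without findings as a clean scan, but the PR description says the workflow must also tell scan errors apart from real findings; if `hasSecrets` is false because TruffleHog failed or produced no output, this branch would rewrite an earlier blocking comment as resolved. Suggest gating the resolved update on an explicit success flag, e.g. `if (scanSucceeded && !hasSecrets)`, and leaving the prior comment untouched (or marking it as a scan error) otherwise.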
Copilot AI, Jan 12, 2026
The 'brijesh' workflow variant unconditionally updates any existing comment when no secrets are found, even if it was only a warning. This differs from the main workflow which preserves warning comments. The behavioral difference between these two workflow files should be documented in the PR description or the files should be consolidated with a configuration flag.
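The two review comments above (fragile string matching for the blocking check, and unconditional updating when no secrets are found) can both be addressed with a machine-readable marker in the bot's comment. The following is an added example, not code from this PR or its workflow files; the marker syntax, the status names, the `github-actions[bot]` login and the function names are assumptions for the example, and the comment thread is constructed.

```javascript
// Added example (not from the PR): marker-based status handling for the
// TruffleHog PR comment. Marker syntax, status names and function names are
// assumptions made for this example.
const MARKER_RE = /<!--\s*trufflehog-scan\s+status=(CRITICAL|WARNING|RESOLVED|ERROR)\s*-->/;

// Render the PR comment with a machine-readable marker on its first line.
function renderComment(status, text) {
  return `<!-- trufflehog-scan status=${status} -->\n${text}`;
}

// Read the status back from a comment body; null when there is no marker,
// e.g. a human comment that merely contains the word CRITICAL.
function parseStatus(body) {
  const m = MARKER_RE.exec(body || '');
  return m ? m[1] : null;
}

// Pick the workflow's own earlier comment: authored by the bot AND carrying
// the marker. Anything else is left alone, whatever its text says.
function findBotComment(comments, botLogin) {
  return comments.find(c => c.user && c.user.login === botLogin && parseStatus(c.body) !== null) || null;
}

// Decide how to handle the comment after a scan. scanOk=false means TruffleHog
// itself failed; that must never be read as "no secrets".
function decideAction({ scanOk, verified, unverified, existingBody }) {
  const prev = parseStatus(existingBody);
  const action = prev === null ? 'create' : 'update';
  if (!scanOk) return { action, status: 'ERROR' };
  if (verified > 0) return { action, status: 'CRITICAL' };
  if (unverified > 0) return { action, status: 'WARNING' };
  // Clean scan: clear a comment that was blocking; keep a warning as it is.
  if (prev === 'CRITICAL' || prev === 'ERROR') return { action: 'update', status: 'RESOLVED' };
  return { action: 'keep', status: prev };
}

// Constructed sample thread: a human comment mentioning CRITICAL, then the bot's own.
const SAMPLE_COMMENTS = [
  { user: { login: 'alice' }, body: 'This is CRITICAL, please look :rotating_light:' },
  { user: { login: 'github-actions[bot]' }, body: renderComment('CRITICAL', '2 verified secrets found') },
];
```

With this, a clean re-scan resolves only the bot's CRITICAL comment, a failed scan is reported as ERROR rather than clearing the PR, and Alice's comment is never touched.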
…lved. (#18) * PDP-684: updated the workflow for updating the pullrequest comment * PDP-684: Updated to update the comment
PDP-684 : Update trufflehog-scan.yml
PDP-684 : Update trufflehog-scan.yml
PDP-684 : Update trufflehog-scan.yml
PDP-684 : Update trufflehog-scan.yml
PDP-684: updated workflow for updating the comment