ci: add trufflehog secrets scan#141
Conversation
🔒 Snyk Security Scan Results
Snyk vulnerability scan completed. View results in GitHub Code Scanning dashboard.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Reviewed by Cursor Bugbot for commit bddc5bf.
| with: | ||
| fetch-depth: 0 | ||
| - uses: trufflehog/actions/setup@main | ||
| - run: trufflehog github --only-verified --no-update |
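Review bot: the `run: trufflehog github --only-verified --no-update` line has no `--fail`, so the step exits 0 even when verified secrets are found and the check this PR is meant to add can never fail; append `--fail` (TruffleHog exits with code 183 when results are found). Also, `trufflehog github` fetches its target repository itself, so the `fetch-depth: 0` full-history checkout above is not what gets scanned; either scan the local clone with `trufflehog git file://.` or drop the full-history fetch to save CI time.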
Missing required --repo or --org flag
High Severity
The trufflehog github subcommand requires either a --repo or --org flag to specify what to scan. Running trufflehog github --only-verified --no-update without either flag will fail because the tool doesn't know which repository or organization to scan. A --repo flag pointing to the current repository (e.g., via ${{ github.repository }}) is needed for this workflow to function.
| - uses: trufflehog/actions/setup@main | ||
| - run: trufflehog github --only-verified --no-update | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
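Review bot: the `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` line passes the workflow token to the scanner under a name TruffleHog does not read; rename the key to `GITHUB_TOKEN`. Because the job now hands its token to a third-party tool, also declare an explicit `permissions: contents: read` on the job so the token it receives is least-privilege rather than the repository default.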
Wrong environment variable name for TruffleHog token
Medium Severity
TruffleHog reads the GitHub token from the GITHUB_TOKEN environment variable, but this workflow exposes it as GH_TOKEN instead. The GH_TOKEN convention is used by the GitHub CLI (gh), not TruffleHog. This means TruffleHog won't authenticate and will be unable to scan private repository content or may hit API rate limits.
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| with: | ||
| fetch-depth: 0 | ||
| - uses: trufflehog/actions/setup@main |
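Review bot: `trufflehog/actions/setup@main` on the last line is a floating branch ref while the `actions/checkout@11bd7190...` line above is pinned to a full commit SHA; pin the setup action the same way, to the SHA of an audited release with a `# vX.Y.Z` comment beside it, and add the `github-actions` ecosystem to Dependabot so pinned SHAs get bumped. As written, anyone who can push to `main` of the upstream action runs code inside a job that holds `GITHUB_TOKEN`.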
Security action pinned to mutable @main branch reference
Medium Severity
The trufflehog/actions/setup action is pinned to @main, a mutable branch reference, while the actions/checkout step is correctly pinned to a commit SHA. This inconsistency creates a supply chain attack vector — if the upstream action is compromised, the workflow (which receives secrets.GITHUB_TOKEN) could be exploited. A security-scanning workflow is an especially high-value target for this type of attack.
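The workflow with all three findings above addressed, as an added example and not the PR's own file: the `--fail` flag, the `permissions` block and the `--repo` URL form are additions, and the SHA on the `trufflehog/actions/setup` line is an obvious placeholder to be replaced with the commit of an audited release.

```yaml
name: trufflehog

on:
  push:
    branches: [main]
  pull_request:

# Least-privilege token for the job that hands GITHUB_TOKEN to a third-party
# scanner (added here; the PR declares no permissions block).
permissions:
  contents: read

jobs:
  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      # SHA taken from the PR's own checkout step.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          fetch-depth: 0

      # Pinned to a full commit SHA like the checkout above. The value below is a
      # PLACEHOLDER: replace it with the SHA of the release you reviewed.
      - uses: trufflehog/actions/setup@0000000000000000000000000000000000000000 # <release-tag>

      # --repo tells `trufflehog github` which repository to scan (it is required),
      # --fail makes the step exit non-zero (183) when verified secrets are found,
      # so the PR check actually turns red instead of passing with findings.
      - run: >-
          trufflehog github
          --repo "https://github.com/${{ github.repository }}"
          --only-verified
          --no-update
          --fail
        env:
          # TruffleHog reads GITHUB_TOKEN; GH_TOKEN is the GitHub CLI's name.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```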
Sequence Diagram
This PR adds a GitHub Actions workflow that runs a Trufflehog secrets scan on every pull request and on pushes to the main branch, failing the check if verified secrets are detected.
sequenceDiagram
    participant Developer
    participant GitHub
    participant CI
    participant Trufflehog
    Developer->>GitHub: Push to main or open pull request
    GitHub->>CI: Trigger Trufflehog workflow
    CI->>GitHub: Checkout repository with full history
    CI->>Trufflehog: Setup and run GitHub scan with token
    Trufflehog-->>CI: Return verified secrets findings
    CI-->>GitHub: Mark secrets scan check as pass or fail
Generated by CodeAnt AI
User description
Adds trufflehog secrets scanning workflow.
Note
Medium Risk
Adds a new PR/push GitHub Actions job that runs third-party trufflehog tooling; main risk is CI supply-chain/availability impact (notably trufflehog/actions/setup@main is unpinned) and potential new noise/failures in PR checks.
Overview
Adds a new GitHub Actions workflow (.github/workflows/trufflehog.yml) that runs TruffleHog secret scanning on pushes to main and on all pull requests. The job checks out full git history (fetch-depth: 0), installs TruffleHog via trufflehog/actions/setup@main, and runs trufflehog github --only-verified --no-update using GITHUB_TOKEN.
Reviewed by Cursor Bugbot for commit bddc5bf.
CodeAnt-AI Description
Add secret scanning to pull requests and main branch pushes
What Changed
main
Impact
✅ Earlier secret leak detection
✅ Fewer exposed credentials in pull requests
✅ Safer main branch changes