chore: bootstrap trufflehog.yml governance config

[KooshaPari]

User description

Summary

• Bootstrap .github/trufflehog.yml with default ruleset

Test plan

• PR merged

🤖 Generated with Claude Code

Note

Low Risk
Adds a new TruffleHog configuration file under .github/, affecting only secret-scanning rules and not application runtime behavior.

Overview
Bootstraps TruffleHog governance by adding .github/trufflehog.yml with the trufflehog-default ruleset, enabling standardized secret-scanning configuration for the repo.

^{Reviewed by Cursor Bugbot for commit 483223a. Bugbot is set up for automated code reviews on this repo. Configure here.}

---

CodeAnt-AI Description

Add default secret-scanning rules for the repository

What Changed

• Adds a TruffleHog config file under .github/ with the default secret-scanning ruleset
• Gives the repository a standard setup for checking committed secrets

Impact

✅ Standardized secret-scanning checks
✅ Lower risk of committing exposed secrets
✅ Consistent security review setup

🔄 Retrigger CodeAnt AI Review

Details

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[coderabbitai]

Warning

Rate limit exceeded

@KooshaPari has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 55 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 52c83d4f-3e52-47d2-9ed0-c9f9a2d10308

📥 Commits

Reviewing files that changed from the base of the PR and between f1eb1db and 483223a.

📒 Files selected for processing (1)

• .github/trufflehog.yml

Warning

.coderabbit.yaml has a parsing error

The CodeRabbit configuration file in this repository has a parsing error and default settings were used instead. Please fix the error(s) in the configuration file. You can initialize chat with CodeRabbit to get help with the configuration file.

💥 Parsing errors (1)

unknown escape sequence in ".coderabbit.yaml" (41:11)

 38 |       - "async_await_patterns"
 39 |     patterns_to_watch:
 40 |       - "^unsafe "
 41 |       - "\.unwrap\(\)"
----------------^
 42 |       - "\.expect\("
 43 |       - "std::panic"

⚙️ Configuration instructions

• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/governance-bootstrap-2026-05-02

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch chore/governance-bootstrap-2026-05-02

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 15 minutes and 55 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🔒 Snyk Security Scan Results

Snyk vulnerability scan completed. View results in GitHub Code Scanning dashboard.

[github-actions]

🔒 Snyk Security Scan Results

Snyk vulnerability scan completed. View results in GitHub Code Scanning dashboard.

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[codeant-ai]

CodeAnt AI is running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

Sequence Diagram

This PR adds a repository-level TruffleHog configuration that standardizes secret-scanning by enabling the default ruleset for all checks.

sequenceDiagram
    participant Developer
    participant GitHost
    participant CI
    participant TruffleHog

    Developer->>GitHost: Open pull request
    GitHost->>CI: Trigger governance checks
    CI->>TruffleHog: Run scan with trufflehog yml rules
    TruffleHog-->>CI: Secret scan results
    CI-->>Developer: Report secret scanning status

Loading

---

Generated by CodeAnt AI

[codeant-ai]

CodeAnt AI finished running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

CodeAnt AI is running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

Sequence Diagram

This PR adds a TruffleHog configuration file that applies the default ruleset to all scans, standardizing secret-scanning behavior for the repository in CI.

sequenceDiagram
    participant Developer
    participant GitPlatform
    participant CI
    participant TruffleHog

    Developer->>GitPlatform: Open or update pull request
    GitPlatform->>CI: Trigger pipeline
    CI->>TruffleHog: Run secret scan on repository
    TruffleHog->>TruffleHog: Load trufflehog configuration with default ruleset
    TruffleHog-->>CI: Return scan results
    CI-->>Developer: Report secret scan status and findings

Loading

---

Generated by CodeAnt AI

[codeant-ai]

CodeAnt AI finished running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

CodeAnt AI is running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

Sequence Diagram

This PR adds a TruffleHog configuration file that enables the default ruleset for secret scanning, standardizing how potential secrets are detected during repository checks.

sequenceDiagram
    participant Developer
    participant Repo
    participant CI
    participant TruffleHog

    Developer->>Repo: Push commits
    CI->>TruffleHog: Run secret scan with default ruleset
    TruffleHog-->>CI: Return scan findings
    CI-->>Developer: Report potential secrets

Loading

---

Generated by CodeAnt AI

[codeant-ai]

CodeAnt AI finished running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn