
ci: add trufflehog secrets scan #42

Merged
KooshaPari merged 1 commit into main from ci/trufflehog-scan
May 2, 2026

Conversation

Owner

@KooshaPari KooshaPari commented May 2, 2026

User description

Adds trufflehog secrets scanning workflow. Closes eyetracker PR #41 cleanly.

Note

Low Risk
Low risk: adds a new CI workflow only; no runtime code or data-handling logic changes.

Overview
Introduces a new GitHub Actions workflow, .github/workflows/trufflehog.yml, that runs TruffleHog secrets scanning on every pull request and on pushes to main.

The job checks out the full git history (fetch-depth: 0) and runs trufflehog github --only-verified --no-update using GITHUB_TOKEN.

Reviewed by Cursor Bugbot for commit af86f57.


CodeAnt-AI Description

Add automated secret scanning to pull requests and main branch pushes

What Changed

  • Runs a TruffleHog secrets scan on every pull request
  • Also scans every push to the main branch
  • Checks the full repository history so older leaked secrets can still be detected
  • Shows only verified findings to reduce noisy alerts

Impact

✅ Earlier secret leak detection
✅ Fewer risky changes merged by mistake
✅ Cleaner security reviews



Copilot AI review requested due to automatic review settings May 2, 2026 12:14
@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@codeant-ai

codeant-ai Bot commented May 2, 2026

CodeAnt AI is reviewing your PR.


@coderabbitai

coderabbitai Bot commented May 2, 2026

Warning

Rate limit exceeded

@KooshaPari has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 58 minutes and 26 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f8474e2a-30ed-4ca4-aba3-27ef83bcbf80

📥 Commits

Reviewing files that changed from the base of the PR and between cefaefc and af86f57.

📒 Files selected for processing (1)
  • .github/workflows/trufflehog.yml

@KooshaPari KooshaPari merged commit 4113f7b into main May 2, 2026
10 of 15 checks passed
@sonarqubecloud

sonarqubecloud Bot commented May 2, 2026

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

@codeant-ai codeant-ai Bot added the size:S This PR changes 10-29 lines, ignoring generated files label May 2, 2026
Comment on lines +16 to +17
env:
GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}

🔴 Architect Review — CRITICAL

The workflow sets GH_TOKEN to the literal text '${{ secrets.GITHUB_TOKEN }}' (because of the leading backslash), so the GitHub Actions expression is never evaluated and TruffleHog does not receive the intended token, breaking authenticated scanning.

Suggestion: Remove the backslash so GH_TOKEN is set to the evaluated expression ${{ secrets.GITHUB_TOKEN }}, ensuring TruffleHog runs with a valid GitHub token.


@codeant-ai

codeant-ai Bot commented May 2, 2026

CodeAnt AI finished reviewing your PR.


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 4 potential issues.



- uses: trufflehog/actions/setup@main
- run: trufflehog github --only-verified --no-update
env:
GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
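Review bot: the run line at the top of this hunk, trufflehog github --only-verified --no-update, carries no --fail, so the step exits 0 whether or not verified secrets are found and the workflow can report findings but never block a merge. Add --fail (TruffleHog then exits non-zero when results are found) so the status check actually gates the pull request, in addition to the token fix raised on this hunk.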

Escaped dollar sign prevents secret token evaluation

High Severity

The \${{ secrets.GITHUB_TOKEN }} expression has a backslash before the $, which prevents GitHub Actions from evaluating the expression. The GH_TOKEN environment variable will contain the literal string instead of the actual token value. Other workflows in this repository (e.g., scorecard.yml, codeql.yml) correctly use ${{ ... }} without a backslash. Without a valid token, the trufflehog github command cannot authenticate to the GitHub API and the scan will fail.


with:
fetch-depth: 0
- uses: trufflehog/actions/setup@main
- run: trufflehog github --only-verified --no-update
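Review bot: the fetch-depth: 0 checkout in this hunk is never read: trufflehog github scans through the GitHub API (as the Bugbot comment on this hunk also notes) and does not look at the local clone, so the full-history fetch only adds CI time. Either drop the checkout step and keep the github subcommand with a --repo target, or scan the clone that was just fetched with trufflehog git file://. --only-verified --no-update, which needs neither an API token nor a --repo/--org flag.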

Missing required --repo or --org argument

High Severity

The trufflehog github --only-verified --no-update command doesn't specify a --repo or --org flag. The trufflehog github subcommand scans via the GitHub API and requires one of these flags to know which repository or organization to scan. Without a target, the command will fail. A typical invocation would include something like --repo=${{ github.server_url }}/${{ github.repository }}.


- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0
- uses: trufflehog/actions/setup@main

Unpinned action reference creates supply chain risk

Medium Severity

The trufflehog/actions/setup@main action is pinned to a mutable branch reference instead of a specific commit SHA. This is inconsistent with actions/checkout on line 11, which is correctly pinned to a commit hash. Pinning to @main means a compromise of the upstream repository could inject malicious code into this workflow without any change to this file.


- uses: trufflehog/actions/setup@main
- run: trufflehog github --only-verified --no-update
env:
GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}

Wrong environment variable name for trufflehog authentication

High Severity

The environment variable is named GH_TOKEN, but trufflehog's --token flag reads from the GITHUB_TOKEN environment variable (configured via .Envar("GITHUB_TOKEN") in its CLI setup). Even after fixing the \$ escaping issue, trufflehog still won't pick up the token because it's looking for GITHUB_TOKEN, not GH_TOKEN. This is a separate issue from the backslash escaping bug — the env var name itself needs to be GITHUB_TOKEN.

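As an added example (not code from this PR, from TruffleHog or from any of the review bots), the four Bugbot findings above turned into a small stdlib-only Python lint, run over a constructed "before" copy of the step block and a corrected "after" copy. The job wrapper around the steps, the all-zero commit SHA standing in for a reviewed pin of trufflehog/actions, and the --fail flag (which makes TruffleHog exit non-zero on findings so the check can block a merge) are assumptions of this example, not part of the PR; the GITHUB_TOKEN env var name follows the Bugbot comment.

```python
"""Lint a GitHub Actions workflow for the problems raised in this PR's review.

Stdlib-only and line-based (no YAML parser); it assumes the usual two-space
indentation under 'steps:'. Added example, not code from the PR.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed "before" text: the step block as the Bugbot comments describe it.
# The job wrapper around the steps is an assumption, not the PR's own file.
WORKFLOW_BEFORE = r"""
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          fetch-depth: 0
      - uses: trufflehog/actions/setup@main
      - run: trufflehog github --only-verified --no-update
        env:
          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
"""

# Constructed "after" text with the fixes applied. The all-zero SHA is a
# PLACEHOLDER for a reviewed commit of trufflehog/actions, not a real pin.
WORKFLOW_AFTER = r"""
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          fetch-depth: 0
      - uses: trufflehog/actions/setup@0000000000000000000000000000000000000000
      - run: trufflehog github --repo=${{ github.server_url }}/${{ github.repository }} --only-verified --no-update --fail
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

ESCAPED_EXPR = re.compile(r"\\\$\{\{")                 # a literal "\${{" in the file
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")                 # immutable pin
RUN_LINE = re.compile(r"^\s*-?\s*run:\s*(.+)$")
ENV_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):")


def trufflehog_steps(lines: List[str]) -> Iterator[Tuple[int, str, Dict[str, str]]]:
    """Yield (line number, command, env dict) for each 'run: trufflehog github ...' step."""
    for i, line in enumerate(lines):
        m = RUN_LINE.match(line)
        if not m or not m.group(1).startswith("trufflehog github"):
            continue
        run_indent = len(line) - len(line.lstrip())
        env: Dict[str, str] = {}
        env_indent = None
        for nxt in lines[i + 1:]:
            stripped = nxt.lstrip()
            if not stripped:
                continue
            indent = len(nxt) - len(stripped)
            if indent <= run_indent:
                break                                   # next step item or end of the list
            if stripped == "env:":
                env_indent = indent
            elif env_indent is not None and indent <= env_indent:
                env_indent = None                       # a sibling key ended the env block
            elif env_indent is not None:
                k = ENV_KEY.match(stripped)
                if k:
                    env[k.group(1)] = stripped[k.end():].strip()
        yield i + 1, m.group(1), env


def find_issues(workflow: str) -> List[str]:
    """Return one message per finding; an empty list means the workflow is clean."""
    lines = workflow.splitlines()
    issues: List[str] = []
    for n, line in enumerate(lines, start=1):
        if ESCAPED_EXPR.search(line):
            issues.append("line %d: escaped expression reaches the runner as literal text" % n)
        m = USES_LINE.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            issues.append("line %d: %s@%s is a mutable ref, pin a commit SHA" % (n, m.group(1), m.group(2)))
    for n, cmd, env in trufflehog_steps(lines):
        flags = {tok.split("=")[0] for tok in cmd.split()}
        if not flags & {"--repo", "--org"}:
            issues.append("line %d: 'trufflehog github' has no --repo or --org target" % n)
        if "--fail" not in flags:                       # exit code stays 0 on findings without it
            issues.append("line %d: add --fail so verified findings fail the check" % n)
        if "GITHUB_TOKEN" not in env:                   # name TruffleHog reads, per the review
            issues.append("line %d: trufflehog reads GITHUB_TOKEN, step env sets %s" % (n, ", ".join(env) or "nothing"))
    return issues


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(label, find_issues(text) or ["clean"])
```

The escape check is deliberately a raw-text search rather than a YAML parse: the defect is that the two characters backslash and dollar reach the runner, and any representation of the file that still contains them will fail the scan regardless of how the YAML is structured.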

@KooshaPari KooshaPari review requested due to automatic review settings May 2, 2026 12:36
@codeant-ai

codeant-ai Bot commented May 8, 2026

CodeAnt AI is running the review.


@codeant-ai codeant-ai Bot added size:S This PR changes 10-29 lines, ignoring generated files and removed size:S This PR changes 10-29 lines, ignoring generated files labels May 8, 2026
@codeant-ai

codeant-ai Bot commented May 8, 2026

Sequence Diagram

This PR adds a GitHub Actions workflow that runs Trufflehog on every pull request and on pushes to main, scanning the full git history for verified secrets and reporting the results as a status check.

sequenceDiagram
    participant Developer
    participant GitHub
    participant CI Workflow
    participant Trufflehog

    Developer->>GitHub: Push commit or open pull request
    GitHub->>CI Workflow: Trigger Trufflehog secrets scan
    CI Workflow->>GitHub: Checkout repository with full history
    CI Workflow->>Trufflehog: Run secrets scan with verified findings only
    Trufflehog-->>CI Workflow: Return scan results
    CI Workflow-->>GitHub: Update check status with scan outcome

Generated by CodeAnt AI

- uses: trufflehog/actions/setup@main
- run: trufflehog github --only-verified --no-update
env:
GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}

🟠 Architect Review — HIGH

The workflow sets GH_TOKEN to the literal string \${{ secrets.GITHUB_TOKEN }} instead of a GitHub Actions expression, so TruffleHog runs without a valid GitHub token and may fail authentication or be heavily rate-limited in normal CI runs.

Suggestion: Change the env assignment to use the unescaped expression (GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}) so TruffleHog receives the actual GitHub token on all runs.


@codeant-ai

codeant-ai Bot commented May 8, 2026

CodeAnt AI finished running the review.


@codeant-ai

codeant-ai Bot commented May 8, 2026

Sequence Diagram

This PR adds a GitHub Actions workflow that runs a Trufflehog secrets scan on every push to the main branch and on all pull requests, using the full git history and reporting verified findings back through CI status.

sequenceDiagram
    participant Developer
    participant GitHub Actions
    participant Repository
    participant Trufflehog Action
    participant GitHub API

    Developer->>GitHub Actions: Push to main or open pull request
    GitHub Actions->>Repository: Checkout full git history
    GitHub Actions->>Trufflehog Action: Setup trufflehog
    Trufflehog Action->>GitHub API: Run secrets scan with repo token
    GitHub API-->>Trufflehog Action: Return verified findings
    Trufflehog Action-->>GitHub Actions: Report scan result
    GitHub Actions-->>Developer: CI status with secrets scan outcome

Generated by CodeAnt AI

Comment on lines +15 to +17
- run: trufflehog github --only-verified --no-update
env:
GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}

🟠 Architect Review — HIGH

In the TruffleHog workflow, GH_TOKEN is set to "${{ secrets.GITHUB_TOKEN }}", so GitHub Actions treats it as a literal string and does not inject the actual GITHUB_TOKEN secret, leaving the TruffleHog CLI unauthenticated.

Suggestion: Set GH_TOKEN using an unescaped GitHub Actions expression (e.g., GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}) and verify the workflow so TruffleHog runs with a real token and can access the repository as intended.


@codeant-ai

codeant-ai Bot commented May 8, 2026

Sequence Diagram

This PR adds a GitHub Actions workflow that runs Trufflehog on pushes to main and pull requests to detect verified secrets across the repository history.

sequenceDiagram
    participant Developer
    participant GitHubActions
    participant TrufflehogCLI
    participant GitHubAPI

    Developer->>GitHubActions: Push to main or open pull request
    GitHubActions->>GitHubActions: Start Trufflehog secrets scan workflow
    GitHubActions->>GitHubActions: Checkout full repository history
    GitHubActions->>TrufflehogCLI: Run trufflehog github only verified
    TrufflehogCLI->>GitHubAPI: Scan repository history with GitHub token
    GitHubAPI-->>TrufflehogCLI: Verified secret findings
    TrufflehogCLI-->>GitHubActions: Report scan results

Generated by CodeAnt AI

Comment on lines +16 to +17
env:
GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}

🔴 Architect Review — CRITICAL

The trufflehog workflow escapes the GitHub token expression (\${{ secrets.GITHUB_TOKEN }}), so GH_TOKEN is set to that literal string instead of the actual token and the GitHub scan runs without proper authentication.

Suggestion: Remove the backslash so GitHub Actions interpolates the expression (GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}) and then verify the workflow runs successfully with an authenticated trufflehog scan.


@codeant-ai

codeant-ai Bot commented May 8, 2026

Sequence Diagram

This PR adds a GitHub Actions workflow that runs a Trufflehog secrets scan on every pull request and on pushes to the main branch, using full git history and only reporting verified findings.

sequenceDiagram
    participant Developer
    participant GitHub
    participant CI
    participant Trufflehog

    Developer->>GitHub: Push to main or open pull request
    GitHub->>CI: Trigger trufflehog workflow
    CI->>GitHub: Checkout full git history
    CI->>Trufflehog: Setup trufflehog action
    CI->>Trufflehog: Run secrets scan with GH token
    Trufflehog-->>CI: Return verified secret findings
    CI-->>GitHub: Update commit or pull request status

Generated by CodeAnt AI

Comment on lines +16 to +17
env:
GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}

🔴 Architect Review — CRITICAL

The workflow sets GH_TOKEN to the literal string '${{ secrets.GITHUB_TOKEN }}' (escaped with a backslash), so GitHub never evaluates the expression and the TruffleHog scan runs without an injected token.

Suggestion: Remove the escape so the value is '${{ secrets.GITHUB_TOKEN }}' and let GitHub Actions evaluate it at runtime, ensuring GH_TOKEN is populated and authenticated scans run correctly on PRs and main pushes.

