ci: add trufflehog secrets scan#53
Conversation
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 0/1 reviews remaining, refill in 13 minutes and 42 seconds.Comment |
codeant-ai
Bot
added
the
size:S
|
CodeAnt AI finished reviewing your PR. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Bugbot Autofix is ON, but it could not run because on-demand usage is turned off. To enable Bugbot Autofix, turn on on-demand usage and set a spend limit in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 6c43f6d. Configure here.
| - uses: trufflehog/actions/setup@main | ||
| - run: trufflehog github --only-verified --no-update | ||
| env: | ||
| GH_TOKEN: \${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
Escaped dollar sign breaks GitHub token secret injection
High Severity
The GH_TOKEN env var uses \${{ secrets.GITHUB_TOKEN }} with a backslash before the dollar sign. Every other workflow in this repo (e.g., cargo-audit.yml, release.yml) uses ${{ ... }} without a backslash. GitHub Actions will still evaluate the expression, but the resulting value will have a literal \ prepended to the token, producing an invalid authentication token. This will cause the trufflehog scan to fail on any private content.
Reviewed by Cursor Bugbot for commit 6c43f6d. Configure here.
| with: | ||
| fetch-depth: 0 | ||
| - uses: trufflehog/actions/setup@main | ||
| - run: trufflehog github --only-verified --no-update |
There was a problem hiding this comment.
Missing required --repo flag for trufflehog github command
High Severity
The trufflehog github subcommand requires either --repo or --org to specify the scan target. Without one, the command has nothing to scan and will exit with an error. A typical invocation would be something like trufflehog github --repo=https://github.com/owner/repo --only-verified --no-update.
Reviewed by Cursor Bugbot for commit 6c43f6d. Configure here.
| - uses: trufflehog/actions/setup@main | ||
| - run: trufflehog github --only-verified --no-update | ||
| env: | ||
| GH_TOKEN: \${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
Wrong environment variable name for TruffleHog authentication
Medium Severity
The environment variable is named GH_TOKEN, but TruffleHog reads GITHUB_TOKEN (confirmed by its source code using os.Getenv("GITHUB_TOKEN")). GH_TOKEN is a GitHub CLI (gh) convention, not recognized by TruffleHog. Even with the \$ escaping issue fixed, the scan would run unauthenticated, likely failing on private repos or hitting API rate limits.
Reviewed by Cursor Bugbot for commit 6c43f6d. Configure here.
User description
Adds trufflehog secrets scanning workflow.
Note
Low Risk
Adds a new GitHub Actions workflow; low risk because it only introduces CI scanning and does not affect runtime code paths, though it may fail builds if secrets are detected.
Overview
Adds a new GitHub Actions workflow
trufflehog.ymlto run TruffleHog secrets scanning on pushes tomainand on all pull requests.The job checks out full git history (
fetch-depth: 0), sets up TruffleHog, and runstrufflehog github --only-verified --no-updateusingGITHUB_TOKENfor access.Reviewed by Cursor Bugbot for commit 6c43f6d. Bugbot is set up for automated code reviews on this repo. Configure here.
CodeAnt-AI Description
Add TruffleHog secrets scanning to pull requests and main pushes
What Changed
mainImpact
✅ Fewer secret leaks in pull requests✅ Earlier detection of exposed credentials✅ Safer changes before merging to main🔄 Retrigger CodeAnt AI Review
Details
💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.