Skip to content

chore(deps): bump trufflesecurity/trufflehog from 3.95.6 to 3.95.8#80

Merged
steipete merged 1 commit into
mainfrom
dependabot/github_actions/trufflesecurity/trufflehog-3.95.8
Jul 6, 2026
Merged

chore(deps): bump trufflesecurity/trufflehog from 3.95.6 to 3.95.8#80
steipete merged 1 commit into
mainfrom
dependabot/github_actions/trufflesecurity/trufflehog-3.95.8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 5, 2026

Copy link
Copy Markdown
Contributor

Bumps trufflesecurity/trufflehog from 3.95.6 to 3.95.8.

Release notes

Sourced from trufflesecurity/trufflehog's releases.

v3.95.8

What's Changed

Full Changelog: trufflesecurity/trufflehog@v3.95.7...v3.95.8

v3.95.7

What's Changed

New Contributors

Full Changelog: trufflesecurity/trufflehog@v3.95.6...v3.95.7

Commits
  • 00155c9 Include encoded resume info instead of clobbering it (#5110)
  • 4d3a66f fixed syntax error (#5109)
  • 797f02b [INS-334] Octopus Deploy detector (#4787)
  • 7f04a89 [INS-465] Skip unverified JWT Detector results when feature flag is enabled (...
  • 459d5a7 Add prometheus metrics for engine channels and workers (#5095)
  • f38f8f7 fix(azuresastoken): match SAS tokens regardless of parameter order (#5043)
  • 6261f5c removed "unauthorized" as exception for rotated graphana secrets (#5068)
  • f446421 [INS-407] Fixed AWS detector producing non deterministic output (#4836)
  • 885fa2d [INS-197] Add redhatpyxis api key detector (#4995)
  • c09d726 [INS-497] Add Pganalyze Read Key Detector (#4993)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 5, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 5, 2026 20:12
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 5, 2026
@clawsweeper

clawsweeper Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 5, 2026, 4:15 PM ET / 20:15 UTC.

Summary
The PR updates .github/workflows/secret-scan.yml to use trufflesecurity/trufflehog@v3.95.8 instead of v3.95.6.

Reproducibility: not applicable. this is a dependency-update PR rather than a bug report. The source check confirms current main still uses the older action tag and the PR changes that exact line.

Review metrics: 2 noteworthy metrics.

  • Workflow action bump: 1 workflow file changed, 1 insertion, 1 deletion. The only runtime surface changed is the secret-scanning GitHub Action reference.
  • PR checks: 11 passed, 1 skipped. The updated action version ran in the PR check set without a reported CI or secret-scan failure.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Next step before merge

  • No repair work is needed; the remaining action is normal maintainer review and merge gating.

Security
Cleared: No concrete security or supply-chain regression was found; the PR only advances an existing third-party action tag and the workflow retains read-only contents permission.

Review details

Best possible solution:

Merge the dependency update after the repository's required review gates remain green.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency-update PR rather than a bug report. The source check confirms current main still uses the older action tag and the PR changes that exact line.

Is this the best way to solve the issue?

Yes; for this dependency-maintenance item, the narrow one-line action tag update is the maintainable solution. The workflow permissions remain constrained and CI reports the updated path passing.

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against d26b140c7a94.

Label changes

Label changes:

  • add P3: This is a low-risk maintenance dependency update to a CI workflow action with limited user-facing impact.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The contributor proof gate is not applicable because this is a Dependabot bot dependency PR, and the updated workflow path is covered by PR checks.

Label justifications:

  • P3: This is a low-risk maintenance dependency update to a CI workflow action with limited user-facing impact.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The contributor proof gate is not applicable because this is a Dependabot bot dependency PR, and the updated workflow path is covered by PR checks.
Evidence reviewed

What I checked:

  • Current main still uses old action tag: Current main at d26b140 uses trufflesecurity/trufflehog@v3.95.6 in the secret-scan workflow, so the proposed update is not already implemented. (.github/workflows/secret-scan.yml:58, d26b140c7a94)
  • PR diff is a one-line action version bump: The patch changes only the TruffleHog action reference from v3.95.6 to v3.95.8 in .github/workflows/secret-scan.yml. (.github/workflows/secret-scan.yml:58, c05863b35257)
  • Upstream tag exists: GitHub reports refs/tags/v3.95.8 in trufflesecurity/trufflehog pointing at commit 00155c9dc586f34d189adc83d3ac2698c2ec551f, and the v3.95.8 release was published on 2026-07-02.
  • Workflow runs with restricted permissions: The secret-scan workflow sets top-level permissions: {} and grants the TruffleHog job only contents: read, limiting the privilege of the third-party action path being updated. (.github/workflows/secret-scan.yml:9, d26b140c7a94)
  • CI/check status: gh pr checks reports the PR checks passing, including CI deps/lint/test/release-check, CodeQL, Docker, and both secret-scan runs; the release-draft update is skipped as expected. (c05863b35257)
  • Workflow history: The secret-scan workflow was introduced by Vincent Koc in fbdb786, later action-version maintenance included Peter Steinberger's e0192a9, and the current v3.95.6 line is present in the v0.7.5 release commit db94aea. (.github/workflows/secret-scan.yml:58, fbdb78629c31)

Likely related people:

  • vincentkoc: GitHub shows Vincent Koc assigned to the PR, and git history shows Vincent introduced the verified secret-scanning workflow and later hardened related release/workflow automation. (role: recent area contributor and assigned reviewer; confidence: high; commits: fbdb78629c31, 905ac75f8337; files: .github/workflows/secret-scan.yml, .github/workflows/release.yml, .github/workflows/homebrew-tap.yml)
  • Peter Steinberger: Git history shows Peter recently updated the TruffleHog workflow action and prepared the release that currently contains the v3.95.6 action reference. (role: recent workflow dependency updater; confidence: medium; commits: e0192a9b3218, db94aea149cf; files: .github/workflows/secret-scan.yml, CHANGELOG.md)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jul 5, 2026
@steipete

steipete commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

@dependabot rebase

Bumps [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) from 3.95.6 to 3.95.8.
- [Release notes](https://github.com/trufflesecurity/trufflehog/releases)
- [Commits](trufflesecurity/trufflehog@v3.95.6...v3.95.8)

---
updated-dependencies:
- dependency-name: trufflesecurity/trufflehog
  dependency-version: 3.95.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@steipete steipete force-pushed the dependabot/github_actions/trufflesecurity/trufflehog-3.95.8 branch from c05863b to b68368f Compare July 6, 2026 07:50
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@steipete steipete merged commit 12ec1c9 into main Jul 6, 2026
13 checks passed
@steipete steipete deleted the dependabot/github_actions/trufflesecurity/trufflehog-3.95.8 branch July 6, 2026 07:53
@steipete

steipete commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Maintainer verification after merge:

  • Local proof on exact rebased PR head b68368f824e4e8eb5101f85cf0529b3f2d69ad26: workflow lint when available, GOWORK=off go vet ./..., GOWORK=off go test ./..., GOWORK=off go test -race ./..., and make test all passed.
  • Upstream proof: v3.95.8 resolves to signed, verified TruffleHog commit 00155c9dc586f34d189adc83d3ac2698c2ec551f; the workflow remains limited to contents: read.
  • Live proof: exact-head push run and pull-request run both completed successfully, including the TruffleHog OSS step. All other required checks passed; only the expected release-draft update was skipped.
  • Review: the structured autoreview helper failed closed because secret-scan.yml is classified as a sensitive path, so no truncated review was accepted. Manual deep review found no actionable issue in the one-line version bump.
  • Landed as 12ec1c9ad374134fbeb3589af3d6aff8aff4cccc.

No remaining caveats.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chore dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code other P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants