Security Scanning¶
Secret scanning¶
Baseline¶
Copy templates/workflows/secret-scan.yml to .github/workflows/secret-scan.yml in your repo.
The workflow uses TruffleHog to scan pull request diffs for leaked secrets, credentials, and sensitive data.
Configuration¶
The template is configured conservatively to reduce false positives:
- `--results=verified`: only report findings TruffleHog can verify, e.g. by checking whether the credential is live against the service it belongs to. Unverified matches (high-entropy strings, example keys, test fixtures) are suppressed. The flip side is that an already-revoked key, or a key for a service TruffleHog has no verifier for, will not be reported either.
- TruffleHog v3.95.3 already passes `--no-update` and `--fail` internally. Do not repeat them in `extra_args`, or the run fails with a duplicate-flag error.
- The scan runs on every pull request and covers only the PR diff range, not the full git history.
Recommended workflow¶
- Add the workflow to the repo.
- Configure branch protection to require the Secret Scan check once it passes consistently.
- If a false positive is detected, add an allowlist entry. TruffleHog supports path-based exclusions via `--exclude-paths`, which takes a file of newline-separated regexes matched against file paths; pass it through the action's `extra_args` input, and keep the patterns narrow so that the exclusion hides only the intended fixtures.
- Review findings promptly. A verified secret in a PR should block merging, and the credential should be rotated: once it has been pushed to a PR branch it must be treated as compromised, whether or not the PR is ever merged.
What this does NOT cover¶
- This workflow scans PR diffs only. For historical scans of the full repository, run TruffleHog locally or as a standalone action.
- This does not scan for secrets in issue comments, PR descriptions, or other GitHub metadata.
- This is not a substitute for developer training on secret management.
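As an added example (not part of the template, and not TruffleHog's own code), the script below serves two of the steps above: it audits a candidate `--exclude-paths` allowlist before it is wired into `extra_args`, rejecting entries that are stale (match no tracked file) or overbroad (match every tracked file), and then shows the full-history invocation mentioned under "What this does NOT cover". The tracked-file list and the allowlist entries are constructed for illustration; the file names `trufflehog-exclude.txt` and `tracked-files.txt` and the helper names are assumptions. TruffleHog matches Go regexes against file paths, so `grep -E` is used only as a close approximation for auditing.

```shell
#!/usr/bin/env sh
# Added example: sanity-check a TruffleHog --exclude-paths allowlist.
# All file names and patterns below are constructed; in a real repo replace
# the FILES stand-in with the output of `git ls-files`.
set -eu

WORK=$(mktemp -d)
PATTERNS="$WORK/trufflehog-exclude.txt"   # assumed allowlist file name
FILES="$WORK/tracked-files.txt"           # constructed stand-in for git ls-files

cat > "$FILES" <<'EOF'
README.md
src/app.py
src/config/settings.py
tests/fixtures/fake_aws_creds.json
tests/fixtures/sample.pem
docs/vendor/jquery.min.js
EOF

# Candidate allowlist: one regex per line, comments allowed. The last entry is
# deliberately stale so the audit has something to reject.
cat > "$PATTERNS" <<'EOF'
# test fixtures that deliberately contain fake credentials
^tests/fixtures/
# minified vendor bundle, reviewed separately
\.min\.js$
# stale entry: this directory no longer exists
^legacy/keys/
EOF

# Emit the active (non-comment, non-empty) patterns of an allowlist file.
active_patterns() {
  grep -v -e '^#' -e '^$' "$1" || true
}

# List the tracked files the allowlist would hide from the scanner.
excluded_files() {
  active_patterns "$1" | while IFS= read -r pat; do
    grep -E -- "$pat" "$2" || true
  done | sort -u
}

# Return 1 if any pattern is stale (matches nothing) or overbroad (matches
# every tracked file); otherwise print what each pattern excludes.
audit_excludes() {
  total=$(wc -l < "$2" | tr -d ' ')
  status=0
  active_patterns "$1" > "$WORK/active.txt"
  while IFS= read -r pat; do
    hits=$(grep -E -c -- "$pat" "$2" || true)
    if [ "$hits" -eq 0 ]; then
      printf 'STALE: %s matches no tracked file\n' "$pat" >&2
      status=1
    elif [ "$hits" -eq "$total" ]; then
      printf 'OVERBROAD: %s would exclude every tracked file\n' "$pat" >&2
      status=1
    else
      grep -E -- "$pat" "$2" | while IFS= read -r f; do
        printf 'excluded by %s: %s\n' "$pat" "$f"
      done
    fi
  done < "$WORK/active.txt"
  return $status
}

# The constructed allowlist is rejected because of the stale entry.
audit_excludes "$PATTERNS" "$FILES" \
  || printf 'allowlist rejected; fix it before adding it to extra_args\n' >&2

# With the stale line removed the same allowlist passes, and a full-history
# scan (locally, or in a standalone workflow) would use it like this:
grep -v '^\^legacy/keys/$' "$PATTERNS" > "$WORK/fixed.txt"
audit_excludes "$WORK/fixed.txt" "$FILES" > /dev/null
printf 'trufflehog git file://. --results=verified --exclude-paths=%s\n' "$WORK/fixed.txt"
```

The audit deliberately errs on the side of rejection: a pattern that matches nothing is usually left over from a deleted directory and will silently start hiding files if that path is recreated, and a pattern that matches everything turns the scan into a no-op while the check still reports green.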