Although GitHub's native secret detection is in place, there are various ways secrets can end up in files and commits. Plus, an extra layer of protection never hurts! 👍
To ensure the capture of leaked credentials, an assessment should occur at the pull request level, with PRs blocked if TruffleHog returns any results. Moreover, pull requests should only be mergeable if TruffleHog returns empty.
### Tasks
- [ ] On all pull requests, run secret detection against the source branch
- [ ] Use [TruffleHog OSS](https://github.com/marketplace/actions/trufflehog-oss)
- [ ] Enable TruffleHog OSS as a required status check for PR merge
- [ ] On a code push via Git Proxy, run secret detection against generated diff
Although GitHub's native secret detection is in place, there are various ways secrets can end up in files and commits. Plus, an extra layer of protection never hurts! 👍
To ensure the capture of leaked credentials, an assessment should occur at the pull request level, with PRs blocked if TruffleHog returns any results. Moreover, pull requests should only be mergeable if TruffleHog returns empty.