Skip to content

Scan for leaked credentials in PRs and code diff using TruffleHog OSS 🐷  #414

Description

@JamieSlome

Although GitHub's native secret detection is in place, there are various ways secrets can end up in files and commits. Plus, an extra layer of protection never hurts! 👍

To ensure the capture of leaked credentials, an assessment should occur at the pull request level, with PRs blocked if TruffleHog returns any results. Moreover, pull requests should only be mergeable if TruffleHog returns empty.

### Tasks
- [ ] On all pull requests, run secret detection against the source branch
- [ ] Use [TruffleHog OSS](https://github.com/marketplace/actions/trufflehog-oss)
- [ ] Enable TruffleHog OSS as a required status check for PR merge
- [ ] On a code push via Git Proxy, run secret detection against generated diff

Metadata

Metadata

Assignees

No one assigned

    Labels

    good first issueGood for newcomerssecuritySecurity improvements or tooling

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions