
Add Secret scanning workflow#6390

Draft
JanuszL wants to merge 1 commit into NVIDIA:main from JanuszL:secret_scaner_workflow

Conversation


@JanuszL JanuszL commented Jun 8, 2026

  • adds NVIDIA/security-workflows/.github/workflows/secret-scan-trufflehog.yml workflow

Category:

Other (e.g. Documentation, Tests, Configuration)

Description:

  • adds NVIDIA/security-workflows/.github/workflows/secret-scan-trufflehog.yml workflow

Additional information:

Affected modules and functionalities:

  • workflows

Key points relevant for the review:

  • NA

Tests:

  • Existing tests apply
  • New tests added
    • Python tests
    • GTests
    • Benchmark
    • Other
  • N/A

Checklist

Documentation

  • Existing documentation applies
  • Documentation updated
    • Docstring
    • Doxygen
    • RST
    • Jupyter
    • Other
  • N/A

DALI team only

Requirements

  • Implements new requirements
  • Affects existing requirements
  • N/A

REQ IDs: N/A

JIRA TASK: N/A

- adds NVIDIA/security-workflows/.github/workflows/secret-scan-trufflehog.yml workflow

Signed-off-by: Janusz Lisiecki <jlisiecki@nvidia.com>

greptile-apps Bot commented Jun 8, 2026


Greptile Summary

This PR introduces a GitHub Actions workflow that runs TruffleHog secret scanning on pull requests targeting main, delegating to the NVIDIA/security-workflows composite action pinned at a full commit SHA.

  • The fetch-depth: 0 input is passed to the composite action but is not listed among the documented optional overrides (runs-on, extra-args, fail-on-findings); if the action does not declare it, it will be silently ignored and the scan may only have access to a shallow clone.
  • Only pull_request is wired up as a trigger — direct pushes to main and periodic full-history scans (which catch newly-added TruffleHog detectors against historical commits) are not covered, unlike the parallel codeql.yml which uses both push and schedule.

Confidence Score: 3/5

Safe to merge as a no-op for existing code, but the scanning workflow itself may not work as intended due to the fetch-depth concern and missing triggers.

The workflow is the only changed file. The action is correctly pinned to a full SHA. However, fetch-depth: 0 is passed as an input to the composite action but is not listed among its documented overrides — if the action does not declare this input it will be silently ignored and TruffleHog will run against a shallow clone, reducing the scan's effectiveness. Additionally, no push or schedule triggers are configured, leaving direct commits to main and periodic rescans of historical commits uncovered.

.github/workflows/security.yml — confirm whether fetch-depth is a declared input of the secret-scan-trufflehog composite action, and consider adding push and schedule triggers.

Important Files Changed

Filename: .github/workflows/security.yml
Overview: New TruffleHog secret-scan workflow; action is properly pinned to a full commit SHA, but fetch-depth may be silently ignored by the composite action, and only pull_request triggers are configured (missing push and schedule).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR opened/updated targeting main] --> B{pull_request trigger}
    B --> C[Job: security runs-on: ubuntu-latest]
    C --> D[uses: NVIDIA/security-workflows secret-scan-trufflehog @ pinned SHA]
    D --> E{fetch-depth: 0 recognized input?}
    E -->|Yes| F[Full history checkout TruffleHog scans all commits]
    E -->|No - silently ignored| G[Shallow checkout TruffleHog scans PR diff only]
    F --> H{Secrets found?}
    G --> H
    H -->|Yes| I[Job fails]
    H -->|No| J[Job passes]

Reviews (1): Last reviewed commit: "Add Secret scaning workflow"

Comment on lines +15 to +16
with:
fetch-depth: 0


P1 [Question] fetch-depth likely not a recognized input of the composite action

The fetch-depth: 0 is passed in the with: block to the composite action NVIDIA/security-workflows/.github/actions/secret-scan-trufflehog. The commented-out "optional overrides" below list runs-on, extra-args, and fail-on-findings; fetch-depth is absent. If the action's action.yml does not declare fetch-depth as an input, GitHub Actions will silently ignore it (a warning is logged but execution continues). The action will then perform its own checkout with the default depth (typically 1), meaning TruffleHog won't have access to the full commit history, potentially missing secrets buried in older commits.


Comment on lines +3 to +5
on:
pull_request:
branches: [ "main" ]


P2 [Suggestion] Add push trigger to catch direct commits to main

The workflow only fires on pull_request. If a secret is committed directly to main (e.g., a fast-forward merge, a direct push by a maintainer), it will never be scanned. The existing codeql.yml uses both push and pull_request for the same reason.

Suggested change
on:
pull_request:
branches: [ "main" ]
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]


Comment on lines +3 to +5
on:
pull_request:
branches: [ "main" ]


P2 [Suggestion] Consider adding a schedule trigger for periodic full-repo scans

TruffleHog's detector set is continuously updated; secrets that weren't recognized when a commit was made can become detectable later. A scheduled scan catches these retroactively. The existing codeql.yml already uses a weekly schedule trigger for exactly this reason.

Suggested change
on:
pull_request:
branches: [ "main" ]
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: "17 3 * * 1" # Weekly on Monday

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

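The three review points above (an input under with: that the action may not declare, a missing push trigger, and a missing schedule trigger) are all things a small pre-merge check can catch before the workflow ever runs. The script below is an added example and is not code from this PR, from DALI, or from NVIDIA/security-workflows. Everything in it is constructed: the action.yml declares only the three overrides the review names (the real action may declare more), the two workflow texts approximate the submitted and the suggested configurations, and the 40-character commit SHA is a placeholder, not the one pinned in the PR. It uses a tiny indentation-based reader instead of a YAML library so it runs with the standard library alone.

```python
import re

# Constructed action.yml: inputs are the documented overrides the review
# names (runs-on, extra-args, fail-on-findings). Assumption, not the real file.
ACTION_YML = """\
name: secret-scan-trufflehog
inputs:
  runs-on:
    description: Runner label to use
  extra-args:
    description: Additional arguments passed to TruffleHog
  fail-on-findings:
    description: Fail the job when secrets are found
"""

# Constructed approximation of the workflow as submitted: pull_request only,
# fetch-depth passed under with:. The SHA is a placeholder, not the PR's.
WORKFLOW_AS_SUBMITTED = """\
on:
  pull_request:
    branches: [ "main" ]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: NVIDIA/security-workflows/.github/actions/secret-scan-trufflehog@0123456789abcdef0123456789abcdef01234567
        with:
          fetch-depth: 0
"""

# Constructed variant with the review's suggested triggers and only a declared
# input under with: (same placeholder SHA).
WORKFLOW_HARDENED = """\
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "17 3 * * 1" # Weekly on Monday
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: NVIDIA/security-workflows/.github/actions/secret-scan-trufflehog@0123456789abcdef0123456789abcdef01234567
        with:
          fail-on-findings: "true"
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def block_keys(text, parent):
    """Direct child keys of the first mapping whose key is `parent`.

    Small indentation-based reader, enough for the two-level mappings used
    here (not a general YAML parser); list items ("- ...") are skipped.
    """
    keys, parent_indent, child_indent = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if parent_indent is None:
            if stripped == f"{parent}:":
                parent_indent = indent
            continue
        if indent <= parent_indent:
            break  # the parent's block has ended
        if child_indent is None:
            child_indent = indent
        if indent == child_indent and not stripped.startswith("-"):
            keys.append(stripped.split(":", 1)[0])
    return keys


def action_refs(text):
    """(action, ref) pairs for every `uses:` line in a workflow."""
    refs = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            action, _, ref = m.group(1).partition("@")
            refs.append((action, ref))
    return refs


def lint_workflow(workflow, declared_inputs,
                  required_triggers=("push", "pull_request", "schedule")):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    triggers = block_keys(workflow, "on")
    for trigger in required_triggers:
        if trigger not in triggers:
            findings.append(f"missing trigger: {trigger}")
    for action, ref in action_refs(workflow):
        if not FULL_SHA_RE.match(ref):
            findings.append(f"not pinned to a full commit SHA: {action}@{ref}")
    # GitHub only warns about an unknown key under with: and keeps running,
    # so an undeclared input never fails the job; surface it here instead.
    for key in block_keys(workflow, "with"):
        if key not in declared_inputs:
            findings.append(f"input not declared by the action, will be ignored: {key}")
    return findings
```

Run lint_workflow(WORKFLOW_AS_SUBMITTED, block_keys(ACTION_YML, "inputs")) to get the three findings the review raised (missing push, missing schedule, undeclared fetch-depth); the hardened variant returns an empty list. Against a real repository, replace the constructed strings with the checked-out workflow and the action.yml fetched at the pinned SHA, so the declared-input check reflects the exact revision the workflow will execute.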

@JanuszL JanuszL marked this pull request as draft June 8, 2026 18:41
@mzient mzient changed the title Add Secret scaning workflow Add Secret scanning workflow Jun 9, 2026