22 changes: 22 additions & 0 deletions .github/workflows/security.yml
@@ -0,0 +1,22 @@
name: Secret Scan

on:
pull_request:
branches: [ "main" ]
Comment on lines +3 to +5 (Contributor)

P2 [Suggestion] Add push trigger to catch direct commits to main

The workflow only fires on pull_request. If a secret is committed directly to main (e.g., a fast-forward merge, a direct push by a maintainer), it will never be scanned. The existing codeql.yml uses both push and pull_request for the same reason.

Suggested change
-on:
-  pull_request:
-    branches: [ "main" ]
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]

Comment on lines +3 to +5 (Contributor)

P2 [Suggestion] Consider adding a schedule trigger for periodic full-repo scans

TruffleHog's detector set is continuously updated; secrets that weren't recognized when a commit was made can become detectable later. A scheduled scan catches these retroactively. The existing codeql.yml already uses a weekly schedule trigger for exactly this reason.

Suggested change
-on:
-  pull_request:
-    branches: [ "main" ]
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: "17 3 * * 1" # Weekly on Monday

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!


permissions:
contents: read

jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: NVIDIA/security-workflows/.github/actions/secret-scan-trufflehog@d7945f4856b8f3f285c75abbc2af3054d5b28e1e
with:
fetch-depth: 0
Comment on lines +15 to +16 (Contributor)

P1 [Question] fetch-depth likely not a recognized input of the composite action

The fetch-depth: 0 is passed in the with: block to the composite action NVIDIA/security-workflows/.github/actions/secret-scan-trufflehog. The commented-out "optional overrides" below list runs-on, extra-args, and fail-on-findings; fetch-depth is absent. If the action's action.yml does not declare fetch-depth as an input, GitHub Actions will silently ignore it (a warning is logged but execution continues). The action will then perform its own checkout with the default depth (typically 1), meaning TruffleHog won't have access to the full commit history, potentially missing secrets buried in older commits.


# Optional overrides — see the workflow file for the full interface:
# with:
# runs-on: linux-amd64-cpu4 # nv-gha-runners label
# extra-args: "--results=verified,unknown"
# fail-on-findings: false # warn-only during initial rollout
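Review bot: the security job sets no timeout-minutes, and with fetch-depth: 0 the scan walks the full commit history, so on a large repository a slow or hung TruffleHog run holds the runner until GitHub's default job limit (360 minutes) and the PR check stays pending the whole time; add timeout-minutes at the job level (choose the value from observed run times, e.g. a placeholder of 30) so a stalled scan fails fast and visibly. The uses: line pins the composite action to a bare SHA with no trailing version comment, so a reviewer cannot tell which release d7945f48... corresponds to or whether a bump is due; add the release tag as a comment beside the SHA (# <release tag>, placeholder) so pin updates can be audited. The commented-out overrides block is the only description of the action's interface in this file and it omits fetch-depth while the live with: block passes it; once the P1 question on lines +15 to +16 is resolved, keep that block in sync with the inputs the action actually declares at the pinned commit, and note that the "--results=verified,unknown" override includes unverified findings and will raise the noise level if enabled.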