ci: add Trufflehog OSS secrets scan to PRs

[crookedstorm]

This adds a secrets scan to PRs for early detection.

Summary by CodeRabbit

• Chores
  • Added an automated Security workflow to CI that scans commits and PRs for exposed secrets on pushes, pull requests, merge-group checks, and manual runs. It reduces redundant runs via concurrency controls, restricts scan permissions, skips or logs merge-group events, and surfaces detected issues—failing the run for standard events while allowing non-blocking behavior for merge-group scenarios.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a GitHub Actions workflow that runs a pinned TruffleHog OSS secret scan on push, pull_request, merge_group, and manual dispatch. The job skips merge-group runs, checks out code for applicable events, runs TruffleHog (continue-on-error), and exits non-zero when TruffleHog fails on non-merge_group events.

Changes

Security Scanning Workflow

Layer / File(s)	Summary
TruffleHog secrets scanning job ./.github/workflows/security.yaml	New workflow with event triggers (push/pull_request scoped to main, merge_group, workflow_dispatch), read-only contents/pull-requests permissions, concurrency settings, and a secrets-scan job that logs merge-group skips, conditionally checks out code, runs pinned TruffleHog OSS with continue-on-error, and fails the run when TruffleHog reports failure on non-merge_group events.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Title accurately describes the main change: adding a Trufflehog OSS secrets scanning workflow to PRs.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch in-repo-scan/crookedstorm

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/security.yaml:
- Around line 29-32: Replace the actions/checkout@v6 tag with a pinned commit
SHA for actions/checkout and add persist-credentials: false under the existing
with: block (near the fetch-depth: 0 entry) so the checkout step uses a specific
commit and does not persist GITHUB_TOKEN in git config; update the reference
where actions/checkout@v6 appears and ensure the new with: entries include
persist-credentials: false and fetch-depth: 0.
- Line 41: The CI workflow currently passes the `--debug` flag to the TruffleHog
scanner via the `extra_args` setting for the `trufflesecurity/trufflehog`
action; remove the `--debug` token (or remove the `extra_args` key entirely) so
the action no longer runs with debug verbosity and won't leak scan context into
CI logs — update the `extra_args` entry that contains `--debug` accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: aecb6635-acef-466e-8402-132e918c2123

📥 Commits

Reviewing files that changed from the base of the PR and between f76d08c and 8bbec94.

📒 Files selected for processing (1)

• .github/workflows/security.yaml

[crookedstorm]

Reviewers can use https://github.com/trufflesecurity/trufflehog/blob/main/action.yml for reference

[github-actions]

Suite	Lines Covered	Line Rate	Branch Rate
Unit Tests	18248/24195	75.4%	61.9%
Integration Tests	11668/22977	50.8%	25.9%

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/security.yaml (1)

1-46: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Write permissions required for .github/ folder.

As per coding guidelines, files in dot-folders require Write permissions upfront.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security.yaml around lines 1 - 46, The workflow's
permissions block currently sets contents: read which prevents actions needing
to modify files in the .github directory; update the permissions block to grant
write access by changing contents: read to contents: write (keep pull-requests:
read as-is) so the workflow has the required write permissions for the .github
folder; update the permissions stanza (the permissions mapping in this file)
accordingly.

♻️ Duplicate comments (2)

.github/workflows/security.yaml (2)

29-32: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin checkout action to commit SHA and disable credential persistence.

• Pin actions/checkout@v6 to a commit SHA
• Add persist-credentials: false

🔒 Proposed fix

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v6.0.0
         if: ${{ github.event_name != 'merge_group' }}
         with:
           fetch-depth: 0
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security.yaml around lines 29 - 32, Replace the floating
actions/checkout@v6 usage with a pinned commit SHA and disable credential
persistence: update the workflow step that currently uses "actions/checkout@v6"
(the checkout step) to reference the specific commit SHA for that action and add
the input "persist-credentials: false" under its with: block so the checkout
does not leave runner credentials available to subsequent steps.

---

41-41: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove --debug flag.

Debug mode increases log verbosity and may leak scan context.

🔧 Proposed fix

-          extra_args: --debug

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security.yaml at line 41, The workflow step currently
passes the debug flag via the extra_args setting ("extra_args: --debug"); remove
the `--debug` token from extra_args so scans run without debug verbosity (e.g.,
change or sanitize the extra_args value used in that job/step to omit
`--debug`), and ensure no other workflow steps or variables inject `--debug`
elsewhere.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/security.yaml:
- Around line 1-46: The workflow's permissions block currently sets contents:
read which prevents actions needing to modify files in the .github directory;
update the permissions block to grant write access by changing contents: read to
contents: write (keep pull-requests: read as-is) so the workflow has the
required write permissions for the .github folder; update the permissions stanza
(the permissions mapping in this file) accordingly.

---

Duplicate comments:
In @.github/workflows/security.yaml:
- Around line 29-32: Replace the floating actions/checkout@v6 usage with a
pinned commit SHA and disable credential persistence: update the workflow step
that currently uses "actions/checkout@v6" (the checkout step) to reference the
specific commit SHA for that action and add the input "persist-credentials:
false" under its with: block so the checkout does not leave runner credentials
available to subsequent steps.
- Line 41: The workflow step currently passes the debug flag via the extra_args
setting ("extra_args: --debug"); remove the `--debug` token from extra_args so
scans run without debug verbosity (e.g., change or sanitize the extra_args value
used in that job/step to omit `--debug`), and ensure no other workflow steps or
variables inject `--debug` elsewhere.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b9864955-bdde-4b32-a910-6a6579a0d6e9

📥 Commits

Reviewing files that changed from the base of the PR and between 8bbec94 and ad8f738.

📒 Files selected for processing (1)

• .github/workflows/security.yaml

[svvarom]

LGTM

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/security.yaml (1)

29-32: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin checkout by SHA and disable credential persistence.

Still unresolved: actions/checkout is tag-pinned (@v6) and does not set persist-credentials: false.

Proposed fix

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@<full_commit_sha>
         if: ${{ github.event_name != 'merge_group' }}
         with:
           fetch-depth: 0
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security.yaml around lines 29 - 32, Replace the tag-pinned
actions/checkout@v6 with a specific commit SHA (pin by full SHA) and add the
with key persist-credentials: false alongside fetch-depth: 0 so the checkout
step disables credential persistence; update the checkout step that currently
references actions/checkout@v6 and the existing with: fetch-depth: 0 to include
persist-credentials: false and use the full SHA instead of `@v6`.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/workflows/security.yaml:
- Around line 29-32: Replace the tag-pinned actions/checkout@v6 with a specific
commit SHA (pin by full SHA) and add the with key persist-credentials: false
alongside fetch-depth: 0 so the checkout step disables credential persistence;
update the checkout step that currently references actions/checkout@v6 and the
existing with: fetch-depth: 0 to include persist-credentials: false and use the
full SHA instead of `@v6`.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2c242e99-2cee-49eb-8215-f4380785a2f9

📥 Commits

Reviewing files that changed from the base of the PR and between 72f4c9d and a0e00e5.

📒 Files selected for processing (1)

• .github/workflows/security.yaml