feat(trufflehog): centralize path exclusions and support .trufflehogignore#137
Conversation
…gnore
Add a centralized `trufflehog/exclude-paths.txt` for org-wide default
exclusions (vendor/, lock files, manifests, grafana.json, dashboards)
and support repo-local `.trufflehogignore` files for per-repo overrides.
Changes:
- Add trufflehog/exclude-paths.txt fetched at runtime from this repo (GitHub API → raw fallback → workflow ref fallback)
- Append repo-local .trufflehogignore to exclude patterns if present
- Simplify PR/merge-group scan loop with grep pre-filter
- Move ${{ }} expressions from run blocks into env blocks
- Fix jq CHANGELOG filter to use try/catch syntax
- Clean up org-required-trufflehog.yml comments
ezebunandu
left a comment
It looks like the workflow will accept a trufflehog exclusion from the PR head, allowing a contributor to exclude files that should otherwise be scanned.
Would accepting the trufflehog exclusion from only the main branch not be a better approach?
Good point. I thought about this too. The .trufflehogignore is read from the checked-out tree, so technically a contributor could add it in the same PR to skip scanning on certain paths. But in practice, the change to .trufflehogignore would show up in the PR diff, so reviewers would see it. It's also the same trust model as the inline trufflehog:ignore comment, which already works from the PR head. We could read it from the default branch instead, but that adds friction for the legitimate use cases. Teams would have to merge the ignore file first before it takes effect. Since this is mostly catching accidental commits from internal contributors, I think reading from the working tree is reasonable here.
Adds configurable path exclusions to the TruffleHog scan so we stop flagging hashes in lock files, vendor code, and other known false-positive paths.
How it works
How to use
Other fixes
- Moved ${{ }} expressions out of run: blocks into env: blocks (code injection fix)
- Simplified scan loop with a grep pre-filter instead of per-file case statements
- Fixed jq CHANGELOG filter with try/catch
Testing
Tested on cloud-traces-operators #194 — confirmed exclusions load correctly and files are skipped as expected.
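The exclusion pipeline described in the commit message and this description (org-wide list with API/raw/workflow fallbacks, repo-local .trufflehogignore appended, grep pre-filter), as an added shell example that is not the PR's own workflow code. ORG/REPO, GITHUB_TOKEN, WORKFLOW_CHECKOUT and BASE_SHA/HEAD_SHA are placeholders, and trufflehog's `--exclude-paths` flag (one regex per line) is assumed from the trufflehog CLI. It also includes the base-branch variant raised in review, which the PR itself did not adopt.

```shell
# Added example, not the PR's workflow code. ORG/REPO, GITHUB_TOKEN and
# WORKFLOW_CHECKOUT are placeholders; trufflehog's --exclude-paths flag
# (one regex per line) is assumed from the trufflehog CLI.
set -eu

# Org-wide list with the fallback chain the PR describes: GitHub contents API
# -> raw.githubusercontent.com -> the copy checked out alongside the workflow.
fetch_org_exclusions() {
  local out="$1" ref="${2:-main}"
  local path="trufflehog/exclude-paths.txt"
  curl -fsSL -H "Authorization: Bearer ${GITHUB_TOKEN:-}" \
       -H "Accept: application/vnd.github.raw" \
       "https://api.github.com/repos/ORG/REPO/contents/$path?ref=$ref" -o "$out" \
  || curl -fsSL "https://raw.githubusercontent.com/ORG/REPO/$ref/$path" -o "$out" \
  || cp "${WORKFLOW_CHECKOUT:-.}/$path" "$out"
}

# Merge the org list with an optional repo-local .trufflehogignore.
# Blank lines and '#' comment lines are dropped and duplicates removed,
# so every line written to "$out" is one exclusion regex.
build_exclusions() {
  local org="$1" out="$2" local_ignore="${3:-.trufflehogignore}"
  {
    cat "$org"
    if [ -f "$local_ignore" ]; then cat "$local_ignore"; fi
  } | awk '/^[ \t]*(#|$)/ { next } !seen[$0]++' > "$out"
}

# Variant raised in review: read .trufflehogignore from the base branch so a
# PR cannot widen its own exclusions. Prints nothing if the file is absent.
ignore_from_base_branch() {
  git show "origin/${1:-main}:.trufflehogignore" 2>/dev/null || true
}

# grep pre-filter from the PR's scan loop: changed files arrive on stdin, one
# per line; any file matching an exclusion regex (used as POSIX ERE) is dropped.
prefilter_changed_files() {
  local excl="$1"
  if [ -s "$excl" ]; then grep -v -E -f "$excl" || true; else cat; fi
}

# Per-file scan of the PR range (BASE_SHA/HEAD_SHA assumed set by the workflow).
scan_pr_files() {
  local excl="$1"
  git diff --name-only "$BASE_SHA" "$HEAD_SHA" | prefilter_changed_files "$excl" |
    while IFS= read -r f; do
      trufflehog filesystem --exclude-paths "$excl" --fail --no-update "$f"
    done
}
```

In the workflow, `fetch_org_exclusions` runs first, then `build_exclusions` produces the combined file that both the pre-filter and trufflehog consume.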