From 321c8019cdac2b8802a8a23bd983ece58c0d341d Mon Sep 17 00:00:00 2001 From: Isaiah Grigsby Date: Tue, 7 Oct 2025 16:28:17 -0500 Subject: [PATCH 1/7] Use local workflow reference for org ruleset - Changed to ./.github/workflows/reusable-trufflehog.yml - Will use the same branch as the org ruleset reference - Prepares for merging fixes into main branch --- .github/workflows/org-required-trufflehog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/org-required-trufflehog.yml b/.github/workflows/org-required-trufflehog.yml index 3b297f6..b633f88 100644 --- a/.github/workflows/org-required-trufflehog.yml +++ b/.github/workflows/org-required-trufflehog.yml @@ -18,7 +18,7 @@ permissions: jobs: secret-scan: name: TruffleHog Secret Scan - uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@fix/update-runner-to-x64-large + uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml with: # Monitoring mode - no blocking, just reporting fail-on-verified: "false" # Don't block on verified secrets (monitoring only) From e2b4a22512710199927e9068a89a9b5b39f4b5a7 Mon Sep 17 00:00:00 2001 From: Isaiah Grigsby Date: Tue, 10 Feb 2026 10:35:42 -0600 Subject: [PATCH 2/7] Upload results.json as artifact alongside text report --- .github/workflows/reusable-trufflehog.yml | 41 ++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml index 56186c2..d90e030 100644 --- a/.github/workflows/reusable-trufflehog.yml +++ b/.github/workflows/reusable-trufflehog.yml 
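Review bot: The new `uses:` line drops the `@ref` entirely, leaving `grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml` with no ref, which GitHub does not accept for a cross-repository reusable workflow; it also contradicts the commit message, which says the reference was changed to the local `./.github/workflows/reusable-trufflehog.yml` form. Patch 3/7 repairs this with `@main`, so this commit is a broken intermediate state and the two could be squashed. The refs that follow (`@main` in 3/7, `@feat/upload-trufflehog-json-artifact` in 5/7) are mutable branches; for a workflow that an org ruleset requires on every repository, pin to a full commit SHA or an immutable tag so that anyone who can push to the branch cannot silently change what runs org-wide, and make sure the feature-branch ref from 5/7 is reverted before merge.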
@@ -197,9 +197,48 @@ jobs: if: always() with: name: trufflehog_scan - path: trufflehog_scan.txt + path: | + trufflehog_scan.txt + results.json retention-days: 30 + - name: Setup Python for Grafana integration + if: ${{ !cancelled() && (secrets.LOKI_URL != '' || secrets.PROMETHEUS_PUSHGATEWAY_URL != '') }} + uses: actions/setup-python@0b6a380b5a7827e48e69b2e0e596c5c8c2b0e0b0 # v5.1.0 + with: + python-version: '3.x' + + - name: Install Python dependencies + if: ${{ !cancelled() && (secrets.LOKI_URL != '' || secrets.PROMETHEUS_PUSHGATEWAY_URL != '') }} + run: | + pip install requests + + - name: Send findings to Loki + if: ${{ !cancelled() && secrets.LOKI_URL != '' }} + continue-on-error: true + env: + LOKI_URL: ${{ secrets.LOKI_URL }} + LOKI_USERNAME: ${{ secrets.LOKI_USERNAME }} + LOKI_PASSWORD: ${{ secrets.LOKI_PASSWORD }} + REPOSITORY: ${{ github.repository }} + COMMIT_SHA: ${{ github.sha }} + BRANCH: ${{ github.ref_name }} + TRUFFLEHOG_RESULTS_FILE: results.json + run: | + python trufflehog/send-to-loki.py + + - name: Send metrics to Prometheus + if: ${{ !cancelled() && secrets.PROMETHEUS_PUSHGATEWAY_URL != '' }} + continue-on-error: true + env: + PROMETHEUS_PUSHGATEWAY_URL: ${{ secrets.PROMETHEUS_PUSHGATEWAY_URL }} + REPOSITORY: ${{ github.repository }} + COMMIT_SHA: ${{ github.sha }} + BRANCH: ${{ github.ref_name }} + TRUFFLEHOG_RESULTS_FILE: results.json + run: | + python trufflehog/send-to-prometheus.py + - name: Check failure policy env: FAIL_ON_VERIFIED: ${{ inputs.fail-on-verified }} From cb86b576a4b8ff5ad912e8476048778176cb04ad Mon Sep 17 00:00:00 2001 From: Isaiah Grigsby Date: Tue, 10 Feb 2026 10:42:40 -0600 Subject: [PATCH 3/7] Fix missing @ref in workflow uses reference --- .github/workflows/org-required-trufflehog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/org-required-trufflehog.yml b/.github/workflows/org-required-trufflehog.yml index b633f88..7b3be35 100644 
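Review bot: The four added `if:` expressions (`Setup Python for Grafana integration`, `Install Python dependencies`, `Send findings to Loki`, `Send metrics to Prometheus`) read `secrets.LOKI_URL` / `secrets.PROMETHEUS_PUSHGATEWAY_URL`, but as far as GitHub's context-availability rules go the `secrets` context is not usable in `jobs.<job_id>.steps.if`, so these steps should fail to evaluate rather than skip; map the secrets into a job-level `env:` and test `if: ${{ !cancelled() && env.LOKI_URL != '' }}` instead. Separately, `results.json` is assembled from TruffleHog's JSON output, which by default carries the matched secret in its `Raw`/`RawV2` fields, so adding it to the 30-day artifact here (and to the directory upload in 7/7) and pushing it to Loki copies the secret values themselves to places with far wider read access than the repository's secret store; strip those fields before upload and shipping, for example `jq 'map(del(.Raw, .RawV2))'` over the file, or export only the `Redacted` form. `python trufflehog/send-to-loki.py` resolves against the caller's workspace because a reusable workflow runs in the calling repository, so unless a step outside this hunk checks out this repository the script will not be found, and `pip install requests` is unpinned. The enclosing job begins well before this hunk.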
--- a/.github/workflows/org-required-trufflehog.yml +++ b/.github/workflows/org-required-trufflehog.yml @@ -18,7 +18,7 @@ permissions: jobs: secret-scan: name: TruffleHog Secret Scan - uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml + uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@main with: # Monitoring mode - no blocking, just reporting fail-on-verified: "false" # Don't block on verified secrets (monitoring only) From 6ec860267851d82683adf67195010ee3cfb31e9e Mon Sep 17 00:00:00 2001 From: Isaiah Grigsby Date: Tue, 10 Feb 2026 10:52:38 -0600 Subject: [PATCH 4/7] Add debug step to verify JSON file creation --- .github/workflows/reusable-trufflehog.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml index 27e40c1..db82ea1 100644 --- a/.github/workflows/reusable-trufflehog.yml +++ b/.github/workflows/reusable-trufflehog.yml @@ -188,6 +188,23 @@ jobs: fi } > trufflehog_scan.txt + - name: Verify JSON file exists + if: always() + run: | + if [[ -f "results.json" ]]; then + echo "✅ results.json exists" + echo "File size: $(wc -c < results.json) bytes" + echo "JSON validity check:" + if jq empty results.json 2>/dev/null; then + echo "✅ Valid JSON" + echo "Number of findings: $(jq '. | length' results.json)" + else + echo "❌ Invalid JSON" + fi + else + echo "❌ results.json does not exist" + fi + - name: Upload scan results uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: always() From eb3024f054cff601a686d1b09c4f2630cd549b51 Mon Sep 17 00:00:00 2001 From: Isaiah Grigsby Date: Tue, 10 Feb 2026 11:04:21 -0600 Subject: [PATCH 5/7] Point to feature branch for testing JSON artifact --- .github/workflows/org-required-trufflehog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/org-required-trufflehog.yml b/.github/workflows/org-required-trufflehog.yml index 4d09a4b..454f075 100644 --- a/.github/workflows/org-required-trufflehog.yml +++ b/.github/workflows/org-required-trufflehog.yml @@ -18,7 +18,7 @@ permissions: jobs: secret-scan: name: TruffleHog Secret Scan - uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@main + uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@feat/upload-trufflehog-json-artifact with: # Monitoring mode - no blocking, just reporting fail-on-verified: "false" # Don't block on verified secrets (monitoring only) From d22eea50d0b95dae3793c4904ab24e76402196b3 Mon Sep 17 00:00:00 2001 From: Isaiah Grigsby Date: Tue, 10 Feb 2026 11:10:20 -0600 Subject: [PATCH 6/7] Fix: Ensure results.json always exists before upload --- .github/workflows/reusable-trufflehog.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml index db82ea1..8c8b164 100644 --- a/.github/workflows/reusable-trufflehog.yml +++ b/.github/workflows/reusable-trufflehog.yml @@ -85,6 +85,9 @@ jobs: # Process results if [[ -s results.ndjson ]]; then grep -v '^$' results.ndjson | jq -s '.' > results.json 2>/dev/null || echo "[]" > results.json + else + # Ensure results.json exists even if no results + echo "[]" > results.json fi # Count secrets @@ -205,6 +208,16 @@ jobs: echo "❌ results.json does not exist" fi + - name: Ensure results.json exists + if: always() + run: | + if [[ ! -f "results.json" ]]; then + echo "[]" > results.json + echo "Created empty results.json" + fi + echo "Files to upload:" + ls -la results.json trufflehog_scan.txt 2>/dev/null || echo "Some files missing" + - name: Upload scan results uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: always() From 479b6ce5abc7ed8fc2504d22cfb5bf3ebc565f90 Mon Sep 17 00:00:00 2001 
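Review bot: The new `Ensure results.json exists` step in the second hunk of 6/7 duplicates the guarantee the first hunk already adds to the scan step (`else echo "[]" > results.json`), and the `Verify JSON file exists` debug step from 4/7 checks the same thing a third time; keep one of them, and run it under `!cancelled()` rather than `always()` so a cancelled run does not keep executing shell. The `ls -la results.json trufflehog_scan.txt 2>/dev/null || echo "Some files missing"` line only logs, so a missing `trufflehog_scan.txt` still produces a green step and a partial artifact; if that is worth knowing about, emit `echo "::warning::trufflehog_scan.txt missing"` or fail the step. Patch 7/7 rewrites this step again, so the debugging churn would read better squashed into one commit.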
From: Isaiah Grigsby Date: Tue, 10 Feb 2026 11:15:35 -0600 Subject: [PATCH 7/7] Fix: Upload artifacts from directory to ensure both files are included --- .github/workflows/reusable-trufflehog.yml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml index 8c8b164..d2adb03 100644 --- a/.github/workflows/reusable-trufflehog.yml +++ b/.github/workflows/reusable-trufflehog.yml @@ -208,24 +208,29 @@ jobs: echo "❌ results.json does not exist" fi - - name: Ensure results.json exists + - name: Prepare artifacts for upload if: always() run: | + # Ensure results.json exists if [[ ! -f "results.json" ]]; then echo "[]" > results.json echo "Created empty results.json" fi - echo "Files to upload:" - ls -la results.json trufflehog_scan.txt 2>/dev/null || echo "Some files missing" + + # Create artifacts directory and copy files + mkdir -p trufflehog-artifacts + cp trufflehog_scan.txt trufflehog-artifacts/ 2>/dev/null || echo "trufflehog_scan.txt not found" + cp results.json trufflehog-artifacts/ 2>/dev/null || echo "results.json not found" + + echo "Files in artifacts directory:" + ls -la trufflehog-artifacts/ - name: Upload scan results uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: always() with: name: trufflehog_scan - path: | - trufflehog_scan.txt - results.json + path: trufflehog-artifacts/ retention-days: 30 - name: Setup Python for Grafana integration
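Review bot: Both `cp ... 2>/dev/null || echo "... not found"` lines in `Prepare artifacts for upload` turn a missing file into a log line and a successful step, so the `trufflehog-artifacts/` upload can silently ship with one file while anyone reading the artifact assumes two. Since the scan step is supposed to create `trufflehog_scan.txt` and the block above guarantees `results.json`, a missing file there is a real failure: either let the step fail (`cp trufflehog_scan.txt trufflehog-artifacts/`) or at least surface it as an annotation with `echo "::warning::trufflehog_scan.txt not found"`. The `ls -la trufflehog-artifacts/` listing is fine as a diagnostic but is not a substitute for the check. The `Setup Python for Grafana integration` step at the end of the hunk continues outside it.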