Skip to content

chore(deps): bump trufflesecurity/trufflehog from 3.95.3 to 3.95.5#42

Merged
steipete merged 2 commits into
mainfrom
dependabot/github_actions/trufflesecurity/trufflehog-3.95.5
Jun 5, 2026
Merged

chore(deps): bump trufflesecurity/trufflehog from 3.95.3 to 3.95.5#42
steipete merged 2 commits into
mainfrom
dependabot/github_actions/trufflesecurity/trufflehog-3.95.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Copy link
Copy Markdown
Contributor

Bumps trufflesecurity/trufflehog from 3.95.3 to 3.95.5.

Release notes

Sourced from trufflesecurity/trufflehog's releases.

v3.95.5

What's Changed

New Contributors

Full Changelog: trufflesecurity/trufflehog@v3.95.3...v3.95.5

v3.95.4

What's Changed

... (truncated)

Commits
  • d411fff feat(apk): adds some debugging info for APKs and fixes issues parsing obfusca...
  • 26eae1f [SCAN-795] HTML decoder: ASPX and entity-encoded HTML support (#4981)
  • 6c8f640 Added source config flags to sharepoint proto (#4972)
  • 9f0b97f Update CODEOWNERS: replace 5 slugs with scanning + integrations (#4983)
  • 36f6f69 Pin GitHub Actions to SHA digests (#4985)
  • 52ebebb Update Go security dependencies (#4986)
  • ec67ff2 Add feature flags for Pinecone, Cloudinary, and GitLab OAuth detectors (#4961)
  • 0ec3634 Fix line numbers for duplicate secrets within a chunk (#4910)
  • 79acbf4 Remove over speculation from Corpora CI workflow (#4974)
  • d86254e feat: add host, db and username to ExtraData for database detectors (#4849)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) from 3.95.3 to 3.95.5.
- [Release notes](https://github.com/trufflesecurity/trufflehog/releases)
- [Commits](trufflesecurity/trufflehog@v3.95.3...v3.95.5)

---
updated-dependencies:
- dependency-name: trufflesecurity/trufflehog
  dependency-version: 3.95.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 4, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 4, 2026 01:12
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 4, 2026
@github-actions github-actions Bot added the chore label Jun 4, 2026
@clawsweeper

clawsweeper Bot commented Jun 4, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed June 5, 2026, 3:08 PM ET / 19:08 UTC.

Summary
The branch updates .github/workflows/secret-scan.yml to trufflesecurity/trufflehog@v3.95.5 and bumps the go.mod directive from 1.26.3 to 1.26.4.

Reproducibility: not applicable. this is a dependency maintenance PR, not a bug report. Source inspection verifies main still uses the old TruffleHog action tag and Go directive while the PR changes both.

Review metrics: 2 noteworthy metrics.

  • Changed surface: 2 files changed, 2 additions, 2 deletions. The PR is small, but it touches both CI secret scanning and the module Go directive.
  • PR-head checks: 11 successful, 1 skipped. The changed action and Go directive have run through the repository's current automated checks.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Risk before merge

  • [P1] Merging changes the third-party action code executed by the secret-scanning workflow from v3.95.3 to v3.95.5; passing PR checks reduce but do not eliminate that automation runtime decision.
  • [P1] The branch also changes the Go directive from 1.26.3 to 1.26.4, so maintainers should be comfortable landing that toolchain patch bump with this dependency PR.

Maintainer options:

  1. Merge with current workflow validation (recommended)
    Accept the routine GitHub Actions update risk because the PR head's CI and secret-scanning checks are green.
  2. Pause for immutable action policy
    If maintainers want action refs pinned by digest, pause this PR and decide that workflow policy before merging further action updates.

Next step before merge

  • [P2] Maintainers should decide whether to accept the routine workflow action and Go directive update risk; no repair lane is needed.

Security
Cleared: No concrete security or supply-chain regression was found: the workflow triggers, permissions, and secrets stay unchanged, and the updated checks succeeded.

Review details

Best possible solution:

Merge the narrow dependency/toolchain bump if required checks remain green, and handle any digest-pinning or Go-version policy separately.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency maintenance PR, not a bug report. Source inspection verifies main still uses the old TruffleHog action tag and Go directive while the PR changes both.

Is this the best way to solve the issue?

Yes: updating the existing workflow uses: ref is the narrow fix for this action bump, and the Go directive patch bump is small; maintainers can split the Go bump only if they want stricter PR scope.

AGENTS.md: not found in the target repository.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5b2af061b057.

Label changes

Label justifications:

  • P3: This is a low-risk routine dependency/toolchain maintenance PR with a small diff and green checks.
  • merge-risk: 🚨 automation: The PR changes the third-party action version executed by the secret-scanning workflow, which can affect CI behavior after merge.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Contributor-run real behavior proof is not required for this Dependabot-style automation dependency PR; the relevant validation is the successful PR-head checks.
Evidence reviewed

What I checked:

  • Current main workflow state: The default branch still invokes trufflesecurity/trufflehog@v3.95.3, so the requested action bump is not already implemented on main. (.github/workflows/secret-scan.yml:52, 5b2af061b057)
  • Current main Go directive: The default branch still declares go 1.26.3, matching the PR's base-side diff. (go.mod:3, 5b2af061b057)
  • PR diff surface: GitHub reports two changed files: the TruffleHog action tag changes from v3.95.3 to v3.95.5, and go.mod changes from Go 1.26.3 to 1.26.4. (50f28eb45e76)
  • PR validation: The PR head has successful CI, CodeQL, Socket, release-check, and secret-scan check runs; the only skipped check is the release draft update. (50f28eb45e76)
  • Workflow provenance: Blame ties the current secret-scanning workflow, including the TruffleHog step, to the v0.4.0 import commit. (.github/workflows/secret-scan.yml:52, 265084edc74d)
  • Go module history: Recent main history shows steipete has been changing go.mod and go.sum dependency state, while the PR head adds the Go directive patch bump as a separate commit. (go.mod:3, 7d5f4a2acc48)

Likely related people:

  • vincentkoc: Git blame ties the current .github/workflows/secret-scan.yml TruffleHog step to the v0.4.0 import commit, and the PR is assigned to this GitHub user. (role: workflow introducer; confidence: high; commits: 265084edc74d; files: .github/workflows/secret-scan.yml)
  • steipete: Recent main commits changed go.mod and go.sum, and the PR head's added Go directive bump is in the same module-maintenance area. (role: recent Go module contributor; confidence: medium; commits: 67ecc61efe68, 7d5f4a2acc48, 50f28eb45e76; files: go.mod, go.sum)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels Jun 4, 2026
@steipete steipete merged commit 5efced2 into main Jun 5, 2026
12 checks passed
@steipete steipete deleted the dependabot/github_actions/trufflesecurity/trufflehog-3.95.5 branch June 5, 2026 19:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chore dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants