feat: secrets detection — PR scan #24

@ms280690

Description

Context

Stage: PR / CI
Tool: trufflehog
Parent: #4

Why trufflehog

At PR time the goal shifts from pattern detection to verified active-secret detection — confirming that a matched credential is genuinely live before blocking, which minimises false-positive noise:

  • Attempts live verification of matched credentials against their target service (AWS, GitHub, Slack, etc.) — only flags secrets that are confirmed active
  • Scans the full git history of the PR branch, not just the diff — catches secrets introduced and then "deleted" in a later commit (they still exist in history)
  • SARIF output integrates with GitHub Advanced Security — findings appear inline on the PR diff and in the Security tab
  • Verification behaviour is configurable: --only-verified for strict mode, --no-verification for air-gapped environments

gitleaks (#23) catches patterns fast at pre-commit. trufflehog at PR confirms which of those (and anything that slipped through) are real, live credentials — reducing alert fatigue for reviewers.

Reusable workflow — secrets-scan.yml

name: Secrets PR Scan
on:
  workflow_call:
    inputs:
      only-verified:
        description: 'Only fail on verified active secrets (reduces false positives)'
        default: true
        type: boolean
      sarif-upload:
        description: 'Upload SARIF results to GitHub Security tab'
        default: true
        type: boolean

Consuming repo usage

# .github/workflows/secrets.yml
name: Secrets Detection
on: [pull_request]
jobs:
  gitleaks:
    uses: sparkgeo/github-actions/.github/workflows/secrets-precommit.yml@main  # #23

  trufflehog:
    uses: sparkgeo/github-actions/.github/workflows/secrets-scan.yml@main
    permissions:
      security-events: write   # required for SARIF upload

Gate behaviour (§5.5 alignment)

Finding                  | PR behaviour
Verified active secret   | Hard-blocks merge immediately
Unverified pattern match | Warning only (surfaced in Security tab)

Aligned with the §5.5 CI/CD gate: "Secret exposure always hard-blocks" regardless of environment.
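The gate rule above (verified finding blocks, unverified match only warns) and the only-verified input from the reusable workflow can be applied in one small step that consumes the scanner's newline-delimited JSON. The script below is an added example written for this issue, not code from sparkgeo/github-actions; the record fields it reads (DetectorName, Verified, Redacted, SourceMetadata) follow trufflehog's --json output as I understand it, and the sample lines are constructed rather than real scanner output.

```python
"""Merge gate over trufflehog JSON-lines output.

Added example, not from the sparkgeo/github-actions repo. Reads the
newline-delimited JSON that `trufflehog --json` emits and applies the gate
rule from the issue: a verified finding hard-blocks, an unverified match is
a warning. Field names (DetectorName, Verified, Redacted, SourceMetadata)
follow trufflehog's JSON output as I understand it; the sample below is
constructed, not real output.
"""
import json
import sys

# Constructed sample: one verified AWS key, one unverified generic URI match,
# and a blank line such as a real stream may contain.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({
        "SourceMetadata": {"Data": {"Git": {"commit": "deadbeef", "file": "config/prod.env", "line": 3}}},
        "DetectorName": "AWS",
        "Verified": True,
        "Redacted": "AKIA****************",
    }),
    "",
    json.dumps({
        "SourceMetadata": {"Data": {"Git": {"commit": "cafebabe", "file": "scripts/deploy.sh", "line": 12}}},
        "DetectorName": "URI",
        "Verified": False,
        "Redacted": "https://user:****@example.invalid",
    }),
])


def parse_findings(stream):
    """Return one dict per non-empty JSON line; anything non-JSON is skipped."""
    findings = []
    for raw in stream.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            findings.append(json.loads(raw))
        except json.JSONDecodeError:
            # Be defensive about progress or log text reaching stdout.
            continue
    return findings


def location(finding):
    """file:line@shortsha for the annotation; '?' where metadata is missing."""
    git = finding.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
    return f"{git.get('file', '?')}:{git.get('line', '?')}@{str(git.get('commit', '?'))[:8]}"


def evaluate_gate(findings, only_verified=True):
    """Return (exit_code, blocking, warnings).

    only_verified=True mirrors the workflow input of the same name: only
    verified findings block the merge. only_verified=False makes every match
    block, which is the right setting when the scan runs with
    --no-verification (air-gapped) and nothing can be confirmed live.
    """
    blocking = [f for f in findings if f.get("Verified") or not only_verified]
    warnings = [f for f in findings if f not in blocking]
    return (1 if blocking else 0), blocking, warnings


def main():
    # Read the scanner's stdout when piped in; fall back to the sample otherwise.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    code, blocking, warnings = evaluate_gate(parse_findings(text))
    # GitHub Actions workflow commands: ::error:: fails the annotation inline
    # on the PR, ::warning:: surfaces without blocking.
    for f in blocking:
        print(f"::error::verified {f.get('DetectorName')} secret at {location(f)} ({f.get('Redacted')})")
    for f in warnings:
        print(f"::warning::unverified {f.get('DetectorName')} match at {location(f)}")
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Wired into a job as `trufflehog --json ... | python gate.py`, the step's exit code is what enforces "secret exposure always hard-blocks"; the Redacted value is printed rather than Raw so the annotation itself does not re-expose the credential.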

Rotation procedure

When a verified secret is detected:

  1. Revoke immediately — do not wait for the PR to be closed
  2. Rotate the credential at the source (AWS IAM, GitHub PAT settings, etc.)
  3. Remove from git history via git filter-repo or BFG Repo Cleaner
  4. Force-push the cleaned history (coordinate with team)
  5. Open a TheHive case if the secret was live for >1 hour (cross-ref Step 1 §5.5 SLA: revoke within 1 hour)
