Add TruffleHog shared agentic workflow for secret detection in smoke-codex#29512
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/8a417144-bb7c-4a85-b7c3-b834d4d9dcc2 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
| if-no-files-found: ignore | ||
| --- | ||
| # TruffleHog Secret Detection |
| @@ -0,0 +1,173 @@ | |||
| --- | |||
| safe-outputs: | |||
| threat-detection: | |||
@copilot run in a separate job, needs detection, and report failure to conclusion using some kind of extensible way to generate an agentic failure issue/comment
Restructured in 97bd71b. TruffleHog now runs as a dedicated trufflehog_scan job with needs: [agent, detection] (agent is required explicitly to prevent the compiler from auto-adding the job as an agent pre-dependency, which would create a cycle). The extensible failure reporting is via jobs.conclusion.pre-steps: when secrets are found, a GitHub issue titled 🔐 Secrets detected in workflow run: … is created with the affected locations and a link to the trufflehog-scan-results artifact. Other security tools can follow the same pattern (separate job + conclusion pre-step) without any compiler changes.
…ocs, conclusion pre-steps Agent-Logs-Url: https://github.com/github/gh-aw/sessions/43f96f09-1577-4259-a542-a2ee8452ef7c Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…sue URL Agent-Logs-Url: https://github.com/github/gh-aw/sessions/43f96f09-1577-4259-a542-a2ee8452ef7c Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Just as a heads up, I was blocked by some firewall rules while working on your feedback.
Warning: Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
Pull request overview
Adds a reusable TruffleHog-based secret scanning job to the smoke-codex agentic workflow suite, and wires its failure into the conclusion job for issue reporting.
Changes:
- Introduces a new shared workflow import shared/trufflehog.md that runs TruffleHog scans over workflow artifacts and fails on detections.
- Updates smoke-codex to import the new shared TruffleHog workflow.
- Recompiles smoke-codex.lock.yml to include the new trufflehog_scan job and conclusion pre-step reporting.
| File | Description |
|---|---|
| .github/workflows/shared/trufflehog.md | New shared workflow defining trufflehog_scan job + conclusion pre-step for secret detection reporting. |
| .github/workflows/smoke-codex.md | Adds the new shared/trufflehog.md import to enable TruffleHog scanning in smoke-codex. |
| .github/workflows/smoke-codex.lock.yml | Recompiled lock output including the new job and conclusion pre-step integration. |
Copilot's findings
Comments suppressed due to low confidence (2)
.github/workflows/shared/trufflehog.md:80
- Same issue as the agent-output scan: non-zero exit codes other than 183 are ignored (and stderr is suppressed), so scan failures can be misreported as clean. Consider failing the job (or surfacing an explicit scan_error output) when TruffleHog returns an error code other than 0/183.
trufflehog filesystem "$SCAN_DIR" --json --no-update --fail 2>/dev/null | tee "$OUTPUT_FILE" || SCAN_EXIT=${PIPESTATUS[0]}
SCAN_EXIT=${SCAN_EXIT:-0}
.github/workflows/shared/trufflehog.md:99
- Same issue as the other scan steps: errors from TruffleHog (exit code other than 0/183) are currently swallowed due to continue-on-error: true and lack of error handling, which can yield false negatives. Treat scan errors as failures (and don't discard stderr) to ensure secrets scanning is reliable.
echo "Scanning repo-memory in $SCAN_DIR"
trufflehog filesystem "$SCAN_DIR" --json --no-update --fail 2>/dev/null | tee "$OUTPUT_FILE" || SCAN_EXIT=${PIPESTATUS[0]}
SCAN_EXIT=${SCAN_EXIT:-0}
- Files reviewed: 3/3 changed files
- Comments generated: 3
| - name: Download agent output artifact | ||
| id: download-agent | ||
| continue-on-error: true | ||
| uses: actions/download-artifact@v8 | ||
| with: | ||
| name: agent | ||
| path: /tmp/gh-aw | ||
| - name: Download cache-memory artifact | ||
| id: download-cache-memory | ||
| continue-on-error: true | ||
| uses: actions/download-artifact@v8 | ||
| with: | ||
| name: cache-memory | ||
| path: /tmp/gh-aw/cache-memory | ||
| - name: Download repo-memory artifact | ||
| id: download-repo-memory | ||
| continue-on-error: true | ||
| uses: actions/download-artifact@v8 | ||
| with: |
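Review bot: With continue-on-error: true on all three download steps (download-agent, download-cache-memory, download-repo-memory), a failed download leaves the target path missing, and the scan steps then take their "directory is empty or missing, skipping" branch with SCAN_EXIT=0, so an artifact that could not be fetched is reported exactly like a clean one. Suggest checking steps.download-agent.outcome (and the other two) in a follow-up step and surfacing a distinct scan_error or skipped output, so the conclusion job can tell "nothing scanned" from "nothing found".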
| TRUFFLEHOG_VERSION: "3.88.27" | ||
| run: | | ||
| echo "Installing TruffleHog v${TRUFFLEHOG_VERSION}..." | ||
| curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin "v${TRUFFLEHOG_VERSION}" |
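Review bot: The binary version is pinned (TRUFFLEHOG_VERSION: "3.88.27") but the installer is fetched unpinned from raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh and piped straight into sh, so the trust anchor of the secret-scanning job is whatever that branch serves at run time. Suggest pinning the script to a commit SHA (or vendoring it into the repository) and verifying its checksum, or downloading the tagged release archive and checking its release checksum before installing to /usr/local/bin.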
| continue-on-error: true | ||
| run: | | ||
| mkdir -p /tmp/gh-aw/trufflehog | ||
| SCAN_DIR="/tmp/gh-aw" | ||
| OUTPUT_FILE="/tmp/gh-aw/trufflehog/agent-output-results.jsonl" | ||
| if [ -d "$SCAN_DIR" ] && find "$SCAN_DIR" -mindepth 1 -maxdepth 1 -quit 2>/dev/null | grep -q .; then | ||
| echo "Scanning agent output in $SCAN_DIR" | ||
| trufflehog filesystem "$SCAN_DIR" \ | ||
| --json --no-update --fail \ | ||
| --exclude-paths /tmp/gh-aw/cache-memory \ | ||
| --exclude-paths /tmp/gh-aw/repo-memory \ | ||
| --exclude-paths /tmp/gh-aw/trufflehog \ | ||
| 2>/dev/null | tee "$OUTPUT_FILE" || SCAN_EXIT=${PIPESTATUS[0]} | ||
| SCAN_EXIT=${SCAN_EXIT:-0} | ||
| else | ||
| echo "Agent output directory is empty or missing, skipping" | ||
| SCAN_EXIT=0 | ||
| fi | ||
| if [ "$SCAN_EXIT" -eq 183 ]; then | ||
| echo "secrets_found=true" >> "$GITHUB_OUTPUT" | ||
| fi | ||
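Review bot: The non-empty check find "$SCAN_DIR" -mindepth 1 -maxdepth 1 -quit 2>/dev/null | grep -q . never prints anything, because -quit exits on the first matching entry before any implicit -print runs; grep -q . therefore always fails, the else branch is taken every time, and the step logs "Agent output directory is empty or missing, skipping" with SCAN_EXIT=0 even when /tmp/gh-aw is full. Use -print -quit. Separately, "|| SCAN_EXIT=${PIPESTATUS[0]}" only executes when the pipeline as a whole fails, which without pipefail (the step's shell setting is not visible in this hunk) is tee's status, so a 183 from trufflehog is normally lost and SCAN_EXIT stays 0; capture ${PIPESTATUS[0]} unconditionally on the line after the pipeline (or set -o pipefail), treat codes other than 0/183 as a scan error rather than clean, and drop 2>/dev/null so the reason is visible in the log.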
| - name: Scan cache-memory for secrets | ||
| id: scan-cache-memory | ||
| continue-on-error: true | ||
| run: | | ||
| mkdir -p /tmp/gh-aw/trufflehog | ||
| SCAN_DIR="/tmp/gh-aw/cache-memory" | ||
| OUTPUT_FILE="/tmp/gh-aw/trufflehog/cache-memory-results.jsonl" | ||
| if [ -d "$SCAN_DIR" ] && find "$SCAN_DIR" -mindepth 1 -maxdepth 1 -quit 2>/dev/null | grep -q .; then | ||
| echo "Scanning cache-memory in $SCAN_DIR" | ||
| trufflehog filesystem "$SCAN_DIR" --json --no-update --fail 2>/dev/null | tee "$OUTPUT_FILE" || SCAN_EXIT=${PIPESTATUS[0]} | ||
| SCAN_EXIT=${SCAN_EXIT:-0} | ||
| else | ||
| echo "cache-memory directory is empty or missing, skipping" | ||
| SCAN_EXIT=0 | ||
| fi | ||
| if [ "$SCAN_EXIT" -eq 183 ]; then | ||
| echo "secrets_found=true" >> "$GITHUB_OUTPUT" | ||
| fi |
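Review bot: Same find ... -quit | grep -q . and "|| SCAN_EXIT=${PIPESTATUS[0]}" pattern as in the agent-output scan step, with the same consequences: -quit without -print emits nothing so this step always takes the "cache-memory directory is empty or missing, skipping" branch, and the exit code is only captured when tee fails. Apply the -print -quit and unconditional ${PIPESTATUS[0]} fixes here and in the repo-memory step as well.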
@copilot merge main and recompile
…g-secret-detection # Conflicts: # .github/workflows/smoke-codex.lock.yml Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/bba9fa15-76e4-4647-8ecc-eea1a79bc66d Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in b493ca6 — merged.
Warning: Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
🚀 Smoke OpenCode MISSION COMPLETE! OpenCode delivered. 🔥
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Codex smoke: FAIL
Warning: Firewall blocked 2 domains. The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "chatgpt.com"
See Network Configuration for more information.
Comment Memory
Note: This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.
Warning: Firewall blocked 2 domains. The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "chatgpt.com"
See Network Configuration for more information.
Commit pushed:
👻 The smoke test agent was here! Passing through like a friendly ghost in the machine. All systems nominal, all tests run, nothing to see here... except maybe some ✅ vibes! 🤖💨
🎉 Smoke test complete! The Copilot agent swooped in, ran all the tests, found 8 Config symbols in your Go codebase, built the binary successfully, and is now moonwalking out the door. See you next run! 🕺🤖
Reviewed PR #29512: Add TruffleHog shared agentic workflow. The implementation looks solid - clean separation as a shared workflow, proper artifact downloading, and good use of continue-on-error for resilience. Left 2 inline comments on minor improvement opportunities.
📰 BREAKING: Report filed by Smoke Copilot · ● 1.3M
| runs-on: ubuntu-latest | ||
| needs: [agent, detection] | ||
| if: always() && needs.agent.result != 'skipped' && needs.detection.result != 'skipped' | ||
| permissions: |
The if: always() condition is good, but consider also checking needs.agent.outputs.artifact_uploaded == true to avoid wasted scans when no artifact was produced.
| - shared/gh.md | ||
| - shared/reporting-otlp.md | ||
| - shared/mcp/serena-go.md | ||
| - shared/trufflehog.md |
Adding shared/trufflehog.md as an import is clean. Make sure any required secrets (e.g., GITHUB_TOKEN) are documented in the workflow's secrets section.
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
💥 Smoke Test Results — Run 25212030870
Status: PARTIAL (15✅ 2❌ 2) Core (#1–12): ✅✅ PR Review (#13–19): ✅ Failures: mcpscripts
💥 Automated smoke test review - all systems nominal! (Run 25212030870)
💥 [THE END] — Illustrated by Smoke Claude · ● 283.7K
| jobs: | ||
| trufflehog_scan: | ||
| runs-on: ubuntu-latest | ||
| needs: [agent, detection] |
🔬 Smoke Test Review Comment — The needs: [agent, detection] dependency ensures TruffleHog runs only after the agent has produced its output artifacts. This is a sound pattern for security scanning jobs. Consider also adding update_cache_memory to needs if cache artifacts need scanning, or document why they're excluded.
| if: always() && needs.trufflehog_scan.result == 'failure' && needs.trufflehog_scan.outputs.secrets_found == 'true' | ||
| continue-on-error: true | ||
| uses: actions/github-script@v9 | ||
| env: |
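Review bot: The pre-step condition requires both needs.trufflehog_scan.result == 'failure' and needs.trufflehog_scan.outputs.secrets_found == 'true', so a scan job that fails for any other reason (installer download failure, TruffleHog crash, exit 1 before the output is set) produces no issue and no comment; the failure is visible only in the job log. Since the point of this step is an extensible failure report, suggest a second branch (or a relaxed condition on result == 'failure') that reports "secret scan did not complete" distinctly from "secrets found", otherwise scanner outages are silent. Also, continue-on-error: true on this reporting step means a failed github-script call hides the detection itself; consider letting it fail the conclusion job.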
🔬 Smoke Test Review Comment — The if: always() guard on the Upload step ensures scan results are preserved even when the evaluate step exits with code 1. This is excellent practice for post-failure forensics. The if-no-files-found: ignore option also prevents false failures when scanned directories were empty.
Summary
Adds a new shared agentic workflow shared/trufflehog.md that integrates TruffleHog secret scanning as a dedicated separate job that runs after the detection job. The workflow is imported into smoke-codex.
Changes
New: .github/workflows/shared/trufflehog.md
A reusable shared workflow that adds a trufflehog_scan job to any workflow that imports it:
- trufflehog_scan runs after agent and detection complete (needs: [agent, detection])
- Downloads the agent, cache-memory, and repo-memory artifacts (continue-on-error: true)
- Scans /tmp/gh-aw/ (agent output and code patches), /tmp/gh-aw/cache-memory/ and /tmp/gh-aw/repo-memory/
- Sets the secrets_found=true output and fails the job (exit 1) if secrets are detected
- Uploads results as the trufflehog-scan-results artifact
Markdown documentation is wrapped in <!-- ... --> XML comments.
Modified: .github/workflows/smoke-codex.md
Added - shared/trufflehog.md to the imports list.
Recompiled: .github/workflows/smoke-codex.lock.yml
Lock file recompiled to include the new trufflehog_scan job and conclusion pre-step.
How secrets notify the conclusion job
When TruffleHog detects secrets, the trufflehog_scan job fails. The conclusion job automatically depends on all jobs (via ensureConclusionIsLastJob) and runs a dedicated pre-step "Report TruffleHog secret scan failure" that:
- runs only when needs.trufflehog_scan.result == 'failure' && needs.trufflehog_scan.outputs.secrets_found == 'true'
- creates an issue titled 🔐 Secrets detected in workflow run: <name> #<run> with the affected locations, run URL, and instructions to rotate credentials
This is an extensible pattern: other security tools can follow the same approach (separate job + jobs.conclusion.pre-steps entry) without any compiler changes.
Usage in other workflows
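Added here as an example, not code from the PR or from gh-aw: a scan step body that only skips when the directory really is empty, keeps TruffleHog's own exit code although its output is piped through tee, and separates "clean", "secrets found" (exit 183) and "scan did not complete" so the conclusion job can report each. The trufflehog function is a constructed stub driven by TRUFFLEHOG_STUB_EXIT so the script runs offline; run_scan, emit_outputs, scan_step and the scan_error output name are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not the PR's code). A constructed "trufflehog" stub replaces the
# real binary: TRUFFLEHOG_STUB_EXIT selects its exit code (0 clean, 183 findings).
trufflehog() {
  echo '{"DetectorName":"Constructed","SourceMetadata":{"Data":{"Filesystem":{"file":"/tmp/example"}}}}'
  return "${TRUFFLEHOG_STUB_EXIT:-0}"
}

# run_scan DIR OUTPUT_FILE -> prints: skipped | clean | secrets_found | scan_error
run_scan() {
  scan_dir="$1"; output_file="$2"
  # -print must precede -quit: -quit alone exits before anything is printed,
  # so grep would never match and every directory would look empty.
  if [ ! -d "$scan_dir" ] || ! find "$scan_dir" -mindepth 1 -maxdepth 1 -print -quit 2>/dev/null | grep -q .; then
    echo skipped
    return 0
  fi
  status_file="${output_file}.status"
  # The scanner's exit code is recorded inside the pipeline, so tee's status
  # (always 0) cannot mask it; stderr is kept so scanner errors reach the job log.
  { set +e; trufflehog filesystem "$scan_dir" --json --no-update --fail; echo "$?" > "$status_file"; } \
    | tee "$output_file" >/dev/null
  scan_exit=$(cat "$status_file")
  case "$scan_exit" in
    0)   echo clean ;;          # no findings
    183) echo secrets_found ;;  # TruffleHog's --fail exit code when results exist
    *)   echo scan_error ;;     # CLI/runtime failure: must never be reported as clean
  esac
}

# emit_outputs OUTCOME FILE: append step outputs in GITHUB_OUTPUT format.
emit_outputs() {
  case "$1" in
    secrets_found) printf 'secrets_found=true\nscan_error=false\n' >> "$2" ;;
    scan_error)    printf 'secrets_found=false\nscan_error=true\n' >> "$2" ;;
    *)             printf 'secrets_found=false\nscan_error=false\n' >> "$2" ;;
  esac
}

# scan_step DIR OUTPUT_FILE GITHUB_OUTPUT_FILE: what a step's run: block would call.
# Exit status 0 = clean or skipped, 1 = secrets found, 2 = scan did not complete.
scan_step() {
  outcome=$(run_scan "$1" "$2")
  echo "scan of $1: $outcome"
  emit_outputs "$outcome" "$3"
  case "$outcome" in secrets_found) return 1 ;; scan_error) return 2 ;; *) return 0 ;; esac
}
```

In a real step the stub is removed and the installed binary is used; the distinct scan_error output lets a conclusion pre-step report an incomplete scan separately from a detection.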
Changeset
Warning: Firewall blocked 2 domains
The following domains were blocked by the firewall during workflow execution: ab.chatgpt.com, chatgpt.com. See Network Configuration for more information.
✨ PR Review Safe Output Test - Run 25212030870