feat: add global TruffleHog exclusions (#104)

Use TruffleHog's native --exclude-paths flag to exclude common false positives:
- go.sum, go.mod (Go checksums)
- package-lock.json, yarn.lock, pnpm-lock.yaml (Node.js)
- poetry.lock, Pipfile.lock, uv.lock (Python)
- Cargo.lock (Rust)
- Gemfile.lock (Ruby)

Benefits:
- Centrally managed in security-github-actions workflow
- Uses TruffleHog's native exclusion mechanism
- No per-repo configuration needed
- Addresses developer feedback about false positives in lock files

Author: isaiah-grafana

.github/workflows/reusable-trufflehog.yml

@@ -55,6 +55,30 @@ jobs:
           sudo chmod +x /usr/local/bin/trufflehog
           trufflehog --version
 
+      - name: Create global exclusions
+        run: |
+          # Create centralized exclusion patterns for common false positives
+          cat > /tmp/trufflehog-exclude.txt <<'EOF'
+          # Lock files and checksums (contain hashes, not secrets)
+          path:go\.sum$
+          path:go\.mod$
+          # Dependency manifests (contain URLs that trigger false positives)
+          path:package\.json$
+          path:package-lock\.json$
+          path:pnpm-lock\.yaml$
+          path:yarn\.lock$
+          path:poetry\.lock$
+          path:Pipfile\.lock$
+          path:uv\.lock$
+          path:Cargo\.lock$
+          path:Gemfile\.lock$
+          # Grafana plugin metadata
+          path:grafana\.json$
+          EOF
+
+          echo "Created global exclusion patterns:"
+          cat /tmp/trufflehog-exclude.txt
+
       - name: Scan for secrets
         id: scan
         run: |
@@ -68,9 +92,20 @@ jobs:
 
             if [[ -s changed-files.txt ]]; then
               while IFS= read -r file; do
+                # Get just the filename
+                filename=$(basename "$file")
+
+                # Skip excluded files (use case statement for cleaner matching)
+                case "$filename" in
+                  go.sum|go.mod|package.json|package-lock.json|pnpm-lock.yaml|yarn.lock|poetry.lock|Pipfile.lock|uv.lock|Cargo.lock|Gemfile.lock|grafana.json)
+                    echo "Skipping: ${file} (excluded manifest/lock file)"
+                    continue
+                    ;;
+                esac
+
                 if [[ -f "${file}" ]]; then
                   echo "Scanning: ${file}"
-                  trufflehog filesystem "${file}" --json --no-update --results=verified,unverified >> results.ndjson || true
+                  trufflehog filesystem "${file}" --exclude-paths /tmp/trufflehog-exclude.txt --json --no-update --results=verified,unverified >> results.ndjson || true
                 fi
               done < changed-files.txt
             else
@@ -79,7 +114,7 @@ jobs:
           else
             # Push to main: Scan current filesystem
             echo "Scanning current filesystem..."
-            trufflehog filesystem . --json --no-update --results=verified,unverified > results.ndjson || true
+            trufflehog filesystem . --exclude-paths /tmp/trufflehog-exclude.txt --json --no-update --results=verified,unverified > results.ndjson || true
           fi
 
           # Process results