feat(trufflehog): global exclude file, vendor skip, org wrapper comments#137
Draft
isaiah-grafana wants to merge 13 commits intomainfrom
Draft
feat(trufflehog): global exclude file, vendor skip, org wrapper comments#137isaiah-grafana wants to merge 13 commits intomainfrom
isaiah-grafana wants to merge 13 commits intomainfrom
Conversation
- Add trufflehog/global-exclude.txt as single place to edit shared patterns - Fetch excludes via sparse checkout of security-github-actions (ref main) - Copy to /tmp for TruffleHog; exclude .trufflehog-shared from scans - Skip vendor/ paths in PR changed-file loop - Fix org-required-trufflehog.yml comments to match fail-on flags Made-with: Cursor
…ack) - Drop sparse checkout + sed; fetch global-exclude.txt via GitHub API then raw URL - Fallback heredoc matches trufflehog/global-exclude.txt when both fail - Remove obsolete .trufflehog-shared exclude; clarify how to edit org-wide patterns Made-with: Cursor
… FPs) Made-with: Cursor
- Add Python helper to classify paths vs exclude file (mirrors workflow rules) - PR: print exclusion report before scan; skip exclude-regex paths with reason - Push: sample tracked paths matching exclude regexes before full scan Made-with: Cursor
…ite dashboards) Made-with: Cursor
TruffleHog often sees repo-relative paths like ./content/grafana/...; (^|[/\\])content did not match. Use (^|\.\/|[/\\]) for segment boundary. Made-with: Cursor
- Add trufflehog/prefixes.txt (plain directory prefixes) and build_exclude_file.py - Regenerate global-exclude.txt; workflow can rebuild from script+prefixes if artifact missing - Last-resort heredoc synced to builder output; STATIC_PATTERNS live in the script Made-with: Cursor
Made-with: Cursor
… no ?.) jq has no !(); negation is (...)|not. Optional chaining ?. needs jq 1.7+. Fixes jq compile error after verified secret in PR scan. Made-with: Cursor
Made-with: Cursor
Remove vendor and content/about/404.md from generated excludes; lockfile patterns unchanged in build_exclude_file.py. Made-with: Cursor
…ile, merge main - Prefer fetch build_exclude_file.py + prefixes.txt and run Python (source of truth) - global-exclude.txt is optional snapshot; document one-step flow in prefixes.txt Made-with: Cursor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Made-with: Cursor