Update README.md. Version 1.0.28 #781
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| push: | |
| name: Secret Leaks | |
| jobs: | |
| trufflehog: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Secret Scanning | |
| uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # main | |
| with: | |
| # Only fail on verified secrets. Avoids CI breakage from unverified false positives | |
| # (e.g. high-entropy base64 blobs in old notebook output cells) surfaced by full-tree | |
| # scans when scanner detectors change. See PR #2708 discussion. | |
| # 'unknown' = real candidates whose live verification errored (e.g. provider | |
| # unreachable), so we still fail on maybe-real secrets; 'unverified' (the noisy | |
| # false-positive bucket) is deliberately excluded. | |
| # NOTE: use --results=..., not the deprecated/undocumented --only-verified alias. | |
| extra_args: --results=verified,unknown |