From 0eb2070f5aac72a9645e0f95728050e357805913 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 8 Mar 2026 19:20:36 +0000
Subject: [PATCH 1/3] Initial plan


From 1344aa3d0b2b0aaf921caff390a9240e11ee4631 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 8 Mar 2026 19:24:07 +0000
Subject: [PATCH 2/3] feat: add secret scanning workflow and update security
 docs

Co-authored-by: jrodeiro5 <165810055+jrodeiro5@users.noreply.github.com>
---
 .github/workflows/secret-scanning.yml | 25 +++++++++++++++++++++++++
 SECURITY.md                           |  4 ++++
 2 files changed, 29 insertions(+)
 create mode 100644 .github/workflows/secret-scanning.yml

diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml
new file mode 100644
index 0000000..dcc701a
--- /dev/null
+++ b/.github/workflows/secret-scanning.yml
@@ -0,0 +1,25 @@
+name: "Secret Scanning"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  secret-scan:
+    name: Scan for Secrets
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: TruffleHog Secret Scan
+        uses: trufflesecurity/trufflehog@v3.88.0
+        with:
+          extra_args: --results=verified,unknown
diff --git a/SECURITY.md b/SECURITY.md
index 6ffc2c1..71fc0d8 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -78,6 +78,10 @@ We follow responsible disclosure practices:
 5. **Release** → We deploy the fix and notify affected users
 6. **Disclosure** → We publicly disclose the issue after users have had time to update
 
+## 🔍 Automated Secret Scanning
+
+All pushes to `main` and pull requests are automatically scanned for sensitive data using [TruffleHog](https://github.com/trufflesecurity/trufflehog). This ensures that secrets such as API keys, tokens, passwords, and private keys are never committed to the repository.
+
 ## 📋 Security Checklist for Contributors
 
 If you're contributing to Addocu, please ensure:

From 120be819b98aeff3d491b75dcf05913ad1d949e0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 8 Mar 2026 19:25:15 +0000
Subject: [PATCH 3/3] refine: remove results filter for comprehensive secret
 scanning

Co-authored-by: jrodeiro5 <165810055+jrodeiro5@users.noreply.github.com>
---
 .github/workflows/secret-scanning.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml
index dcc701a..cab663c 100644
--- a/.github/workflows/secret-scanning.yml
+++ b/.github/workflows/secret-scanning.yml
@@ -21,5 +21,3 @@ jobs:
 
       - name: TruffleHog Secret Scan
         uses: trufflesecurity/trufflehog@v3.88.0
-        with:
-          extra_args: --results=verified,unknown