
ci(security): pin trufflesecurity/trufflehog@v3.88.18 #4

Open

gapview01 wants to merge 1 commit into main from iac/pin-trufflehog-v3.88.18

Conversation

@gapview01
Member

Summary

  • Pin trufflesecurity/trufflehog@main@v3.88.18 in .github/workflows/*.yml
  • Closes operational risk surfaced by goblin_ui PR #425 on 2026-05-11 (502 pulling trufflehog:latest)
  • iac fleet sweep per po/docs/audits/pre-commit-hooks-bug-review-001.md v7 #42

Test plan

  • CI run on this PR proves the pinned tag resolves
  • Same @v3.88.18 adopted by goblin_ui (PR #425) + goblin_bot (PR #13354) + coordinator (PR #1701) + goblin_infra (this sweep)

🤖 Generated with Claude Code

@main was unstable: 2026-05-11 goblin_ui PR #425 hit a 502 pulling
trufflehog:latest, breaking the security/secrets job. Pin to v3.88.18
(same version goblin_ui and goblin_bot adopted) so the fleet's
secret-scan job has a deterministic image source.

iac fleet sweep per po/docs/audits/pre-commit-hooks-bug-review-001.md v7 #42.

Dispatched-By: iac

@chatgpt-codex-connector (Bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 231d04c353


Comment thread: .github/workflows/ci.yml, lines +89 to 91

```yaml
uses: trufflesecurity/trufflehog@v3.88.18
with:
  extra_args: --only-verified
```


P2: Pin the TruffleHog CLI image as well

This pins the composite action wrapper, but the v3.88.18 action still defaults its version input to latest and runs ghcr.io/trufflesecurity/trufflehog:${VERSION}; I checked https://raw.githubusercontent.com/trufflesecurity/trufflehog/v3.88.18/action.yml. In the security/secrets job, because no version: is supplied under with:, CI will continue pulling the mutable trufflehog:latest image, so the 502/immutability risk this commit is meant to remove remains. Add version: 3.88.18 (or another pinned image tag) alongside extra_args.

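The review above points at a gap a fleet sweep like this one should check for mechanically: a pinned `uses:` ref is not enough if the action's own `version` input is left at its default. The following checker is an added example, not code from this PR or from the trufflehog project. It reads workflow text with a small indentation-based reader (so it needs only the standard library rather than a YAML parser), finds every `trufflesecurity/trufflehog` step, and flags a `uses:` ref that is not a version tag or full commit SHA, a missing `version` input (which, per the review comment, means the action pulls `latest`), and a `version` that is itself a mutable tag. The three sample workflows are constructed for the example; the job and step names in them are assumptions.

```python
"""Audit GitHub Actions workflows for TruffleHog steps that still resolve to a
mutable container image.

Added example, not code from the PR or from the trufflehog project. The sample
workflows below are constructed. The rule that a missing `version` input means
the action pulls `latest` follows the review comment (the action's default)."""
import re

ACTION = "trufflesecurity/trufflehog"
# A semver tag or a full commit SHA counts as a pin; anything else (a branch
# name such as main, or the literal "latest") is treated as mutable.
PINNED_REF = re.compile(r"^(v?\d+\.\d+\.\d+|[0-9a-f]{40})$")


def iter_steps(text):
    """Yield (line_no, lines) for each `- ...` item under a `steps:` key."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)steps:\s*$", lines[i])
        i += 1
        if not m:
            continue
        steps_indent = len(m.group(1))
        step_indent, current = None, None
        while i < len(lines):
            line = lines[i]
            if not line.strip() or line.lstrip().startswith("#"):
                i += 1
                continue
            indent = len(line) - len(line.lstrip())
            if indent <= steps_indent:
                break  # left the steps block
            if re.match(r"^\s*-\s", line) and step_indent in (None, indent):
                step_indent = indent
                if current:
                    yield current
                current = (i + 1, [line])
            elif current:
                current[1].append(line)
            i += 1
        if current:
            yield current


def parse_step(step_lines):
    """Return (uses, with_inputs) from the lines of one step."""
    uses, inputs = None, {}
    in_with, with_indent = False, 0
    for n, raw in enumerate(step_lines):
        # The first line carries the list dash; blank it so keys align.
        line = re.sub(r"^(\s*)-", r"\1 ", raw, count=1) if n == 0 else raw
        indent = len(line) - len(line.lstrip())
        if in_with and indent <= with_indent:
            in_with = False
        km = re.match(r"^([\w.-]+):\s*(.*)$", line.strip())
        if not km:
            continue
        key, value = km.group(1), km.group(2).strip().strip("\"'")
        if in_with:
            inputs[key] = value
        elif key == "uses":
            uses = value
        elif key == "with":
            in_with, with_indent = True, indent
    return uses, inputs


def audit(text):
    """One finding per TruffleHog step whose action ref or image tag can move."""
    findings = []
    for line_no, step in iter_steps(text):
        uses, inputs = parse_step(step)
        if not uses or not uses.startswith(ACTION + "@"):
            continue
        ref = uses.split("@", 1)[1]
        problems = []
        if not PINNED_REF.match(ref):
            problems.append(f"action ref '{ref}' is not a tag or commit SHA")
        version = inputs.get("version")
        if version is None:
            problems.append("no 'version' input, so the image tag defaults to latest")
        elif not PINNED_REF.match(version):
            problems.append(f"'version: {version}' is not a pinned image tag")
        if problems:
            findings.append({"line": line_no, "uses": uses, "problems": problems})
    return findings


# Constructed samples (assumed job/step names): the pre-PR state, the state
# after this commit, and the state the review asks for.
BEFORE_PR = """\
jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: trufflesecurity/trufflehog@main
        with:
          version: latest
          extra_args: --only-verified
"""
AFTER_PR = """\
name: ci
on: [push]
jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Secret scan
        uses: trufflesecurity/trufflehog@v3.88.18
        with:
          extra_args: --only-verified
"""
FIXED = AFTER_PR.replace("        with:\n          extra_args",
                         "        with:\n          version: 3.88.18\n          extra_args")

if __name__ == "__main__":
    for label, wf in (("before", BEFORE_PR), ("after PR", AFTER_PR), ("fixed", FIXED)):
        print(label, audit(wf))
```

The checker accepts a version tag as a pin, matching what this PR does; a git tag can still be re-pointed, so a full commit SHA on the `uses:` ref is the stricter choice when the fleet policy allows it. Running it over `.github/workflows/*.yml` across the sweep's repositories gives the same finding Codex raised here, with the line number of the offending step.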

