secrets-scanning.yml

name: TruffleHog Scan

on:
  push:
    branches:
      - main
      - master
  pull_request:

env:
  DEPTH: 2
  branch: main

jobs:
  SecurityScan:
    runs-on: ubuntu-latest
    steps:
      - name: shallow clone 
        shell: bash
        run: |
          if [ "${{ github.event_name }}" == "push" ]; then
            echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
            echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
          fi
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
            echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
          fi

      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
        with:
          ref: ${{env.branch}}
          fetch-depth: ${{env.depth}}

      - uses: trufflesecurity/trufflehog@d0d59c2e77cbdddf892c1b8c61b8c94b461d7f92 # v3.72.0
        with:
          extra_args: --only-verified