
[codex] Add secret scanning guardrail #66 (Open)

authenticarc wants to merge 2 commits into BAWES-Universe:master from authenticarc:codex/secret-scan-guardrail
Conversation

@authenticarc

@authenticarc authenticarc commented May 14, 2026

/claim #55

Summary

  • add a TruffleHog GitHub Actions workflow for pull requests and pushes to master
  • scan only the new PR/push change range for verified secrets, so existing remediation work is not blocked by legacy findings already being cleaned up in separate PRs
  • document the maintainer-side GitHub secret scanning and push protection settings
  • narrowly unignore .github/workflows/*.yml so the workflow can be tracked without opening up all .github/ files

Scope

This is a non-overlapping Phase 9 guardrail slice. It does not touch AWS/IAM, live buckets, bucket policies, candidate data, existing credential values, or the Civil ID/S3/SQS/MediaConvert/SES/Xero slices already covered by other PRs.

Validation

  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/secret-scan.yml"); puts "yaml ok"'
  • git diff --cached --check

I did not include a live-data demo because this PR is CI/docs-only and intentionally avoids authenticated production flows, AWS resources, candidate records, or secret values.

Summary by CodeRabbit

  • Documentation

    • Added security guidance describing repository secret-scanning behavior and how to handle detections.
  • Chores

    • Enabled automated secret-scanning in CI for pull requests and main-branch pushes.
    • Ensured repository workflow configurations are tracked so scans run as intended.


@coderabbitai

coderabbitai Bot commented May 14, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 28a9dff and bb22ac8.

📒 Files selected for processing (1)
  • .github/workflows/secret-scan.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/secret-scan.yml

Walkthrough

Adds repository secret-scanning: a GitHub Actions workflow that runs TruffleHog on PRs, master pushes, and manual runs; updates .gitignore to track workflow files; and adds docs describing the workflow scope and incident response steps.

Changes

Secret Scanning Implementation

Layer / File(s) / Summary

  • Workflow: trigger and job (.github/workflows/secret-scan.yml)
    New GitHub Actions workflow triggered on pull_request, push (master), and workflow_dispatch; runs trufflesecurity/trufflehog@v3.95.3 with event-specific base/head and --results=verified.
  • Checkout and permissions (.github/workflows/secret-scan.yml)
    Checks out the repo with fetch-depth: 0 (full history) and grants minimal permissions (contents: read).
  • Repository ignore rules (.gitignore)
    Added negation patterns so that .github/, .github/workflows/, and workflow YAML files are tracked.
  • Documentation and response guidance (docs/security/secret-scanning.md)
    New documentation describing the workflow scope, maintainer enablement steps for GitHub Secret Scanning and Push Protection, and detection handling/redaction guidance.

Sequence Diagram

sequenceDiagram
  participant GH as GitHub (event)
  participant Runner as Actions Runner
  participant Truffle as TruffleHog
  participant Maint as Maintainer

  GH->>Runner: push / pull_request / manual dispatch
  Runner->>Runner: checkout repo (fetch-depth: 0)
  Runner->>Truffle: run scan (base/head per event, --results=verified)
  Truffle-->>Runner: scan results (verified)
  Runner->>GH: write workflow logs/artifacts
  alt verified findings
    GH->>Maint: alert / workflow output references (no raw secret)
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 I hop through commits with a nose so keen,
Sniffing for secrets where they might have been,
TruffleHog helps me dig, but shows only the key,
Keep workflows in sight and safe we will be! 🥕

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title '[codex] Add secret scanning guardrail' directly and accurately summarizes the main change: adding a secret scanning security guardrail via a GitHub Actions workflow, documentation, and .gitignore update.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/secret-scan.yml (1)

46-47: 💤 Low value

Consider using github.sha instead of github.ref_name for consistency.

For new branch tips, the head parameter uses github.ref_name (the branch name) while other steps use SHAs. TruffleHog likely accepts both, but using github.sha would be more consistent with the other scan steps and explicitly references the commit SHA.

♻️ Proposed change for consistency
       - name: Scan new branch tip
         if: github.event_name == 'push' && github.event.before == '0000000000000000000000000000000000000000'
         uses: trufflesecurity/trufflehog@v3.95.3
         with:
           path: ./
           base: ""
-          head: ${{ github.ref_name }}
+          head: ${{ github.sha }}
           extra_args: --results=verified
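Review bot: with base left empty, the "Scan new branch tip" step scans the whole history reachable from the tip rather than a change range, which is at odds with the PR summary's goal of scanning only the new push range so that legacy findings do not block the pipeline; since the push trigger is limited to master, this step only fires when master itself is first created, so either drop it or state in docs/security/secret-scanning.md that this path is a full-history scan. The github.sha swap itself is correct: github.ref_name is a branch name while the other steps pass commit SHAs, and a SHA pins the scan to the exact commit that triggered the run.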


📥 Commits

Reviewing files that changed from the base of the PR and between 7b023ff and 28a9dff.

📒 Files selected for processing (3)
  • .github/workflows/secret-scan.yml
  • .gitignore
  • docs/security/secret-scanning.md

@authenticarc (Author)

Thanks for the review pass. I addressed the CodeRabbit consistency nit in bb22ac8 and both GitGuardian and CodeRabbit are green again.

This remains a CI/docs-only Phase 9 guardrail slice. I did not include a video because there is no user-facing flow and the PR intentionally avoids live AWS/IAM, bucket policy, candidate data, or secret values. If you need a different proof format for this guardrail slice, I can add one.
