From 346da7b11f27092778782ef6e68b7f33079ef803 Mon Sep 17 00:00:00 2001
From: Peter Kazazes
Date: Wed, 27 Aug 2025 17:46:14 -0700
Subject: [PATCH] Update TruffleHog workflow for PR scanning

---
 .github/workflows/trufflehog.yml | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index da6161d..53b98f7 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -1,23 +1,36 @@
 name: trufflehog-scan
+
 on:
   pull_request_target:
     types: [opened, synchronize, reopened, ready_for_review]
+
 permissions:
   contents: read
+
 jobs:
   trufflehog:
     name: TruffleHog Secret Scan
     runs-on: ubuntu-latest
+
     steps:
-      - name: Checkout PR HEAD (no credentials)
+      # Check out the PR's HEAD from the source repo (works for forks), no token persisted
+      - name: Checkout PR HEAD (fork-safe)
         uses: actions/checkout@v4
         with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
+          fetch-depth: 0
+
+      # Ensure the base commit exists locally for the diff
+      - name: Fetch base commit
+        run: |
+          git fetch --no-tags --prune --depth=1 origin +${{ github.event.pull_request.base.sha }}:refs/heads/__base
+
+      # Run TruffleHog on the PR diff; pass flags via extra_args (per Marketplace)
       - name: Run TruffleHog on PR diff
         uses: trufflesecurity/trufflehog@v3.90.5
         with:
-          base: ${{ github.event.pull_request.base.sha }}
-          head: ${{ github.event.pull_request.head.sha }}
-          redact: true
-          fail: true
+          base: __base
+          head: HEAD
+          extra_args: "--fail --redact --results=verified,unknown"
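Review bot: In the new `Fetch base commit` step, `origin` now points at the fork named by `repository:` in the preceding checkout, so `git fetch … origin +<base.sha>:refs/heads/__base` may fail whenever the upstream base branch has commits the fork has not pulled; fetch the base commit from the upstream repository explicitly, e.g. `git fetch --no-tags --prune --depth=1 "${{ github.server_url }}/${{ github.repository }}" "+${{ github.event.pull_request.base.sha }}:refs/heads/__base"`. Pairing `pull_request_target` with a checkout of the PR head is acceptable here only because the job holds `contents: read`, persists no credentials and its steps merely read the checked-out tree, and that invariant deserves a comment above `steps:` such as `# SECURITY: pull_request_target runs in base-repo context with the untrusted PR tree checked out. Never add a step that executes code from that tree (build, test, install scripts) and keep permissions read-only.` The `base.sha` expression interpolated into `run:` is a commit hash rather than free-form PR text, so it does not open a script-injection surface, but passing it through an `env:` variable would keep the step aligned with the usual guidance for expressions in shell.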