From f4d38d296dbc6910e9650ec906161ae04db9a161 Mon Sep 17 00:00:00 2001
From: Joonas Hiltunen
Date: Sat, 13 Dec 2025 12:15:09 +0200
Subject: [PATCH] Add shared secret scanner
---
 .github/workflows/shared-secret-scan.yml | 77 ++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 .github/workflows/shared-secret-scan.yml
diff --git a/.github/workflows/shared-secret-scan.yml b/.github/workflows/shared-secret-scan.yml
new file mode 100644
index 0000000..2c4c44d
--- /dev/null
+++ b/.github/workflows/shared-secret-scan.yml
@@ -0,0 +1,77 @@
+name: Shared secret scan
+# Note: Use this only for the private repositories and
+# use the GHAS secret scanning for public ones
+
+on:
+ workflow_call:
+ inputs:
+ send_email_alert:
+ description: "Whether to send email alerts"
+ type: boolean
+ required: false
+ default: false
+ send_slack_alert:
+ description: "Whether to send Slack alerts"
+ type: boolean
+ required: false
+ default: false
+ secrets:
+ EMAIL_USERNAME:
+ description: "Email username for sending alerts"
+ required: true
+ EMAIL_PASSWORD:
+ description: "Email password for sending alerts"
+ required: true
+ ALERT_EMAIL_RECIPIENT:
+ description: "Email address to send alerts to"
+ required: false
+ ALERT_SLACK_CHANNEL_EMAIL:
+ description: "Slack channel email address to send alerts to"
+ required: false
+
+permissions:
+ contents: read
+
+jobs:
+ trufflehog-scan:
+ name: Trufflehog Secret Scanning
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Secret Scanning
+ uses: trufflesecurity/trufflehog@05cccb53bc9e13bc6d17997db5a6bcc3df44bf2f # v3.92.3
+ with:
+ extra_args: --results=verified,unverified,unknown
+
+ send-alerts:
+ name: Send ${{ matrix.alert_type }} alert
+ needs: trufflehog-scan
+ runs-on: ubuntu-24.04
+ if: failure()
+ strategy:
+ matrix:
+ include:
+ - alert_type: email
+ enabled: ${{ inputs.send_email_alert }}
+ - alert_type: slack
+ enabled: ${{ inputs.send_slack_alert }}
+ steps:
+ - name: Send alert
+ if: matrix.enabled
+ uses: dawidd6/action-send-mail@6d98ae34d733f9a723a9e04e94f2f24ba05e1402 # v6
+ with:
+ server_address: smtp.gmail.com
+ server_port: 465
+ secure: true
+ username: ${{ secrets.EMAIL_USERNAME }}
+ password: ${{ secrets.EMAIL_PASSWORD }}
+ subject: "Secrets found in ${{ github.repository }}!"
+ to: ${{ matrix.alert_type == 'email' && secrets.ALERT_EMAIL_RECIPIENT || secrets.ALERT_SLACK_CHANNEL_EMAIL }}
+ from: ${{ secrets.EMAIL_USERNAME }}
+ body: |
+ Trufflehog has detected potential secrets in the repository ${{ github.repository }}!
+ Please review the scan results in the GitHub Actions logs ASAP and take appropriate action.
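Review bot: The `send-alerts` job is gated only on `if: failure()`, so the "Secrets found in …" email goes out whenever `trufflehog-scan` fails for any reason — a checkout error, a runner problem or the action failing to fetch — not only when the scanner reports findings, which trains recipients to ignore the alert. Give the scan step an `id`, export its outcome as a job output and gate the alert on that, as sketched below; `!cancelled()` is needed because dependent jobs are skipped by default when a needed job fails, and job outputs should still be populated when the job fails, but confirm that with a deliberate test run before relying on it. Separately, the `to:` expression uses the `a && b || c` idiom, so a caller that enables email alerts without supplying `ALERT_EMAIL_RECIPIENT` silently sends the alert to the Slack channel address instead; guard the step with `if: matrix.enabled && ((matrix.alert_type == 'email' && secrets.ALERT_EMAIL_RECIPIENT != '') || (matrix.alert_type == 'slack' && secrets.ALERT_SLACK_CHANNEL_EMAIL != ''))` or split it into two steps with explicit recipients. Also `actions/checkout@v6` is pinned by a mutable tag while the other two actions are pinned by commit SHA; pin it the same way for a consistent supply-chain posture.
```yaml
  trufflehog-scan:
    # … unchanged: name, runs-on …
    outputs:
      scan_outcome: ${{ steps.scan.outcome }}
    steps:
      # … unchanged: checkout step …
      - name: Secret Scanning
        id: scan
        uses: trufflesecurity/trufflehog@05cccb53bc9e13bc6d17997db5a6bcc3df44bf2f # v3.92.3
        # … unchanged: with/extra_args …

  send-alerts:
    # … unchanged: name, needs, runs-on …
    # alert only when the scanner step itself failed, not on checkout/runner errors
    if: ${{ !cancelled() && needs.trufflehog-scan.outputs.scan_outcome == 'failure' }}
    # … unchanged: strategy and steps …
```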