Skip to content
Latchkey

How to Scan Only the PR Diff for Secrets in CI

Scanning just the PR range keeps checks fast; the scanner inspects the commits between base and head, not the whole repo.

Compute the base and head SHAs from the event, then scan that commit range so a PR only pays for its own changes.

Steps

  • Check out enough history to reach the base commit.
  • Derive the base/head SHAs from github.event.
  • Pass the range to the scanner (for example TruffleHog --since-commit).

Workflow

.github/workflows/ci.yml
on: pull_request
jobs:
  diff-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Scan PR range
        run: |
          docker run --rm -v "$PWD:/repo" trufflesecurity/trufflehog:latest \
            git file:///repo \
            --since-commit ${{ github.event.pull_request.base.sha }} \
            --only-verified --fail

Gotchas

  • A diff-only scan can miss a secret already sitting in history; run a full scan on a schedule.
  • Force-pushes rewrite the range, so recompute the base rather than caching it.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →