How to Scan Only the PR Diff for Secrets in CI
Scanning just the PR range keeps checks fast; the scanner inspects the commits between base and head, not the whole repo.
Compute the base and head SHAs from the event, then scan that commit range so a PR only pays for its own changes.
Steps
- Check out enough history to reach the base commit.
- Derive the base/head SHAs from
github.event. - Pass the range to the scanner (for example TruffleHog
--since-commit).
Workflow
.github/workflows/ci.yml
on: pull_request
jobs:
diff-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan PR range
run: |
docker run --rm -v "$PWD:/repo" trufflesecurity/trufflehog:latest \
git file:///repo \
--since-commit ${{ github.event.pull_request.base.sha }} \
--only-verified --failGotchas
- A diff-only scan can miss a secret already sitting in history; run a full scan on a schedule.
- Force-pushes rewrite the range, so recompute the base rather than caching it.
Related guides
How to Scan Full Git History for Secrets in CIScan the entire commit history for leaked secrets in CI by checking out with fetch-depth 0, so a credential d…
How to Set Up detect-secrets With a Baseline in CIAdopt Yelp detect-secrets in CI by generating a .secrets.baseline of known findings, then failing the build o…