Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/workflows/secrets-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,5 +24,7 @@ jobs:
security-events: write
actions: read
pull-requests: read
with:
fail-on-findings: true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Don't leave docs-only PRs outside enforcement

This only makes Titus fail when the reusable workflow actually runs, but I checked the pinned titus-scan.yml and its preflight sets should_scan=false for PRs whose changed files are all *.md, *.txt, images, LICENSE, or under docs/. In those PRs, fail-on-findings is never evaluated, so a secret added to README.md or docs/... can still pass the PR checks in this public repo and only be discovered after merge by the push/scheduled scan. If the goal is fail-closed on secret introductions, the caller needs a workflow/version/path that scans those PRs too.

Useful? React with 👍 / 👎.

secrets: inherit

Loading