modified secret scanning

deviant101 · deviant101 · commit 18125ff4d82e · 2025-11-23T02:10:31.000+05:00
diff --git a/.github/workflows/devsecops-pipeline.yml b/.github/workflows/devsecops-pipeline.yml
@@ -155,21 +155,23 @@ jobs:
         with:
           fetch-depth: 0  # Full history for secret scanning
 
-      - name: TruffleHog OSS
+      - name: TruffleHog OSS (Git History Scan)
+        id: trufflehog-git
         uses: trufflesecurity/trufflehog@main
-        continue-on-error: true  # Don't fail on first commit
+        continue-on-error: true  # Don't fail pipeline if BASE==HEAD or secrets found
         with:
           path: ./
           base: ${{ github.event.repository.default_branch }}
           head: HEAD
-          extra_args: --debug --only-verified
+          extra_args: --only-verified
 
-      - name: TruffleHog Filesystem Scan (fallback for single commits)
-        if: failure()  # Run if previous step failed
+      - name: TruffleHog Filesystem Scan (Fallback)
+        if: steps.trufflehog-git.outcome == 'failure'
         uses: trufflesecurity/trufflehog@main
+        continue-on-error: true  # Don't fail pipeline on secrets in filesystem scan
         with:
           path: ./
-          extra_args: --only-verified
+          extra_args: --only-verified --no-update
 
   # Stage 8: Docker Build and Push
   docker-build:
