refactor(trufflehog): prefixes.txt + builder for exclude rules

- Add trufflehog/prefixes.txt (plain directory prefixes) and build_exclude_file.py
- Regenerate global-exclude.txt; workflow can rebuild from script+prefixes if artifact missing
- Last-resort heredoc synced to builder output; STATIC_PATTERNS live in the script

Made-with: Cursor

Author: isaiah-grafana

.github/workflows/reusable-trufflehog.yml

@@ -57,22 +57,43 @@ jobs:
           DEST=/tmp/trufflehog-exclude.txt
           REPO=grafana/security-github-actions
           REF=main
-          # Load trufflehog/global-exclude.txt from main (edit that file for org-wide excludes).
-          RAW_URL="https://raw.githubusercontent.com/grafana/security-github-actions/${REF}/trufflehog/global-exclude.txt"
+          # Prefer trufflehog/global-exclude.txt on main. To change rules: edit trufflehog/prefixes.txt
+          # and/or trufflehog/build_exclude_file.py, then: python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt
+          RAW_BASE="https://raw.githubusercontent.com/grafana/security-github-actions/${REF}/trufflehog"
+          RAW_URL="${RAW_BASE}/global-exclude.txt"
+          RAW_BUILD="${RAW_BASE}/build_exclude_file.py"
+          RAW_PREFIXES="${RAW_BASE}/prefixes.txt"
           if gh api "repos/${REPO}/contents/trufflehog/global-exclude.txt?ref=${REF}" \
               -H "Accept: application/vnd.github.v3.raw" -o "${DEST}" 2>/dev/null && [[ -s "${DEST}" ]]; then
             echo "Loaded exclude patterns from ${REPO}@${REF} (GitHub API)"
           elif curl -fsSL "${RAW_URL}" -o "${DEST}" 2>/dev/null && [[ -s "${DEST}" ]]; then
             echo "Loaded exclude patterns from raw.githubusercontent.com (${REF})"
+          elif gh api "repos/${REPO}/contents/trufflehog/build_exclude_file.py?ref=${REF}" \
+              -H "Accept: application/vnd.github.v3.raw" -o /tmp/trufflehog_build_exclude_file.py 2>/dev/null \
+            && gh api "repos/${REPO}/contents/trufflehog/prefixes.txt?ref=${REF}" \
+              -H "Accept: application/vnd.github.v3.raw" -o /tmp/trufflehog_prefixes.txt 2>/dev/null \
+            && python3 /tmp/trufflehog_build_exclude_file.py /tmp/trufflehog_prefixes.txt > "${DEST}" 2>/dev/null \
+            && [[ -s "${DEST}" ]]; then
+            echo "Built exclude file from build_exclude_file.py + prefixes.txt (${REPO}@${REF}, GitHub API)"
+          elif curl -fsSL "${RAW_BUILD}" -o /tmp/trufflehog_build_exclude_file.py 2>/dev/null \
+            && curl -fsSL "${RAW_PREFIXES}" -o /tmp/trufflehog_prefixes.txt 2>/dev/null \
+            && python3 /tmp/trufflehog_build_exclude_file.py /tmp/trufflehog_prefixes.txt > "${DEST}" 2>/dev/null \
+            && [[ -s "${DEST}" ]]; then
+            echo "Built exclude file from build_exclude_file.py + prefixes.txt (raw GitHub)"
           else
-            echo "::warning::Could not fetch trufflehog/global-exclude.txt from ${REPO}@${REF} (not on branch yet, or GITHUB_TOKEN cannot read that repo). Using bundled fallback — merge exclusions to main or allow workflows to read internal repos."
-            # Keep in sync with trufflehog/global-exclude.txt (used only when fetch fails).
+            echo "::warning::Could not fetch or rebuild TruffleHog excludes from ${REPO}@${REF}. Using last-resort bundled file — merge to main or fix token access."
+            # Last resort only: must match stdout of python3 trufflehog/build_exclude_file.py (same commit).
             cat > "${DEST}" <<'EOF'
-          # TruffleHog --exclude-paths: one Go regexp per non-blank, non-# line.
+          # Generated by trufflehog/build_exclude_file.py + trufflehog/prefixes.txt — do not edit by hand.
+          # Regenerate: python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt
           #
-          # To change org-wide behavior: edit this file and merge to security-github-actions main.
-          # Consumer repos load it at runtime via the GitHub API (no changes needed in those repos).
+          # --- directory prefixes (from prefixes.txt) ---
+          # prefix: vendor
+          (^|\./|[/\\])vendor([/\\]|$)
+          # prefix: content/grafana/dashboards
+          (^|\./|[/\\])content/grafana/dashboards([/\\]|$)
 
+          # --- static path patterns ---
           # Lock files and checksums (contain hashes, not secrets)
           path:go\.sum$
           path:go\.mod$
@@ -90,13 +111,6 @@ jobs:
 
           # Grafana plugin metadata
           path:grafana\.json$
-
-          # Go vendor/ directory (standard Go vendoring): third-party code and large data
-          # files (e.g. golang.org/x/net/publicsuffix) are not repo secrets; TruffleHog often false-positives there.
-          (^|\./|[/\\])vendor([/\\]|$)
-
-          # User-supplied Grafana dashboards checked into site repos (e.g. *.md / JSON); not org-managed secrets.
-          (^|\./|[/\\])content/grafana/dashboards([/\\]|$)
           EOF
           fi
           echo "--- effective exclude file ---"

trufflehog/build_exclude_file.py

@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+"""
+Emit TruffleHog --exclude-paths file content to stdout.
+
+Edit trufflehog/prefixes.txt, then:
+  python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt
+
+If you change STATIC_PATTERNS or prefix rules, refresh the last-resort heredoc in
+.github/workflows/reusable-trufflehog.yml to match this script's stdout (or rely on
+fetch / rebuild-from-prefixes paths in CI).
+"""
+
+from __future__ import annotations
+
+import re
+import sys
+from pathlib import Path
+
+# Fixed patterns (Go regexp syntax, one logical rule per line after strip).
+STATIC_PATTERNS = r"""
+# Lock files and checksums (contain hashes, not secrets)
+path:go\.sum$
+path:go\.mod$
+
+# Dependency manifests (contain URLs that trigger false positives)
+path:package\.json$
+path:package-lock\.json$
+path:pnpm-lock\.yaml$
+path:yarn\.lock$
+path:poetry\.lock$
+path:Pipfile\.lock$
+path:uv\.lock$
+path:Cargo\.lock$
+path:Gemfile\.lock$
+
+# Grafana plugin metadata
+path:grafana\.json$
+"""
+
+
+def prefix_to_regex(prefix: str) -> str:
+    """Match a path segment path in repo-relative, ./, and absolute CI paths."""
+    p = prefix.strip().strip("/").replace("\\", "/")
+    if not p:
+        return ""
+    escaped = re.escape(p)
+    return rf"(^|\./|[/\\]){escaped}([/\\]|$)"
+
+
+def main() -> None:
+    here = Path(__file__).resolve().parent
+    prefixes_path = Path(sys.argv[1]) if len(sys.argv) > 1 else here / "prefixes.txt"
+
+    lines: list[str] = []
+    lines.append(
+        "# Generated by trufflehog/build_exclude_file.py + trufflehog/prefixes.txt — do not edit by hand.\n"
+        "# Regenerate: python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt\n"
+        "#\n"
+    )
+
+    lines.append("# --- directory prefixes (from prefixes.txt) ---\n")
+    for raw in prefixes_path.read_text().splitlines():
+        stripped = raw.strip()
+        if not stripped or stripped.startswith("#"):
+            continue
+        rx = prefix_to_regex(stripped)
+        if rx:
+            lines.append(f"# prefix: {stripped}\n{rx}\n")
+
+    lines.append("\n# --- static path patterns ---\n")
+    lines.append(STATIC_PATTERNS.strip() + "\n")
+
+    sys.stdout.write("".join(lines))
+
+
+if __name__ == "__main__":
+    main()

trufflehog/global-exclude.txt

@@ -1,8 +1,13 @@
-# TruffleHog --exclude-paths: one Go regexp per non-blank, non-# line.
+# Generated by trufflehog/build_exclude_file.py + trufflehog/prefixes.txt — do not edit by hand.
+# Regenerate: python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt
 #
-# To change org-wide behavior: edit this file and merge to security-github-actions main.
-# Consumer repos load it at runtime via the GitHub API (no changes needed in those repos).
+# --- directory prefixes (from prefixes.txt) ---
+# prefix: vendor
+(^|\./|[/\\])vendor([/\\]|$)
+# prefix: content/grafana/dashboards
+(^|\./|[/\\])content/grafana/dashboards([/\\]|$)
 
+# --- static path patterns ---
 # Lock files and checksums (contain hashes, not secrets)
 path:go\.sum$
 path:go\.mod$
@@ -20,11 +25,3 @@ path:Gemfile\.lock$
 
 # Grafana plugin metadata
 path:grafana\.json$
-
-# Go vendor/ directory (standard Go vendoring): third-party code and large data
-# files (e.g. golang.org/x/net/publicsuffix) are not repo secrets; TruffleHog often false-positives there.
-# Allow repo-relative paths that start with "./" (common on Actions checkout).
-(^|\./|[/\\])vendor([/\\]|$)
-
-# User-supplied Grafana dashboards checked into site repos (e.g. *.md / JSON); not org-managed secrets.
-(^|\./|[/\\])content/grafana/dashboards([/\\]|$)

trufflehog/prefixes.txt

@@ -0,0 +1,5 @@
+# One repo-relative directory prefix per line (forward slashes). No regex.
+# Regenerate: python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt
+
+vendor
+content/grafana/dashboards