Add secret scanning to repo

.github/workflows/pre_commit.yml

@@ -19,3 +19,5 @@ jobs:
         with:
           python-version: '3.9'
       - uses: pre-commit/[email protected]
+        env:
+          SKIP: "trufflehog"

.github/workflows/secret_scanning.yml

@@ -0,0 +1,30 @@
+name: "Secret Scanning"
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_call:
+
+jobs:
+  check_commits:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set depth and branch variables
+      run: |
+        if [ "${{ github.event_name }}" == "push" ]; then
+          echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
+          echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
+        fi
+        if [ "${{ github.event_name }}" == "pull_request" ]; then
+          echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
+          echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
+        fi
+    - name: Checkout code
+      uses: actions/checkout@v3
+      with:
+        ref: ${{env.branch}}
+        fetch-depth: ${{env.depth}}
+    - uses: trufflesecurity/trufflehog@main
+      with:
+        extra_args: --results=verified,unknown

.pre-commit-config.yaml

@@ -1,9 +1,22 @@
 default_language_version:
   python: python3.9
 repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: "v5.0.0"
+  hooks:
+  - id: no-commit-to-branch
 - repo: https://github.com/astral-sh/ruff-pre-commit
   rev: 'v0.8.0'
   hooks:
   - id: ruff
     args: [ "--fix" ]
   - id: ruff-format
+- repo: https://github.com/trufflesecurity/trufflehog.git
+  rev: "v3.84.2"
+  hooks:
+  - id: trufflehog
+    name: TruffleHog
+    description: Detect secrets in your data.
+    entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail --no-update'
+    language: system
+    stages: ["pre-commit", "pre-push"]