
feat(ci): add trufflehog secrets detection #31344

Merged: 4 commits, Jun 12, 2024

Conversation

@McPatate (Member) commented Jun 10, 2024

What does this PR do?

Adding a GH action to scan for leaked secrets on each commit.

Context

trufflehog will scan the commit that triggered the CI for any token leak. trufflehog works with a large number of what they call "detectors", each of which will read the text from the commit to see if there is a match for a token. For example, the Hugging Face detector will check for HF tokens and then query our /api/whoami{-v2} endpoint to check if the token is valid. If it detects a valid token, the CI will fail, informing you that you need to rotate the token given it leaked.

What to do if the CI fails

If the CI errors, you should check the logs to see which token was leaked. After that, depending on the origin of the token, you should go to the token issuer and delete it, recreate it or rotate it (depending on the available features).
Once this is done, remove the token from the code and use an environment variable to load the secret or any other external configuration management system.

References

@HuggingFaceDocBuilderDev

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@amyeroberts (Collaborator) left a comment

Thanks for adding!

  • Would be good to have some guidelines added to let users know what to do if this pipeline fails e.g. in the contributing guidelines
  • What's the chance of having false positives on these runs?

@McPatate (Member, Author)

> Would be good to have some guidelines added to let users know what to do if this pipeline fails e.g. in the contributing guidelines

Would you like me to address this in this PR?

> What's the chance of having false positives on these runs?

From my experience I would say pretty low, on some occasions a sha could be misinterpreted as a secret. But it will not be considered "verified", so in most cases safe to ignore.
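The detector-then-verify flow from the PR description, and the point made just above that a SHA-shaped string can match a pattern but will never be "verified", as an added Python example (written for this page, not trufflehog's code or the repository's workflow). The regexes, the `Finding` type, the sample commit text and the tokens in it are all constructed for the example; only the `hf_` prefix and the whoami-v2 endpoint come from the page. The live verifier is included for completeness but the scan takes an injected verifier so the example runs offline.

```python
"""Toy secrets scanner: pattern detectors plus a verification step.

Added example for this PR thread, not trufflehog's implementation.
Names, patterns and sample data are constructed; only the ``hf_`` token
prefix and the whoami-v2 endpoint are taken from the discussion.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List

# Hugging Face user access tokens start with "hf_" followed by letters and digits.
# The minimum length of 30 is an assumption chosen to keep the example lenient.
HF_TOKEN_RE = re.compile(r"\bhf_[A-Za-z0-9]{30,}\b")

# A deliberately loose "generic" detector: 40 hex characters. This also matches a
# git commit SHA, which is exactly the false-positive case raised in the thread.
GENERIC_HEX_RE = re.compile(r"\b[0-9a-f]{40}\b")


@dataclass(frozen=True)
class Finding:
    detector: str
    line_no: int
    secret: str
    verified: bool   # True only if the issuer confirmed the credential is live


Verifier = Callable[[str], bool]


def verify_hf_token_online(token: str) -> bool:
    """Live verifier: ask the Hub whether the token is valid (network access).

    A 200 from whoami-v2 means the token works; 401/403 means it does not.
    The scan below uses an injected verifier instead, so this is never called
    during the offline example.
    """
    req = urllib.request.Request(
        "https://huggingface.co/api/whoami-v2",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False


def scan_text(text: str, hf_verifier: Verifier) -> List[Finding]:
    """Run every detector over each line; verify HF matches with the given verifier."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in HF_TOKEN_RE.finditer(line):
            tok = m.group(0)
            findings.append(Finding("huggingface", line_no, tok, hf_verifier(tok)))
        for m in GENERIC_HEX_RE.finditer(line):
            # No issuer to ask, so a generic match can never become "verified".
            findings.append(Finding("generic-hex", line_no, m.group(0), False))
    return findings


def ci_should_fail(findings: List[Finding]) -> bool:
    """Mirror the PR's policy: only a verified (live) credential fails the build."""
    return any(f.verified for f in findings)


def redact(secret: str) -> str:
    """Show enough of a secret to identify it in logs without reprinting it whole."""
    return secret[:6] + "..." + secret[-4:]


# ---- constructed sample input -------------------------------------------------
LIVE_TOKEN = "hf_LiveExampleToken" + "A" * 20        # constructed; fake verifier accepts it
REVOKED_TOKEN = "hf_RevokedExampleToken" + "B" * 20  # constructed; fake verifier rejects it
COMMIT_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed, SHA-shaped

SAMPLE_COMMIT = (
    f'+HF_TOKEN = "{LIVE_TOKEN}"\n'
    f'+OLD_TOKEN = "{REVOKED_TOKEN}"\n'
    f'+PINNED_COMMIT = "{COMMIT_SHA}"\n'
)


def fake_verifier(token: str) -> bool:
    """Offline stand-in for whoami-v2: only the constructed live token is 'valid'."""
    return token == LIVE_TOKEN


if __name__ == "__main__":
    for f in scan_text(SAMPLE_COMMIT, fake_verifier):
        status = "VERIFIED" if f.verified else "unverified"
        print(f"line {f.line_no}: {f.detector:<12} {redact(f.secret)} [{status}]")
    print("CI fails:", ci_should_fail(scan_text(SAMPLE_COMMIT, fake_verifier)))
```

The split between matching and verifying is the part worth keeping in mind when reading a failed run: the SHA on line 3 is reported, but it is `unverified` and does not fail the build, while the live token on line 1 does. Rotating the token at the issuer first and re-running the scan is what turns that finding back into an unverified one.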

@amyeroberts (Collaborator)

> Would you like me to address this in this PR?

Ideally yes. At least, a comment within this PR which we can link on issues. As, tbh, I'm not 100% sure what I should tell people to do if this fails 😅

> From my experience I would say pretty low, on some occasions a sha could be misinterpreted as a secret. But it will not be considered "verified", so in most cases safe to ignore.

OK!

@McPatate (Member, Author)

> At least, a comment within this PR which we can link on issues.

Updated the PR description, lmk what you think.

@ArthurZucker (Collaborator) left a comment

spice it up 😄

on:
push:

name: Secret Leaks
Collaborator:

Suggested change
name: Secret Leaks
name: Are you leaking you github token

😈

Member Author:

Can't do a suggestion on your suggestion 😄

Suggested change
name: Secret Leaks
name: Are you leaking a token?

@amyeroberts (Collaborator) left a comment

Thanks for adding! 🤐

@McPatate McPatate merged commit 348e229 into main Jun 12, 2024
22 checks passed
@McPatate McPatate deleted the feat/add_trufflehog_ci branch June 12, 2024 16:00
zucchini-nlp pushed a commit to zucchini-nlp/transformers that referenced this pull request Jun 14, 2024