From 2b501ecb782cc3a863e63ff8de19047168c1064d Mon Sep 17 00:00:00 2001 From: Case Wylie Date: Fri, 1 Nov 2024 09:04:57 -0400 Subject: [PATCH] chore: squash HIGH vulnerability Signed-off-by: Case Wylie --- .github/workflows/secret-scan.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index ac01bd72e..a39dcb75c 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -1,15 +1,22 @@ name: secret-scan on: pull_request +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: secret-scan: # scan for any live secrets in the repository using trufflehog runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Default Secret Scanning - uses: trufflesecurity/trufflehog@main + uses: trufflesecurity/trufflehog@a63bf95412e732b7a187e8fd7cc2d19c4a2e4963 # main with: - extra_args: --debug --no-verification # Warn on potential violations \ No newline at end of file + extra_args: --debug --no-verification # Warn on potential violations
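Review bot: The Harden Runner step added at the top of `steps` uses `egress-policy: audit`, which only records outbound connections and blocks nothing, so the runner hardening this commit advertises is observational until the policy is tightened; after reviewing the audit output, consider `egress-policy: block` with an `allowed-endpoints` list limited to what checkout and the scan actually contact. The new trufflehog pin is labelled `# main` rather than a release tag, which leaves a reviewer unable to tell which release that commit corresponds to and gives update tooling no tag to track; pinning the SHA of a tagged release and labelling it that way (as the checkout and harden-runner lines already do) would make the pin auditable. The `--no-verification` flag in `extra_args` is unchanged here, so the job still reports unverified matches only, which the inline comment "Warn on potential violations" should probably state explicitly, e.g. `# Unverified matches only: findings are warnings, not confirmed live secrets`.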