trufflesecurity
diff --git a/‎.github/workflows/README.md‎
Lines changed: 48 additions & 0 deletions b/‎.github/workflows/README.md‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎CODEOWNERS‎
Lines changed: 16 additions & 2 deletions b/‎CODEOWNERS‎
Lines changed: 16 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 9 additions & 5 deletions b/‎README.md‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎go.mod‎
Lines changed: 18 additions & 9 deletions b/‎go.mod‎
Lines changed: 18 additions & 9 deletions
@@ -0,0 +1,48 @@
+# GitHub Workflows
+
+This directory contains GitHub Actions workflows for the TruffleHog repository.
+
+## PR Approval Check (`pr-approval-check.yml`)
+
+This workflow enforces that at least one PR approver must be an **active** member of the `@trufflesecurity/product-eng` team or any of its child teams.
+
+### How it works:
+
+1. **Triggers**: The workflow runs on:
+   - `pull_request_review` events when a review is submitted (`submitted` type)
+   - `pull_request` events when a PR is opened, reopened, or synchronized (`opened`, `reopened`, `synchronize` types)
+
+2. **Approval Check Process**: The workflow:
+   - Fetches all reviews for the PR using the GitHub API
+   - Filters for reviews with state `APPROVED`
+   - Gets all child teams of `@trufflesecurity/product-eng` using `listChildInOrg` API
+   - Checks if any approver is an **active** member (not pending) of either:
+     - The parent `@trufflesecurity/product-eng` team, OR
+     - Any of its child teams
+   - Sets a commit status accordingly
+
+3. **Status Check**: Creates a commit status named `product-eng-approval` with:
+   - ✅ **Success**: When at least one approver is an active member of `@trufflesecurity/product-eng` or any child team
+   - ❌ **Failure**: When there are no approvals or there are approvals but none from active `@trufflesecurity/product-eng` members
+
+### Error Handling
+
+If there are errors listing reviews or checking team membership, the workflow reports a failure status and also fails itself.
+
+### Branch Protection
+
+To make this check required:
+
+1. Go to Settings → Branches
+2. Add or edit a branch protection rule for your main branch
+3. Enable "Require status checks to pass before merging"
+4. Add `pr-approval-check` to the required status checks
+
+### Permissions
+
+The workflow uses the default `GITHUB_TOKEN` which has sufficient permissions to:
+- Read PR reviews
+- List child teams and check team membership (for public teams)
+- Create commit statuses
+
+**Note**: If the `product-eng` team or its child teams are private, you may need to use a personal access token with appropriate permissions. The Github API returns 404 for non-members and for lack of permissions.
@@ -2,8 +2,23 @@
 * @trufflesecurity/product-eng
 
 # Scanning
+pkg/sources/ @trufflesecurity/Scanning
 pkg/writers/ @trufflesecurity/Scanning
 
+# Integrations
+pkg/sources/circleci/ @trufflesecurity/Integrations
+pkg/sources/docker/ @trufflesecurity/Integrations
+pkg/sources/elasticsearch/ @trufflesecurity/Integrations
+pkg/sources/filesystem/ @trufflesecurity/Integrations
+pkg/sources/gcs/ @trufflesecurity/Integrations
+pkg/sources/git/ @trufflesecurity/Integrations
+pkg/sources/github/ @trufflesecurity/Integrations
+pkg/sources/gitlab/ @trufflesecurity/Integrations
+pkg/sources/jenkins/ @trufflesecurity/Integrations
+pkg/sources/postman/ @trufflesecurity/Integrations
+pkg/sources/s3/ @trufflesecurity/Integrations
+pkg/sources/travisci/ @trufflesecurity/Integrations
+
 # Shared
 pkg/decoders/ @trufflesecurity/Scanning @trufflesecurity/OSS
 pkg/engine/ @trufflesecurity/Scanning  @trufflesecurity/OSS
@@ -12,8 +27,7 @@ pkg/giturl/ @trufflesecurity/Scanning  @trufflesecurity/OSS
 pkg/handlers/ @trufflesecurity/Scanning  @trufflesecurity/OSS
 pkg/iobuf/ @trufflesecurity/Scanning  @trufflesecurity/OSS
 pkg/sanitizer/ @trufflesecurity/Scanning  @trufflesecurity/OSS
-pkg/sources/ @trufflesecurity/Scanning  @trufflesecurity/OSS
-proto/ @trufflesecurity/Scanning  @trufflesecurity/OSS
+proto/ @trufflesecurity/Scanning  @trufflesecurity/Integrations
 
 # OSS
 pkg/detectors/ @trufflesecurity/OSS
 
@@ -30,19 +30,19 @@ To learn more about TruffleHog and its features and capabilities, visit our [pro
 
 # :globe_with_meridians: TruffleHog Enterprise
 
-Are you interested in continuously monitoring **Git, Jira, Slack, Confluence, Microsoft Teams, Sharepoint, and more..** for credentials? We have an enterprise product that can help! Learn more at <https://trufflesecurity.com/trufflehog-enterprise>.
+Are you interested in continuously monitoring **Git, Jira, Slack, Confluence, Microsoft Teams, Sharepoint (and more)** for credentials? We have an enterprise product that can help! Learn more at <https://trufflesecurity.com/trufflehog-enterprise>.
 
 We take the revenue from the enterprise product to fund more awesome open source projects that the whole community can benefit from.
 
 </div>
 
 # What is TruffleHog 🐽
 
-TruffleHog is the most powerful secrets **Discovery, Classification, Validation,** and **Analysis** tool. In this context, secret refers to a credential a machine uses to authenticate itself to another machine. This includes API keys, database passwords, private encryption keys, and more...
+TruffleHog is the most powerful secrets **Discovery, Classification, Validation,** and **Analysis** tool. In this context, secret refers to a credential a machine uses to authenticate itself to another machine. This includes API keys, database passwords, private encryption keys, and more.
 
 ## Discovery 🔍
 
-TruffleHog can look for secrets in many places including Git, chats, wikis, logs, API testing platforms, object stores, filesystems and more
+TruffleHog can look for secrets in many places including Git, chats, wikis, logs, API testing platforms, object stores, filesystems and more.
 
 ## Classification 📁
 
@@ -499,7 +499,7 @@ trufflehog git https://github.com/trufflesecurity/trufflehog.git
 
 ## Configuration
 
-TruffleHog supports defining [custom regex detectors](#regex-detector-alpha)
+TruffleHog supports defining [custom regex detectors](#custom-regex-detector-alpha)
 and multiple sources in a configuration file provided via the `--config` flag.
 The regex detectors can be used with any subcommand, while the sources defined
 in configuration are only for the `multi-scan` subcommand.
@@ -675,7 +675,7 @@ TruffleHog can be used in a pre-commit hook to prevent credentials from leaking
 
 See the [pre-commit hook documentation](PreCommit.md) for more information.
 
-## Regex Detector (alpha)
+## Custom Regex Detector (alpha)
 
 TruffleHog supports detection and verification of custom regular expressions.
 For detection, at least one **regular expression** and **keyword** is required.
@@ -696,6 +696,10 @@ your custom detector has multiple `regex` set (in this example `hogID`, and `hog
 ### Regex Detector Example
 [Here](/pkg/custom_detectors/CUSTOM_DETECTORS.md) is how to setup a custom regex detector with verification server.
 
+## Generic JWT Detection
+
+TruffleHog supports detection and verification of a subset of generic JWTs it finds.
+Specifically, if a JWT uses public-key cryptography rather than HMAC and the public key can be obtained, TruffleHog can determine whether the JWT is live or not.
 
 ## :mag: Analyze
 
 
@@ -1,6 +1,6 @@
 module github.com/trufflesecurity/trufflehog/v3
 
-go 1.24
+go 1.24.0
 
 toolchain go1.24.5
 
@@ -70,6 +70,7 @@ require (
 	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213
 	github.com/klauspost/pgzip v1.2.6
 	github.com/kylelemons/godebug v1.1.0
+	github.com/lestrrat-go/jwx/v3 v3.0.12
 	github.com/lib/pq v1.10.9
 	github.com/lrstanley/bubblezone v0.0.0-20250404061050-e13639e27357
 	github.com/marusama/semaphore/v2 v2.5.0
@@ -90,7 +91,7 @@ require (
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3
 	github.com/shuheiktgw/go-travis v0.3.1
 	github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/testcontainers/testcontainers-go v0.34.0
 	github.com/testcontainers/testcontainers-go/modules/elasticsearch v0.34.0
 	github.com/testcontainers/testcontainers-go/modules/mongodb v0.34.0
@@ -105,11 +106,11 @@ require (
 	go.uber.org/automaxprocs v1.6.0
 	go.uber.org/mock v0.5.2
 	go.uber.org/zap v1.27.0
-	golang.org/x/crypto v0.41.0
-	golang.org/x/net v0.43.0
+	golang.org/x/crypto v0.43.0
+	golang.org/x/net v0.45.0
 	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.16.0
-	golang.org/x/text v0.28.0
+	golang.org/x/sync v0.17.0
+	golang.org/x/text v0.30.0
 	golang.org/x/time v0.12.0
 	google.golang.org/api v0.247.0
 	google.golang.org/protobuf v1.36.9
@@ -184,6 +185,7 @@ require (
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.11.0 // indirect
 	github.com/docker/cli v28.2.2+incompatible // indirect
@@ -204,6 +206,7 @@ require (
 	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
@@ -229,6 +232,11 @@ require (
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/kjk/lzma v0.0.0-20161016003348-3fd93898850d // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
@@ -265,6 +273,7 @@ require (
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/sahilm/fuzzy v0.1.1-0.20230530133925-c48e322e2a8f // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
 	github.com/sendgrid/rest v2.6.9+incompatible // indirect
 	github.com/shirou/gopsutil/v3 v3.23.12 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
@@ -307,9 +316,9 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
 	golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 // indirect
-	golang.org/x/mod v0.26.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/term v0.34.0 // indirect
+	golang.org/x/mod v0.28.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/term v0.36.0 // indirect
 	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect