prowler-ci

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

What this skill covers

此技能涵盖的内容

Use this skill whenever you are:

Reading or changing GitHub Actions workflows under
```
.github/workflows/
```
Explaining why a PR fails checks (title, changelog, conflict markers, secret scanning)
Figuring out which workflows run for UI/API/SDK changes and why
Diagnosing path-filtering behavior (why a workflow did/didn't run)

在以下场景中使用此技能：

读取或修改
```
.github/workflows/
```
目录下的GitHub Actions工作流
解释PR检查失败的原因（标题、变更日志、冲突标记、密钥扫描）
确定UI/API/SDK变更会触发哪些工作流及原因
诊断路径过滤行为（工作流为何运行/未运行）

Quick map (where to look)

快速指引（查看位置）

PR template:
```
.github/pull_request_template.md
```

PR title validation:

.github/workflows/conventional-commit.yml

Changelog gate:

.github/workflows/pr-check-changelog.yml

Conflict markers check:

.github/workflows/pr-conflict-checker.yml

Secret scanning:
```
.github/workflows/find-secrets.yml
```

Auto labels:

.github/workflows/labeler.yml

and

.github/labeler.yml

Review ownership:
```
.github/CODEOWNERS
```

PR模板：
```
.github/pull_request_template.md
```

PR标题验证：

.github/workflows/conventional-commit.yml

变更日志检查：

.github/workflows/pr-check-changelog.yml

冲突标记检查：

.github/workflows/pr-conflict-checker.yml

密钥扫描：
```
.github/workflows/find-secrets.yml
```

自动标签：

.github/workflows/labeler.yml

和

.github/labeler.yml

审核归属：
```
.github/CODEOWNERS
```

Debug checklist (PR failing checks)

调试清单（PR检查失败时）

Identify which workflow/job is failing (name + file under
```
.github/workflows/
```
).
Check path filters: is the workflow supposed to run for your changed files?
If it's a title check: verify PR title matches Conventional Commits.
If it's changelog: verify the right
```
CHANGELOG.md
```
is updated OR apply
```
no-changelog
```
label.
If it's conflict checker: remove
```
<<<<<<<
```
,
```
=======
```
,
```
>>>>>>>
```
markers.
If it's secrets (TruffleHog): see section below.

确定哪个工作流/作业失败（名称及
```
.github/workflows/
```
下的文件）。
检查路径过滤器：该工作流是否应该针对你修改的文件运行？
如果是标题检查：验证PR标题是否符合Conventional Commits规范。
如果是变更日志检查：确认是否更新了正确的
```
CHANGELOG.md
```
，或应用
```
no-changelog
```
标签。
如果是冲突检查器：移除
```
<<<<<<<
```
、
```
=======
```
、
```
>>>>>>>
```
标记。
如果是密钥扫描（TruffleHog）：查看下方章节。

TruffleHog Secret Scanning

TruffleHog密钥扫描

TruffleHog scans for leaked secrets. Common false positives in test files:

Patterns that trigger TruffleHog:

```
sk-*T3BlbkFJ*
```
- OpenAI API keys
```
AKIA[A-Z0-9]{16}
```
- AWS Access Keys
```
ghp_*
```
/
```
gho_*
```
- GitHub tokens
Base64-encoded strings that look like credentials

Fix for test files:

python

undefined

TruffleHog用于扫描泄露的密钥。测试文件中常见的误报情况：

触发TruffleHog的模式：

```
sk-*T3BlbkFJ*
```
- OpenAI API密钥
```
AKIA[A-Z0-9]{16}
```
- AWS访问密钥
```
ghp_*
```
/
```
gho_*
```
- GitHub令牌
看起来像凭据的Base64编码字符串

测试文件的修复方案：

python

undefined

BAD - looks like real OpenAI key

api_key = "sk-test1234567890T3BlbkFJtest1234567890"

GOOD - obviously fake

api_key = "sk-fake-test-key-for-unit-testing-only"


**If TruffleHog flags a real secret:**
1. Remove the secret from the code immediately
2. Rotate the credential (it's now in git history)
3. Consider using `.trufflehog-ignore` for known false positives (rarely needed)

api_key = "sk-fake-test-key-for-unit-testing-only"


**如果TruffleHog标记了真实密钥：**
1. 立即从代码中移除该密钥
2. 轮换凭据（它已存在于git历史中）
3. 考虑使用`.trufflehog-ignore`处理已知误报（很少需要）

Notes

注意事项

Keep
```
prowler-pr
```
focused on creating PRs and filling the template.
Use
```
prowler-ci
```
for CI policies and gates that apply to PRs.

```
prowler-pr
```
专注于创建PR及填写模板。
```
prowler-ci
```
用于处理PR适用的CI策略与检查。