From b791b9891722266eddc8563a5199b48a31164234 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 22 Apr 2026 20:37:08 +0000
Subject: [PATCH] build(deps): bump trufflesecurity/trufflehog from 3.94.3 to
 3.95.2

Bumps [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) from 3.94.3 to 3.95.2.
- [Release notes](https://github.com/trufflesecurity/trufflehog/releases)
- [Commits](https://github.com/trufflesecurity/trufflehog/compare/47e7b7cd74f578e1e3145d48f669f22fd1330ca6...17456f8c7d042d8c82c9a8ca9e937231f9f42e26)

---
updated-dependencies:
- dependency-name: trufflesecurity/trufflehog
  dependency-version: 3.95.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/secret-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index 65dde0b..23a1943 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -76,7 +76,7 @@ jobs:
         # HIGH RISK historically ran as @main (moving HEAD of third-party action).
         # Now pinned to v3.94.3 commit SHA. Re-pin manually before bumping — never
         # go back to @main, @master, or any moving tag on a third-party action.
-        uses: trufflesecurity/trufflehog@47e7b7cd74f578e1e3145d48f669f22fd1330ca6  # v3.94.3
+        uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26  # v3.95.2
         with:
           # Scan the whole working tree. `--only-verified` suppresses noisy
           # unverified hits; the action wrapper appends `--fail` itself, so