Git Security Scanner

Security scanning for GitHub repos using Gitleaks and Trivy to detect secrets, vulnerabilities, and misconfigurations

Git Security Scanner - GitHub Action


Comprehensive security scanning for GitHub repositories - Detect secrets, vulnerabilities, and misconfigurations in your CI/CD pipeline.

Features

  • Secret Detection - Find API keys, passwords, and tokens using Gitleaks
  • Vulnerability Scanning - Identify CVEs and security issues with Trivy
  • Misconfiguration Detection - Catch IaC security problems
  • Multiple Report Formats - JSON, HTML, and SARIF for GitHub Security tab
  • PR Integration - Automatic security comments on pull requests
  • Quality Gates - Fail builds on critical security issues

Quick Start

Add to your workflow (.github/workflows/security.yml):

name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      
      - name: Run Security Scan
        uses: cloudon-one/git-security-scanner@v1.1.1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          fail_on_critical: true

Configuration

Inputs

Input               Required  Default              Description
github_token        No        ${{ github.token }}  GitHub token for API access
fail_on_critical    No        true                 Fail build if critical issues found
scan_type           No        all                  Scan type: all, gitleaks, or trivy
repository_path     No        .                    Path to repository to scan
upload_sarif        No        true                 Upload SARIF to GitHub Security tab
create_pr_comment   No        true                 Create PR comments with results
scanner_version     No        latest               Docker image version to use

Outputs

Output                   Description
risk_level               Overall risk: CRITICAL, HIGH, MEDIUM, LOW
critical_count           Number of critical issues
high_count               Number of high severity issues
medium_count             Number of medium severity issues
low_count                Number of low severity issues
secrets_found            Number of secrets detected
vulnerabilities_found    Number of vulnerabilities found
misconfigurations_found  Number of misconfigurations detected
report_url               Link to detailed security report

Usage Examples

Basic Security Check

- uses: cloudon-one/git-security-scanner@v1.1.1
  with:
    fail_on_critical: true
    create_pr_comment: true

Advanced Configuration

- uses: cloudon-one/git-security-scanner@v1.1.1
  id: security
  with:
    scan_type: all
    fail_on_critical: false
    repository_path: ./src
    
- name: Process Results
  run: |
    echo "Risk Level: ${{ steps.security.outputs.risk_level }}"
    echo "Secrets: ${{ steps.security.outputs.secrets_found }}"
    echo "Vulnerabilities: ${{ steps.security.outputs.vulnerabilities_found }}"

Scheduled Security Audits

name: Weekly Security Audit
on:
  schedule:
    - cron: '0 2 * * 1'  # Mondays at 2 AM (GitHub schedules run in UTC)

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cloudon-one/git-security-scanner@v1.1.1
        with:
          fail_on_critical: false
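The examples above either let the action fail the build on critical findings or only echo its outputs. The workflow below (an added example, not part of the project's own documentation) combines the two: it runs the scan with fail_on_critical disabled and then enforces a custom policy on the documented outputs. The thresholds are hypothetical; the outputs are passed to the script through env rather than interpolated into it, so a value such as report_url can never be executed as shell.

```yaml
name: Security Scan with custom gate
on: [pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required for upload_sarif
      pull-requests: write     # required for create_pr_comment
    steps:
      - uses: actions/checkout@v4

      - name: Run Security Scan
        id: security
        uses: cloudon-one/git-security-scanner@v1.1.1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          scan_type: all
          fail_on_critical: false   # the gate step below decides pass/fail
          upload_sarif: true
          create_pr_comment: true

      - name: Enforce repository policy
        env:
          # Outputs go through env, never straight into the script text.
          SECRETS: ${{ steps.security.outputs.secrets_found }}
          CRITICAL: ${{ steps.security.outputs.critical_count }}
          HIGH: ${{ steps.security.outputs.high_count }}
          RISK: ${{ steps.security.outputs.risk_level }}
          REPORT: ${{ steps.security.outputs.report_url }}
        run: |
          # Hypothetical policy: any leaked secret fails the build, any critical
          # finding fails, and more than 5 high findings fail. Adjust to taste.
          echo "risk_level=$RISK report=$REPORT"
          if [ "${SECRETS:-0}" -gt 0 ]; then
            echo "::error::$SECRETS secret(s) detected; rotate them before merging"
            exit 1
          fi
          if [ "${CRITICAL:-0}" -gt 0 ] || [ "${HIGH:-0}" -gt 5 ]; then
            echo "::error::critical=$CRITICAL high=$HIGH exceeds policy"
            exit 1
          fi
          echo "policy check passed"
```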

Building from Source

Prerequisites

  • Docker
  • GitHub Token (for GitHub API access)

Build Docker Image

docker build -t git-security-scanner .

Run Local Scan

# Scan current directory (image tag matches the build command above)
docker run --rm \
  -v "$(pwd)":/scan_target:ro \
  -v "$(pwd)/reports":/reports \
  git-security-scanner all

# Scan specific repository via the GitHub API
docker run --rm \
  -e GITHUB_TOKEN="$GITHUB_TOKEN" \
  -e GITHUB_OWNER=owner \
  -e GITHUB_REPO=repo \
  -v "$(pwd)/reports":/reports \
  git-security-scanner all

Architecture

The scanner consists of:

  • action.yml - GitHub Action definition
  • Dockerfile - Container with security tools
  • git-audit-script.py - Main orchestration script
  • run_scans.sh - Shell wrapper for execution
  • gitleaks.toml - Secret detection configuration

Security Tools

  • Gitleaks v8.28.0 - Secret detection
  • Trivy v0.65.0 - Vulnerability scanning

Contributing

See CONTRIBUTING.md for development guidelines.

Support

License

MIT License - see LICENSE file.


Made by CloudOn One

Git Security Scanner is not certified by GitHub. It is provided by a third party and is governed by separate terms of service, privacy policy, and support documentation.
