# Gitleaks Scanner

This GitHub Action allows you to run Gitleaks in your CI/CD workflow.

⚠️ v2 of this GitHub Action supports only the latest version of Gitleaks from the v8 release.
## Inputs

Name | Required | Type | Default value | Description |
---|---|---|---|---|
source | false | string | $GITHUB_WORKSPACE | Path to source (relative to $GITHUB_WORKSPACE) |
config | false | string | /.gitleaks/UDMSecretChecks.toml | Config file path (relative to $GITHUB_WORKSPACE) |
baseline_path | false | string | not set | Path to baseline with issues that can be ignored (relative to $GITHUB_WORKSPACE) |
report_format | false | string | json | Report file format: json, csv, sarif |
no_git | false | bool | not set | Treat git repos as plain directories and scan those files |
redact | false | bool | true | Redact secrets from log messages and leaks |
fail | false | bool | true | Fail if secrets are found |
verbose | false | bool | true | Show verbose output from scan |
log_level | false | string | info | Log level (trace, debug, info, warn, error, fatal) |

⚠️ The solution provides a predefined configuration (see the `.gitleaks` path). You can override it with your own config by passing a path relative to `$GITHUB_WORKSPACE`.
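The `baseline_path` input points at an earlier JSON report whose findings should be ignored on later scans. The following Python example is added here to show how such a baseline suppresses known findings; it is not code from this Action or from Gitleaks, and it assumes (as a simplification of Gitleaks' own field-by-field comparison) that a finding is identified by its `Fingerprint`. Both reports are constructed inline.

```python
import json
from typing import Dict, List

# Constructed sample of a Gitleaks v8 JSON report used as the baseline: an
# earlier scan whose findings were reviewed (false positives or rotated keys).
# Secrets show as REDACTED because the Action runs with redact=true.
BASELINE_JSON = """[
  {"Description": "Generic API Key", "File": "config/dev.env", "StartLine": 3,
   "Secret": "REDACTED", "Commit": "0123abcd", "RuleID": "generic-api-key",
   "Fingerprint": "0123abcd:config/dev.env:generic-api-key:3"}
]"""

# Constructed report from a new scan: the baselined finding plus two new ones,
# one of which is the same file and line re-committed in a later commit.
NEW_REPORT_JSON = """[
  {"Description": "Generic API Key", "File": "config/dev.env", "StartLine": 3,
   "Secret": "REDACTED", "Commit": "0123abcd", "RuleID": "generic-api-key",
   "Fingerprint": "0123abcd:config/dev.env:generic-api-key:3"},
  {"Description": "AWS Access Key", "File": "deploy/aws.sh", "StartLine": 12,
   "Secret": "REDACTED", "Commit": "4567ef01", "RuleID": "aws-access-token",
   "Fingerprint": "4567ef01:deploy/aws.sh:aws-access-token:12"},
  {"Description": "Generic API Key", "File": "config/dev.env", "StartLine": 3,
   "Secret": "REDACTED", "Commit": "89abcdef", "RuleID": "generic-api-key",
   "Fingerprint": "89abcdef:config/dev.env:generic-api-key:3"}
]"""

def load_findings(report_json: str) -> List[Dict]:
    """Parse a Gitleaks JSON report; a clean scan yields an empty array."""
    findings = json.loads(report_json)
    return findings if isinstance(findings, list) else []

def new_findings(baseline_json: str, report_json: str) -> List[Dict]:
    """Return report findings whose Fingerprint is absent from the baseline.

    Assumption: Fingerprint (commit:file:rule:line) identifies a finding, so a
    secret re-committed in a new commit gets a new fingerprint and is reported.
    """
    known = {f.get("Fingerprint") for f in load_findings(baseline_json)}
    return [f for f in load_findings(report_json)
            if f.get("Fingerprint") not in known]

def summarize(findings: List[Dict]) -> str:
    """One line per finding; safe for CI logs because secrets are redacted."""
    return "\n".join(f"{f['RuleID']} in {f['File']}:{f['StartLine']} ({f['Commit'][:7]})" for f in findings)

if __name__ == "__main__":
    fresh = new_findings(BASELINE_JSON, NEW_REPORT_JSON)
    print(f"{len(fresh)} new finding(s) not covered by the baseline")
    print(summarize(fresh))
```

Note that the finding re-committed under a new commit is still reported: a baseline hides reviewed findings, not the secret itself.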
## Outputs

Name | Description |
---|---|
exitcode | Success (code: 0) or failure (code: 1) value from scan |
result | Gitleaks result summary |
output | Gitleaks log output |
command | Gitleaks executed command |
report | Report file path |

⚠️ You must use `actions/checkout` before the `github-action-gitleaks` step. If you are using `actions/checkout@v3`, you must specify a commit depth other than the default, which is 1. Using a `fetch-depth` of `0` clones the entire history. If you want to do a more efficient clone, use `2`, but that is not guaranteed to work with pull requests.
---

Workflow that runs the scan on pushes to `main` and on pull requests, and posts the result as a pull request comment:

```yaml
name: Secret Scan
on:
  pull_request:
  push:
    branches:
      - main
# allow one concurrency
concurrency:
  group: ${{ format('{0}-{1}-{2}-{3}-{4}', github.workflow, github.event_name, github.ref, github.base_ref, github.head_ref) }}
  cancel-in-progress: true
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Run Gitleaks
        id: gitleaks
        uses: DariuszPorowski/github-action-gitleaks@v2
        with:
          fail: false
      - name: Post PR comment
        uses: actions/github-script@v6
        if: ${{ steps.gitleaks.outputs.exitcode == 1 && github.event_name == 'pull_request' }}
        with:
          github-token: ${{ github.token }}
          script: |
            const { GITLEAKS_RESULT, GITLEAKS_OUTPUT } = process.env
            const output = `### ${GITLEAKS_RESULT}
            <details><summary>Log output</summary>

            ${GITLEAKS_OUTPUT}

            </details>
            `
            github.rest.issues.createComment({
              ...context.repo,
              issue_number: context.issue.number,
              body: output
            })
        env:
          GITLEAKS_RESULT: ${{ steps.gitleaks.outputs.result }}
          GITLEAKS_OUTPUT: ${{ steps.gitleaks.outputs.output }}
```
Steps that produce a SARIF report and upload it to the code scanning service:

```yaml
- name: Checkout
  uses: actions/checkout@v3
  with:
    fetch-depth: 0
- name: Run Gitleaks
  id: gitleaks
  uses: DariuszPorowski/github-action-gitleaks@v2
  with:
    report_format: sarif
    fail: false
# (optional) It's just to see outputs from the Action.
# Please note: the OUTPUT (multi-line log text) has to be passed via env vars!
- name: Get the output from the gitleaks step
  run: |
    echo "exitcode: ${{ steps.gitleaks.outputs.exitcode }}"
    echo "result: ${{ steps.gitleaks.outputs.result }}"
    echo "command: ${{ steps.gitleaks.outputs.command }}"
    echo "report: ${{ steps.gitleaks.outputs.report }}"
    echo "output: ${GITLEAKS_OUTPUT}"
  env:
    GITLEAKS_OUTPUT: ${{ steps.gitleaks.outputs.output }}
- name: Upload Gitleaks SARIF report to code scanning service
  if: ${{ steps.gitleaks.outputs.exitcode == 1 }}
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: ${{ steps.gitleaks.outputs.report }}
```

⚠️ SARIF file uploads for code scanning are not available to everyone. Read the GitHub docs (Uploading a SARIF file to GitHub) for more information.
Steps that use a custom Gitleaks config and keep the JSON report as a workflow artifact when the scan fails:

```yaml
- name: Checkout
  uses: actions/checkout@v3
  with:
    fetch-depth: 0
- name: Run Gitleaks
  id: gitleaks
  uses: DariuszPorowski/github-action-gitleaks@v2
  with:
    config: MyGitleaksConfigs/MyGitleaksConfig.toml
- name: Upload Gitleaks JSON report to artifacts
  uses: actions/upload-artifact@v3
  if: failure()
  with:
    name: gitleaks
    path: ${{ steps.gitleaks.outputs.report }}
```
Jesse Houwing provided a Gitleaks config with most of Microsoft's deprecated CredScan rules. Consider using it if you need to scan projects based on Microsoft technologies or Azure Cloud.

If you have any feedback on Gitleaks, please reach out to Zachary Rice (@zricethezav), who created and maintains Gitleaks.

Any feedback on the Gitleaks config for Azure (the `UDMSecretChecks.toml` file) is welcome. Follow Jesse Houwing's GitHub repo, gitleaks-azure.

Thanks to C.J. May (@lawndoc) for contributing 🤘

Any feedback or contribution to this project is welcome!

GitHub has a great article on removing a leaked secret from a repository's history using the BFG Repo Cleaner.