Skip to content

This GitHub Action allows you to run Gitleaks in your GitHub workflow.

License

Notifications You must be signed in to change notification settings

DariuszPorowski/github-action-gitleaks

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

GitHub Action for Gitleaks

GitHub - marketplace GitHub - release GitHub - license

This GitHub Action allows you to run Gitleaks in your CI/CD workflow.

⚠️ v2 of this GitHub Action supports only the latest version of Gitleaks from v8 release.

Inputs

Name Required Type Default value Description
source false string $GITHUB_WORKSPACE Path to source (relative to $GITHUB_WORKSPACE)
config false string /.gitleaks/UDMSecretChecks.toml Config file path (relative to $GITHUB_WORKSPACE)
baseline_path false string not set Path to baseline with issues that can be ignored (relative to $GITHUB_WORKSPACE)
report_format false string json Report file format: json, csv, sarif
no_git false bool not set Treat git repos as plain directories and scan those file
redact false bool true Redact secrets from log messages and leaks
fail false bool true Fail if secrets founded
verbose false bool true Show verbose output from scan
log_level false string info Log level (trace, debug, info, warn, error, fatal)

⚠️ The solution provides predefined configuration (See: .gitleaks path). You can override it by yours config using relative to $GITHUB_WORKSPACE.

Outputs

Name Description
exitcode Success (code: 0) or failure (code: 1) value from scan
result Gitleaks result summary
output Gitleaks log output
command Gitleaks executed command
report Report file path

Example usage

⚠️ You must use actions/checkout before the github-action-gitleaks step. If you are using actions/checkout@v3 you must specify a commit depth other than the default which is 1.

Using a fetch-depth of '0' clones the entire history. If you want to do a more efficient clone, use '2', but that is not guaranteed to work with pull requests.

Pull Request with comment

---
name: Secret Scan

on:
  pull_request:
  push:
    branches:
      - main

# allow one concurrency
concurrency:
  group: ${{ format('{0}-{1}-{2}-{3}-{4}', github.workflow, github.event_name, github.ref, github.base_ref, github.head_ref) }}
  cancel-in-progress: true

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Run Gitleaks
        id: gitleaks
        uses: DariuszPorowski/github-action-gitleaks@v2
        with:
          fail: false

      - name: Post PR comment
        uses: actions/github-script@v6
        if: ${{ steps.gitleaks.outputs.exitcode == 1 && github.event_name == 'pull_request' }}
        with:
          github-token: ${{ github.token }}
          script: |
            const { GITLEAKS_RESULT, GITLEAKS_OUTPUT } = process.env
            const output = `### ${GITLEAKS_RESULT}

            <details><summary>Log output</summary>

            ${GITLEAKS_OUTPUT}

            </details>
            `
            github.rest.issues.createComment({
              ...context.repo,
              issue_number: context.issue.number,
              body: output
            })
        env:
          GITLEAKS_RESULT: ${{ steps.gitleaks.outputs.result }}
          GITLEAKS_OUTPUT: ${{ steps.gitleaks.outputs.output }}

With SARIF report

- name: Checkout
  uses: actions/checkout@v3
  with:
    fetch-depth: 0

- name: Run Gitleaks
  id: gitleaks
  uses: DariuszPorowski/github-action-gitleaks@v2
  with:
    report_format: sarif
    fail: false

# (optional) It's just to see outputs from the Action
# please note, the OUTPUT has to be passed via env vars!
- name: Get the output from the gitleaks step
  run: |
    echo "exitcode: ${{ steps.gitleaks.outputs.exitcode }}"
    echo "result: ${{ steps.gitleaks.outputs.result }}"
    echo "command: ${{ steps.gitleaks.outputs.command }}"
    echo "report: ${{ steps.gitleaks.outputs.report }}"
    echo "output: ${GITLEAKS_OUTPUT}"
  env:
    GITLEAKS_OUTPUT: ${{ steps.gitleaks.outputs.output }}

- name: Upload Gitleaks SARIF report to code scanning service
  if: ${{ steps.gitleaks.outputs.exitcode == 1 }}
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: ${{ steps.gitleaks.outputs.report }}

⚠️ SARIF file uploads for code scanning is not available for everyone. Read GitHub docs (Uploading a SARIF file to GitHub) for more information.

With JSON report and custom rules config

- name: Checkout
  uses: actions/checkout@v3
  with:
    fetch-depth: 0

- name: Run Gitleaks
  id: gitleaks
  uses: DariuszPorowski/github-action-gitleaks@v2
  with:
    config: MyGitleaksConfigs/MyGitleaksConfig.toml

- name: Upload Gitleaks JSON report to artifacts
  uses: actions/upload-artifact@v3
  if: failure()
  with:
    name: gitleaks
    path: ${{ steps.gitleaks.outputs.report }}

Additional rules

Jesse Houwing provided a Gitleaks config with most of Microsoft's deprecated CredScan rules. Consider using it if you need to scan projects based on Microsoft technologies or Azure Cloud.

Contributions

If you have any feedback on Gitleaks, please reach out to Zachary Rice (@zricethezav) for creating and maintaining Gitleaks.

Any feedback on the Gitleaks config for Azure UDMSecretChecks.toml file is welcome. Follow Jesse Houwing's GitHub repo - gitleaks-azure.

Thanks to C.J. May (@lawndoc) for contributing 🤘

Any feedback or contribution to this project is welcome!

How do I remove a secret from Git's history?

GitHub has a great article on this using the BFG Repo Cleaner.