┌─○───┐
│ │╲ │
│ │ ○ │
│ ○ ┌─┴───────────────────┐
└─░─┤ 4 github actions │
└─────────────────────┘
Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code. Enable Gitleaks-Action in your GitHub workflows to be alerted when secrets are leaked as soon as they happen.
name: gitleaks
on: [pull_request, push, workflow_dispatch]
jobs:
scan:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: zricethezav/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only required for Organizations, not personal accounts.GITHUB_TOKEN: This variable is automatically assigned by GitHub when any action gets kicked off. You can read more about the token here.
gitleaks-action uses this token to call a GitHub API to comment on PRs.GITLEAKS_LICENSE(required): A gitleaks-action license obtained at gitleaks.io. It should be added as an encrypted secret to the repo or to the organization.GITLEAKS_NOTIFY_USER_LIST(optional): A list of GitHub accounts that should be alerted when gitleaks-action detects a leak. An email will be sent by GitHub to the user if their GitHub notification settings permit it. The format should be comma-separated with each username prefixed with@. Ex:@octocat,@zricethezav,@gitleaks. Spaces are okay too.GITLEAKS_ENABLE_COMMENTS: (optional): Boolean value that turns on or off PR commenting. Default value istrue. Set tofalseto disable comments.GITLEAKS_CONFIG: (optional): Path to a gitleaks configuration file.
If you are scanning repos that belong to an organization account, you will need to obtain a license key. You can obtain a free license key for scanning 1 repo.
If you are scanning repos that belong to a personal account, then no license key is required.
You can visit gitleaks.io to sign up for a free license key limited to 1 repo, or choose from a paid tier to enable scanning of additional repos.
You can! This GitHub Action follows a similar order of precedence
as the gitleaks CLI tool. You can use GITLEAKS_CONFIG to explicitly set a
config path or create a gitleaks.toml at the root of the repo which will be
automatically detected and used by gitleaks-action.
The only data that gitleaks-action sends to any third party is data related to license key validation (namely GITLEAKS_LICENSE, repo name, and repo owner), which is sent to the license key validation service, keygen. Your code never leaves GitHub because the scanning takes place within the GitHub Actions docker container.
Can I use gitleaks-action as a third-party tool for GitHub code scanning?
You can but it is not recommended because it gives a false sense of security. If a secret is leaked in one commit, then removed in a subsequent commit, the security alert in the GitHub Security dashboard will show as resolved, even though the secret is still visible in the commit history. To truly address the leak, you should rotate the secret (and also consider re-writing the git history to remove the leak altogether).
Enable this gitleaks-action and copy
<img alt="gitleaks badge" src="https://img.shields.io/badge/protected%20by-gitleaks-blue"> to your readme.
Since v2.0.0 of Gitleaks-Action, the license has changed from MIT to a commercial license. Prior versions to v2.0.0 of Gitleaks-Actions will remain under the MIT license.
Copyright © 2022 Gitleaks LLC - All Rights Reserved