Scan your codebase for hardcoded secrets before they reach production. This GitHub Action integrates KeyEnv's secret scanning directly into your CI/CD pipeline.
- Detect API keys, tokens, passwords, and other secrets
- Configurable severity thresholds
- Cross-platform support (Linux, macOS)
- Optional upload to KeyEnv dashboard
- JSON output for downstream processing
Add to your workflow to scan for secrets on every push:

```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan for secrets
        uses: keyenv/scan-action@v1
```

Only fail on critical and high severity findings:
```yaml
- name: Scan for secrets
  uses: keyenv/scan-action@v1
  with:
    severity: high
```

Scan only a specific directory:
```yaml
- name: Scan for secrets
  uses: keyenv/scan-action@v1
  with:
    path: ./src
    severity: medium
```

Upload scan results to your KeyEnv dashboard for tracking and reporting:
```yaml
- name: Scan for secrets
  uses: keyenv/scan-action@v1
  with:
    upload: true
    token: ${{ secrets.KEYENV_TOKEN }}
```

Access scan results in downstream steps:
```yaml
- name: Scan for secrets
  id: scan
  uses: keyenv/scan-action@v1
  continue-on-error: true
- name: Process results
  if: steps.scan.outputs.findings-count > 0
  env:
    # Hand the JSON to the shell through an environment variable instead of
    # expanding it inside the quoted command, so quotes or other shell
    # metacharacters in the output cannot break (or alter) the command.
    FINDINGS_JSON: ${{ steps.scan.outputs.findings-json }}
  run: |
    echo "Found ${{ steps.scan.outputs.findings-count }} secrets"
    printf '%s' "$FINDINGS_JSON" | jq '.findings[]'
```

Use a specific version of the KeyEnv CLI:
```yaml
- name: Scan for secrets
  uses: keyenv/scan-action@v1
  with:
    version: v0.5.0
```

| Input | Description | Required | Default |
|---|---|---|---|
| `severity` | Minimum severity to fail the check (`critical`, `high`, `medium`, `low`) | No | `medium` |
| `path` | Path to scan | No | `.` |
| `upload` | Upload results to KeyEnv dashboard | No | `false` |
| `token` | KeyEnv service token (required if `upload` is `true`) | No | |
| `version` | KeyEnv CLI version to use | No | `latest` |
| Output | Description |
|---|---|
| `findings-count` | Number of secrets found |
| `findings-json` | JSON object containing all findings and summary |
- critical: Highly sensitive secrets (e.g., production API keys, private keys)
- high: Sensitive credentials (e.g., database passwords, OAuth tokens)
- medium: Potentially sensitive data (e.g., internal API keys)
- low: Low-risk findings (e.g., generic patterns that may be false positives)
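The "Process results" step above pipes `findings-json` straight into `jq`, which prints every finding, matched value included, into the job log. The script below is an added example (not part of keyenv/scan-action) of a downstream step that applies the same four-level severity threshold as the action's `severity` input and reports blocking findings without writing the secret itself to the log. The action documents `findings-json` only as an object with a `findings` array and a summary, so the per-finding fields (`type`, `severity`, `file`, `line`, `secret`) and the sample data are assumptions constructed for this example.

```python
"""Downstream processing of the action's findings-json output.

Added example, not part of keyenv/scan-action. The per-finding fields used
here (type, severity, file, line, secret) and the sample data are assumed;
the action itself only promises a `findings` array plus a summary.
"""
import json
import os
import sys

# The action's four severity levels, ranked so a threshold can be compared.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample of what findings-json might contain (assumed schema).
SAMPLE_FINDINGS_JSON = json.dumps({
    "findings": [
        {"type": "aws_access_key", "severity": "critical",
         "file": "config/prod.env", "line": 12, "secret": "AKIAEXAMPLEKEY000000"},
        {"type": "database_password", "severity": "high",
         "file": "docker-compose.yml", "line": 7, "secret": "hunter2"},
        {"type": "generic_token", "severity": "low",
         "file": "tests/fixtures.py", "line": 3, "secret": "test-token-not-real"},
    ],
    "summary": {"total": 3},
})


def load_findings(findings_json):
    """Parse the findings-json string and return the list of findings."""
    data = json.loads(findings_json)
    return data.get("findings", [])


def findings_at_or_above(findings, threshold):
    """Return findings whose severity meets the threshold, mirroring the
    action's `severity` input: with `high`, only high and critical block."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {threshold!r}")
    floor = SEVERITY_RANK[threshold]
    # A finding with an unrecognised severity is ranked lowest, not dropped.
    return [f for f in findings
            if SEVERITY_RANK.get(f.get("severity"), 0) >= floor]


def redact(value):
    """Keep enough to triage (first 4 chars and the length) without writing
    the secret itself into the CI log; short values are fully masked."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}***({len(value)} chars)"


def summarize(findings_json, threshold="medium"):
    """Counts by severity plus the pass/fail decision for the threshold."""
    findings = load_findings(findings_json)
    counts = {level: 0 for level in SEVERITY_RANK}
    for f in findings:
        counts[f.get("severity")] = counts.get(f.get("severity"), 0) + 1
    blocking = findings_at_or_above(findings, threshold)
    return {
        "total": len(findings),
        "by_severity": counts,
        "blocking": len(blocking),
        "should_fail": len(blocking) > 0,
    }


def report_lines(findings_json, threshold="medium"):
    """One log-safe line per blocking finding (secret value redacted)."""
    return [
        f"{f['severity'].upper():<8} {f['file']}:{f['line']} {f['type']} "
        f"value={redact(f['secret'])}"
        for f in findings_at_or_above(load_findings(findings_json), threshold)
    ]


if __name__ == "__main__":
    # In a workflow step, pass the output via env rather than shell expansion:
    #   env:
    #     FINDINGS_JSON: ${{ steps.scan.outputs.findings-json }}
    #     SEVERITY: high
    raw = os.environ.get("FINDINGS_JSON", SAMPLE_FINDINGS_JSON)
    level = os.environ.get("SEVERITY", "medium")
    result = summarize(raw, level)
    for line in report_lines(raw, level):
        print(line)
    print(f"{result['blocking']} of {result['total']} findings at or above {level}")
    sys.exit(1 if result["should_fail"] else 0)
```

Run with no environment variables to see it on the constructed sample; in a workflow, set `FINDINGS_JSON` and `SEVERITY` in the step's `env:` block and let the non-zero exit status fail the job. Ranking unknown severities lowest rather than discarding them means a malformed finding is still counted when the threshold is `low`.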
- Run on pull requests: Catch secrets before they're merged
- Use `severity: high` in CI to reduce false positives
- Upload results to track security trends over time
- Store tokens securely: Use GitHub Secrets for your KeyEnv token
```yaml
name: Security
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
  pull-requests: write # needed only by the PR comment step
jobs:
  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Full history for better detection
      - name: Scan for secrets
        id: scan
        uses: keyenv/scan-action@v1
        with:
          severity: high
          upload: true
          token: ${{ secrets.KEYENV_TOKEN }}
      - name: Comment on PR
        if: failure() && github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: '## Secret Scan Failed\n\nSecrets were detected in this PR. Please remove them before merging.\n\nFound: ${{ steps.scan.outputs.findings-count }} secrets'
            })
```

MIT License - see LICENSE for details.