GitHub Action
Run GitLeaks
Run GitLeaks action
This action provides a simple way to run GitLeaks in your CI/CD pipeline. It can be run on Linux
(ubuntu-latest), macOS (macos-latest), or Windows (windows-latest).
In addition, it supports GitLeaks v8.x (and v7.x), and uses the GitHub caching mechanism to speed up your workflow execution time!
Tip
The config file can be located
in .github directory (e.g.: <repo_root>/.github/.gitleaks.toml), and if with.config-path was not
provided - it will be used.
Note
Since GitLeaks v8.10.0
If you are knowingly committing a test secret that GitLeaks will catch you can add a gitleaks:allow comment to
that line which will instruct GitLeaks to ignore that secret. Ex:
class CustomClass:
discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' #gitleaks:allowNote
Since GitLeaks v8.10.0
You can ignore specific findings by creating a .gitleaksignore file at the root of your repo. In release v8.10.0
GitLeaks added a Fingerprint value to the GitLeaks report. Each leak, or finding, has a Fingerprint that uniquely
identifies a secret. Add this fingerprint to the .gitleaksignore file to ignore that specific secret. See
GitLeaks' .gitleaksignore for an example.
Note
This feature is experimental and is subject to change in the future.
jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with: {fetch-depth: 0}
- name: Check for GitLeaks
uses: gacts/gitleaks@v1
#id: gitleaks
#with:
# version: latest
# config-path: .github/.gitleaks.toml
# path: any/directory/path
#- if: ${{ always() }} # reason - https://github.com/gitleaks/gitleaks/issues/782
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: ${{ steps.gitleaks.outputs.sarif }}Note
You must use actions/checkout before the gacts/gitleaks step with fetch-depth: 0!
Following inputs can be used as step.with keys:
| Name | Type | Default | Required | Description |
|---|---|---|---|---|
version |
string |
latest |
yes | GitLeaks version (latest or in 1.2.3 format) |
config-path |
string |
built-in | no | Path to the config file |
path |
string |
current working directory | no | Path to source |
run |
boolean |
true |
no | Set it to true to run GitLeaks, or false if you don't want it to run |
fail-on-error |
boolean |
true |
no | Set false for exiting without an error when GitLeaks run failed |
github-token |
string |
${{ github.token }} |
no | GitHub auth token |
In subsequent steps you will be able to use the following variables:
| Description | How to use in your workflow | Example |
|---|---|---|
| Path to the GitLeaks binary file | ${{ steps.gitleaks.outputs.gitleaks-bin }} |
/tmp/gitleaks-8.7.1/gitleaks |
| Path to the report in SARIF format | ${{ steps.gitleaks.outputs.sarif }} |
/tmp/gitleaks.sarif |
GitLeaks exit code (will be set only if inputs.run is true) |
${{ steps.gitleaks.outputs.exit-code }} |
1 |
GitHub has a great article on this using the BFG Repo Cleaner.
- Official GitHub action (license key is required)
To release a new version:
- Build the action distribution (
make buildornpm run build). - Commit and push changes (including
distdirectory changes - this is important) to themaster|mainbranch. - Publish the new release using the repo releases page (the git tag should follow the
vX.Y.Zformat).
Major and minor git tags (v1 and v1.2 if you publish a v1.2.Z release) will be updated automatically.
Tip
Use Dependabot to keep this action updated in your repository.
If you find any errors in the action, please create an issue in this repository.
This is open-source software licensed under the MIT License.