GitHub Action
Run GitLeaks
Run GitLeaks action
This action provides a simple way to run GitLeaks in your CI/CD pipeline. It can be run on Linux (ubuntu-latest), macOS (macos-latest), or Windows (windows-latest).
In addition, it supports GitLeaks v8.x (and v7.x), and uses GitHub caching mechanism to speed up your workflow execution time!
The config file can be located in .github directory (eg.: <repo_root>/.github/.gitleaks.toml), and if with.config-path was not provided - it will be used.
Since GitLeaks v8.10.0
If you are knowingly committing a test secret that gitleaks will catch you can add a gitleaks:allow comment to that line which will instruct gitleaks
to ignore that secret. Ex:
class CustomClass:
discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' #gitleaks:allowSince GitLeaks v8.10.0
You can ignore specific findings by creating a .gitleaksignore file at the root of your repo. In release v8.10.0 Gitleaks added a Fingerprint value to the Gitleaks report. Each leak, or finding, has a Fingerprint that uniquely identifies a secret. Add this fingerprint to the .gitleaksignore file to ignore that specific secret. See Gitleaks' .gitleaksignore for an example. Note: this feature is expirmental and is subject to change in the future.
jobs:
gitleaks:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
with: {fetch-depth: 0}
- name: Check for GitLeaks
uses: gacts/gitleaks@v1 # Action page: <https://github.com/gacts/gitleaks>
#id: gitleaks
#with:
# version: latest
# config-path: .github/.gitleaks.toml
# path: any/directory/path
#- if: ${{ always() }} # reason - https://github.com/zricethezav/gitleaks/issues/782
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: ${{ steps.gitleaks.outputs.sarif }}Note: You must use
actions/checkoutbefore thegacts/gitleaksstep withfetch-depth: 0!
Following inputs can be used as step.with keys:
| Name | Type | Default | Required | Description |
|---|---|---|---|---|
version |
string |
latest |
yes | GitLeaks version (latest or in 1.2.3 format) |
config-path |
string |
built-in | no | Path to the config file |
path |
string |
current working directory | no | Path to source |
run |
boolean |
true |
no | Set it to true to run GitLeaks, or false if you don't want it to run |
fail-on-error |
boolean |
true |
no | Set false for exiting without an error when GitLeaks run failed |
github-token |
string |
${{ github.token }} |
no | GitHub auth token |
In subsequent steps you will be able to use the following variables:
| Description | How to use in your workflow | Example |
|---|---|---|
| Path to the GitLeaks binary file | ${{ steps.gitleaks.outputs.gitleaks-bin }} |
/tmp/gitleaks-8.7.1/gitleaks |
| Path to the report in SARIF format | ${{ steps.gitleaks.outputs.sarif }} |
/tmp/gitleaks.sarif |
GitLeaks exit code (will be set only if inputs.run is true) |
${{ steps.gitleaks.outputs.exit-code }} |
1 |
GitHub has a great article on this using the BFG Repo Cleaner.
New versions releasing scenario:
- Make required changes in the changelog file
- Build the action distribution (
make buildoryarn build) - Commit and push changes (including
distdirectory changes - this is important) into themasterbranch - Publish new release using repo releases page (git tag should follow
vX.Y.Zformat)
Major and minor git tags (v1 and v1.2 if you publish v1.2.Z release) will be updated automatically.
If you find any action errors, please, make an issue in the current repository.
This is open-sourced software licensed under the MIT License.