Skip to content
eye

GitHub Action

Run GitLeaks

v1.2.1 Latest version

Run GitLeaks

eye

Run GitLeaks

Installs and runs GitLeaks in your actions workflow

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Run GitLeaks

uses: gacts/[email protected]

Learn more about this action in gacts/gitleaks

Choose a version

Logo

Run GitLeaks action

Release version Build Status License

This action provides a simple way to run GitLeaks in your CI/CD pipeline. It can be run on Linux (ubuntu-latest), macOS (macos-latest), or Windows (windows-latest).

In addition, it supports GitLeaks v8.x (and v7.x), and uses the GitHub caching mechanism to speed up your workflow execution time!

Tip

The config file can be located in .github directory (e.g.: <repo_root>/.github/.gitleaks.toml), and if with.config-path was not provided - it will be used.

Additional Configuration

gitleaks:allow

Note

Since GitLeaks v8.10.0

If you are knowingly committing a test secret that GitLeaks will catch you can add a gitleaks:allow comment to that line which will instruct GitLeaks to ignore that secret. Ex:

class CustomClass:
    discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' #gitleaks:allow

.gitleaksignore

Note

Since GitLeaks v8.10.0

You can ignore specific findings by creating a .gitleaksignore file at the root of your repo. In release v8.10.0 GitLeaks added a Fingerprint value to the GitLeaks report. Each leak, or finding, has a Fingerprint that uniquely identifies a secret. Add this fingerprint to the .gitleaksignore file to ignore that specific secret. See GitLeaks' .gitleaksignore for an example.

Note

This feature is experimental and is subject to change in the future.

Usage

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with: {fetch-depth: 0}

      - name: Check for GitLeaks
        uses: gacts/gitleaks@v1
        #id: gitleaks
        #with:
        #  version: latest
        #  config-path: .github/.gitleaks.toml
        #  path: any/directory/path

      #- if: ${{ always() }} # reason - https://github.com/gitleaks/gitleaks/issues/782
      #  uses: github/codeql-action/upload-sarif@v2
      #  with:
      #    sarif_file: ${{ steps.gitleaks.outputs.sarif }}

Note

You must use actions/checkout before the gacts/gitleaks step with fetch-depth: 0!

Customizing

Inputs

Following inputs can be used as step.with keys:

Name Type Default Required Description
version string latest yes GitLeaks version (latest or in 1.2.3 format)
config-path string built-in no Path to the config file
path string current working directory no Path to source
run boolean true no Set it to true to run GitLeaks, or false if you don't want it to run
fail-on-error boolean true no Set false for exiting without an error when GitLeaks run failed
github-token string ${{ github.token }} no GitHub auth token

Outputs

In subsequent steps you will be able to use the following variables:

Description How to use in your workflow Example
Path to the GitLeaks binary file ${{ steps.gitleaks.outputs.gitleaks-bin }} /tmp/gitleaks-8.7.1/gitleaks
Path to the report in SARIF format ${{ steps.gitleaks.outputs.sarif }} /tmp/gitleaks.sarif
GitLeaks exit code (will be set only if inputs.run is true) ${{ steps.gitleaks.outputs.exit-code }} 1

How do I remove a secret from git's history?

GitHub has a great article on this using the BFG Repo Cleaner.

Alternative projects

Releasing

To release a new version:

  • Build the action distribution (make build or npm run build).
  • Commit and push changes (including dist directory changes - this is important) to the master|main branch.
  • Publish the new release using the repo releases page (the git tag should follow the vX.Y.Z format).

Major and minor git tags (v1 and v1.2 if you publish a v1.2.Z release) will be updated automatically.

Support

Issues Pull Requests

If you find any errors in the action, please create an issue in this repository.

License

This is open-source software licensed under the MIT License.