{"id":14985918,"url":"https://github.com/gitleaks/gitleaks-action","last_synced_at":"2026-01-12T02:48:30.184Z","repository":{"id":37257779,"uuid":"242854909","full_name":"gitleaks/gitleaks-action","owner":"gitleaks","description":"Protect your secrets using Gitleaks-Action","archived":false,"fork":false,"pushed_at":"2025-04-17T01:58:55.000Z","size":2774,"stargazers_count":387,"open_issues_count":40,"forks_count":145,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-05-06T18:08:22.201Z","etag":null,"topics":["action","actions","github","github-actions","secret-scanner","secret-scanning","secrets","security","security-automation","security-tools","static-analysis"],"latest_commit_sha":null,"homepage":"https://gitleaks.io","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gitleaks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-02-24T22:11:13.000Z","updated_at":"2025-05-06T13:03:54.000Z","dependencies_parsed_at":"2024-02-22T03:28:44.006Z","dependency_job_id":"89559e87-4f8c-4704-981d-fc4f45e0a03f","html_url":"https://github.com/gitleaks/gitleaks-action","commit_stats":{"total_commits":234,"total_committers":18,"mean_commits":13.0,"dds":0.4786324786324786,"last_synced_commit":"83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3"},"previous_names":[],"tags_count":41,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitleaks%2Fgitleaks-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitleaks%2
Fgitleaks-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitleaks%2Fgitleaks-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitleaks%2Fgitleaks-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gitleaks","download_url":"https://codeload.github.com/gitleaks/gitleaks-action/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254436949,"owners_count":22070947,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["action","actions","github","github-actions","secret-scanner","secret-scanning","secrets","security","security-automation","security-tools","static-analysis"],"created_at":"2024-09-24T14:11:56.974Z","updated_at":"2026-01-12T02:48:30.176Z","avatar_url":"https://github.com/gitleaks.png","language":"JavaScript","funding_links":[],"categories":["Security","JavaScript"],"sub_categories":[],"readme":"# Gitleaks Action\n\n```\n\n  ┌─○───┐\n  │ │╲  │\n  │ │ ○ │\n  │ ○ ┌─┴───────────────────┐\n  └─░─┤  4 github actions   │\n      └─────────────────────┘\n\n```\n\n\u003cp align=\"left\"\u003e\n    \u003ca href=\"https://github.com/zricethezav/gitleaks-action\"\u003e\n        \u003cimg alt=\"gitleaks badge\" src=\"https://img.shields.io/badge/protected%20by-gitleaks-blue\"\u003e\n    \u003c/a\u003e\n\u003c/p\u003e\n\nGitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. 
Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code. Enable **Gitleaks-Action** in your GitHub workflows to be alerted when secrets are leaked as soon as they happen. Check out our demos [here (.gif)](https://user-images.githubusercontent.com/15034943/178513034-de5a1906-b71d-454a-a792-47b7ac0e21e6.gif) and [here (.png)](https://user-images.githubusercontent.com/15034943/193462170-7314a63b-1c37-4c9e-ac93-33d6d3fc561a.png), or see what's new in v2 [here](v2.md). Don't forget to check out our [blog](https://blog.gitleaks.io), which details how to configure and set up Gitleaks-Action for organizations and enterprises.\n\n## Usage Example\n\n```yml\nname: gitleaks\non:\n  pull_request:\n  push:\n  workflow_dispatch:\n  schedule:\n    - cron: \"0 4 * * *\" # run once a day at 4 AM\njobs:\n  scan:\n    name: gitleaks\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n      - uses: gitleaks/gitleaks-action@v2\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} # Only required for Organizations, not personal accounts.\n```\n\n\n---\n### Environment Variables:\n\n- `GITHUB_TOKEN`: This variable is automatically assigned by GitHub when any action gets kicked off. You can read more about the token [here](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret).\n  **gitleaks-action** uses this token to call [a GitHub API](https://octokit.github.io/rest.js/v18#pulls-create-review-comment) to comment on PRs.\n- `GITLEAKS_LICENSE` (required for organizations, not required for user accounts): A **gitleaks-action** license can be obtained at [gitleaks.io](https://gitleaks.io). 
**It should be added as an encrypted secret [to the repo](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository) or [to the organization](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-an-organization).**\n- `GITLEAKS_NOTIFY_USER_LIST` (optional): A list of GitHub accounts that should be alerted when **gitleaks-action** detects a leak. An email will be sent by GitHub to the user if their GitHub notification settings permit it. The format should be comma-separated with each username prefixed with `@`. Ex: `@octocat,@zricethezav,@gitleaks`. Spaces are okay too.\n- `GITLEAKS_ENABLE_COMMENTS` (optional): Boolean value that turns on or off PR commenting. Default value is `true`.\n  Set to `false` to disable comments.\n- `GITLEAKS_CONFIG` (optional): Path to a [gitleaks configuration file](https://github.com/zricethezav/gitleaks#configuration).\n- `GITLEAKS_ENABLE_UPLOAD_ARTIFACT` (optional): Boolean value that turns on or off uploading a sarif artifact when gitleaks detects secrets. Defaults to `true`.\n- `GITLEAKS_ENABLE_SUMMARY` (optional): Boolean value to enable or disable gitleaks job summary. Defaults to `true`.\n- `GITLEAKS_VERSION` (optional): A particular Gitleaks version to use (e.g. `8.15.3`, no `v` prefix) or use `latest` to always use the newest available version. 
Defaults to a hard-coded version number.\n---\n\n## Questions\n\n### Do I need a _free_ license key?\nIf you are scanning repos that belong to [an organization account](https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations), you will need to obtain a [free license key](https://gitleaks.io)\n\nIf you are scanning repos that belong to [a personal account](https://docs.github.com/en/get-started/learning-about-github/types-of-github-accounts#personal-accounts), then no license key is required.\n\n### How do I get a _free_ license key?\n\nYou can visit [gitleaks.io](https://gitleaks.io) to sign up for a\nfree license key. Clicking \"Sign Up\" will take you to a google form where you will need to supply name, email, and company. An email with a license key will show up shortly after submission.\n\n### Can I use a custom gitleaks configuration?\n\nYou can! This GitHub Action follows a similar order of precedence\nas the gitleaks CLI tool. You can use `GITLEAKS_CONFIG` to explicitly set a\nconfig path _or_ create a `gitleaks.toml` at the root of the repo which will be\nautomatically detected and used by **gitleaks-action**.\n\n### Does this GitHub Action send any data to 3rd parties?\n\nThe only data that **gitleaks-action** sends to any third party is data related to license key validation (namely `GITLEAKS_LICENSE`, [repo name](https://github.com/zricethezav/gitleaks-action/blob/v2/src/keygen.js#L76), and [repo owner](https://github.com/zricethezav/gitleaks-action/blob/v2/src/keygen.js#L18)), which is sent to the license key validation service, [keygen](https://keygen.sh). 
Your code never leaves GitHub: the scan runs locally on the GitHub Actions runner that executes your workflow, and only the license-validation fields listed above are sent out.\n\n### Can I use **gitleaks-action** as a third-party tool for [GitHub code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository)?\n\nYou _can_, but it is not recommended because it gives a false sense of security. If a secret is leaked in one commit and removed in a subsequent commit,\nthe alert in the GitHub Security dashboard will show as resolved, even though the secret is still visible in the commit history and must be treated as compromised. To truly address the leak,\nrotate the secret (and also consider rewriting the git history to remove the leak altogether).\n\n### Why is my gitleaks-action job suddenly failing?\n_6/21/2022_\n\nOn June 21, 2022, we merged [Gitleaks Action v2](https://github.com/gitleaks/gitleaks-action/releases/tag/v2.0.0) into the `master` branch. This was a breaking update, and we made an effort to contact as many of our users as possible via GitHub, social media, etc. If you didn't know this breaking update was coming, we sincerely apologize for the inconvenience. The good news is, remedying the job failure is straightforward! You can either:\n1. [Upgrade to v2](v2.md#how-to-upgrade-to-v2), or\n2. [Pin to an older version](v2.md#how-to-pin-to-v160)\n\nPlease note that if you are scanning repos that belong to an organization, you'll have to [acquire a GITLEAKS_LICENSE](https://github.com/gitleaks/gitleaks-action#environment-variables) to use v2 (a free \"Trial\" license is available). 
That might come as a surprise to users who are accustomed to using Gitleaks-Action free of charge, so I wrote a blog post explaining how/why I decided to monetize this project: https://blog.gitleaks.io/gitleaks-llc-announcement-d7d06a52e801\n\nFinally, see the v2 notes for a summary of why I think you'll love the new v2 release: [v2 Benefits](v2.md#v2-benefits)\n\n### How can I get a gitleaks badge on my readme?\n\nEnable this **gitleaks-action** and copy\n`\u003cimg alt=\"gitleaks badge\" src=\"https://img.shields.io/badge/protected%20by-gitleaks-blue\"\u003e` to your readme.\n\n## License Change\nSince v2.0.0 of Gitleaks-Action, the license has changed from MIT to a custom [license](LICENSE.txt). Versions prior to v2.0.0 of Gitleaks-Action remain under the MIT license.\n\n## Contributing\nPlease see our [contributing guidelines](CONTRIBUTING.md).\n\n_Copyright © 2022 Gitleaks LLC - All Rights Reserved_\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgitleaks%2Fgitleaks-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgitleaks%2Fgitleaks-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgitleaks%2Fgitleaks-action/lists"}
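Added example, not part of the README above or of the gitleaks-action project: a hardened variant of the README's Usage Example workflow. The README's own history (the breaking v2 merge into `master` that made the `v2` tag behave differently overnight) is the reason to pin the action to a full commit SHA rather than a moving tag. The example also restricts the automatic `GITHUB_TOKEN` to the permissions the action needs (`contents: read` for checkout, `pull-requests: write` for the PR review comments the README says the token is used for), keeps `fetch-depth: 0` so past commits are scanned rather than only the latest one, and pins `GITLEAKS_VERSION` so a new upstream release cannot silently change scan results. The `<full-commit-sha>` placeholder and the `.github/gitleaks.toml` config path are assumptions to be replaced with your own values; the environment variable names are the ones documented in the README.

```yaml
name: gitleaks
on:
  pull_request:
  push:
  workflow_dispatch:
  schedule:
    - cron: "0 4 * * *" # daily full-history sweep, independent of pushes

# Least privilege for the automatic GITHUB_TOKEN. Everything not listed is 'none'.
permissions:
  contents: read        # actions/checkout needs to read the repo
  pull-requests: write  # PR review comments (GITLEAKS_ENABLE_COMMENTS=true); 'read' suffices if comments are disabled

jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history: a shallow clone leaves older commits unscanned

      # Placeholder: replace <full-commit-sha> with the 40-character SHA of the
      # gitleaks-action release you reviewed. A SHA cannot be moved the way the
      # 'v2' tag was when the breaking v2 release landed on master.
      - uses: gitleaks/gitleaks-action@<full-commit-sha> # v2.x.y (keep the tag in a comment for humans)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} # organizations only; stored as an encrypted secret, never inline
          GITLEAKS_VERSION: "8.15.3"          # assumed pin; bump deliberately, not via 'latest'
          GITLEAKS_CONFIG: .github/gitleaks.toml # assumed path to a committed, reviewed config
          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: "true" # keep the SARIF for triage even when the job fails
```

Two checks before relying on this: confirm the SHA you pin matches the tag you reviewed (`git ls-remote https://github.com/gitleaks/gitleaks-action refs/tags/v2.x.y` on the tag name you chose), and remember that a resolved finding is not a remediated one, as the code-scanning FAQ above explains: rotate any secret the scan reports, regardless of whether a later commit removed it.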