{"id":15750492,"url":"https://github.com/guibranco/github-infisical-secrets-check-action","last_synced_at":"2026-05-11T09:56:57.705Z","repository":{"id":257069763,"uuid":"857416485","full_name":"guibranco/github-infisical-secrets-check-action","owner":"guibranco","description":"🚨 :octocat: A GitHub action to check and report secrets leaks in the repository using Infisical CLI","archived":false,"fork":false,"pushed_at":"2026-05-11T06:57:43.000Z","size":347,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-11T08:37:14.001Z","etag":null,"topics":["gh-actions","github-actions","hacktoberfest","hacktoberfest2024","infisical","secrets","security","security-analysis","validation"],"latest_commit_sha":null,"homepage":"http://guilherme.stracini.com.br/github-infisical-secrets-check-action/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/guibranco.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-09-14T15:47:50.000Z","updated_at":"2026-05-11T06:56:54.000Z","dependencies_parsed_at":"2025-01-20T07:31:28.037Z","dependency_job_id":"98e4f735-151f-4a37-8b92-97bd65e4c901","html_url":"https://github.com/guibranco/github-infisical-secrets-check-action","commit_stats":{"total_commits":47,"total_committers":3,"mean_commits":"15.666666666666666","dds":0.3191489361702128,"last_synced_commit":"9ea74f303419b9303389faea55639356e4626a0c"},"previous_names":["gui
branco/github-infisical-secrets-check-action"],"tags_count":139,"template":false,"template_full_name":null,"purl":"pkg:github/guibranco/github-infisical-secrets-check-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guibranco%2Fgithub-infisical-secrets-check-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guibranco%2Fgithub-infisical-secrets-check-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guibranco%2Fgithub-infisical-secrets-check-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guibranco%2Fgithub-infisical-secrets-check-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/guibranco","download_url":"https://codeload.github.com/guibranco/github-infisical-secrets-check-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guibranco%2Fgithub-infisical-secrets-check-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32889971,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-10T13:40:02.631Z","status":"online","status_checked_at":"2026-05-11T02:00:05.975Z","response_time":120,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gh-actions","github-actions","hacktoberfest","hacktoberfest2024","infisical","secrets","security","security-analysis","vali
dation"],"created_at":"2024-10-04T06:41:00.544Z","updated_at":"2026-05-11T09:56:57.686Z","avatar_url":"https://github.com/guibranco.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# GitHub Infisical secrets check Action\n\n[![GitHub repo](https://img.shields.io/badge/GitHub-guibranco%2Fgithub--infisical--secrets--check--action-green.svg?style=plastic\u0026logo=github)](https://github.com/guibranco/github-infisical-secrets-check-action \"shields.io\")\n[![GitHub last commit](https://img.shields.io/github/last-commit/guibranco/github-infisical-secrets-check-action?color=green\u0026logo=github\u0026style=plastic\u0026label=Last%20commit)](https://github.com/guibranco/github-infisical-secrets-check-action \"shields.io\")\n[![GitHub license](https://img.shields.io/github/license/guibranco/github-infisical-secrets-check-action?color=green\u0026logo=github\u0026style=plastic\u0026label=License)](https://github.com/guibranco/github-infisical-secrets-check-action \"shields.io\")\n\n![CI](https://github.com/guibranco/github-infisical-secrets-check-action/actions/workflows/ci.yml/badge.svg)\n![Test](https://github.com/guibranco/github-infisical-secrets-check-action/actions/workflows/test.yml/badge.svg)\n[![wakatime](https://wakatime.com/badge/github/guibranco/github-infisical-secrets-check-action.svg)](https://wakatime.com/badge/github/guibranco/github-infisical-secrets-check-action)\n\n🚨 :octocat: A GitHub action to check and report secret leaks in the repository using [Infisical CLI](https://infisical.com/docs/cli/commands/scan).\n\n---\n\n## Usage\n\nThe following workflow step will scan for secret leaks in your repository.\n\n```yml\n- name: Infisical Secrets Check\n  id: secrets-scan\n  uses: guibranco/github-infisical-secrets-check-action@v5.0.1\n````\n\n---\n\n## Inputs\n\n| Input         | Description                                    | Required | Default               |\n| ------------- | 
---------------------------------------------- | -------- | --------------------- |\n| `GH_TOKEN`    | GitHub token to add comments in pull requests  | No       | `${{ github.TOKEN }}` |\n| `ADD_COMMENT` | Whether to comment results in the pull request | No       | `true`                |\n\n---\n\n## Outputs\n\n| Output           | Description                                                  |\n| ---------------- | ------------------------------------------------------------ |\n| `secrets-leaked` | The number of secrets leaked found by the Infisical CLI tool |\n\n---\n\n## Examples\n\n### Basic usage with default settings\n\n```yml\nname: Infisical secrets check\n\non:\n  workflow_dispatch:\n  pull_request:\n\njobs:\n  secrets-check:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      pull-requests: write\n    steps:\n      - name: Infisical Secrets Check\n        uses: guibranco/github-infisical-secrets-check-action@v5.0.1\n```\n\n---\n\n### With a custom GitHub token\n\n```yml\nname: Infisical secrets check\n\non:\n  workflow_dispatch:\n  pull_request:\n\njobs:\n  secrets-check:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      pull-requests: write\n    steps:\n      - name: Infisical Secrets Check\n        uses: guibranco/github-infisical-secrets-check-action@v5.0.1\n        with:\n          GH_TOKEN: ${{ secrets.CUSTOM_GH_TOKEN }}\n```\n\nRemember to add the repository secret `CUSTOM_GH_TOKEN`.\n\n---\n\n### Disable PR comments\n\n```yml\nname: Infisical secrets check\n\non:\n  workflow_dispatch:\n  pull_request:\n\njobs:\n  secrets-check:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      pull-requests: write\n    steps:\n      - name: Infisical Secrets Check\n        uses: guibranco/github-infisical-secrets-check-action@v5.0.1\n        with:\n          ADD_COMMENT: false\n```\n\n---\n\n### Using outputs in subsequent steps\n\n```yml\nname: Infisical secrets check\n\non:\n  
workflow_dispatch:\n  pull_request:\n\njobs:\n  secrets-check:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      pull-requests: write\n    steps:\n      - name: Infisical Secrets Check\n        id: secrets-scan\n        uses: guibranco/github-infisical-secrets-check-action@v5.0.1\n        \n      - name: Handle secrets found\n        if: steps.secrets-scan.outputs.secrets-leaked \u003e 0\n        run: |\n          echo \"Found ${{ steps.secrets-scan.outputs.secrets-leaked }} leaked secrets!\"\n          # Add your custom handling logic here\n```\n\n---\n\n## Sample outputs\n\n### Success - ✅ No secrets leaked\n\n![success](success.png)\n\n---\n\n### Failure - 🚨 Secrets leaked!\n\nVersion 5 introduces an improved remediation workflow:\n\nWhen secrets are detected, the action now:\n\n* Shows detected fingerprints\n* Generates `.infisicalignore` update suggestions\n* Provides a **Commit suggestion button directly inside the PR comment**\n* Automatically creates or updates `.infisicalignore`\n* Prevents duplicate fingerprints\n\nThis allows contributors to fix false positives **without leaving the pull request UI**.\n\n![failure](failure.png)\n\n---\n\n### Tool Failure - ⚠️ Unable to complete scan\n\nWhen the Infisical CLI fails to run (due to network issues, API rate limiting, etc.), the action will post a clear error message:\n\n* Explains that this is a tool failure, not a security issue\n* Provides suggestions for resolution (re-run workflow, check logs)\n* Includes a link to workflow logs for debugging\n* Clarifies that the failure doesn't mean secrets were found\n\n---\n\n## Features\n\n* 🔍 **Comprehensive scanning** using the latest Infisical CLI\n* 💬 **Smart PR comments** with structured scan results\n* 🧠 **Interactive remediation workflow (new in v5)** with commit suggestion support\n* 📝 **Automatic `.infisicalignore` generation/update suggestions**\n* 🧹 **Duplicate fingerprint prevention**\n* 📊 **Detailed CSV and Markdown reports**\n* 
🔒 **Fork-safe execution**\n* ⚡ **Efficient dependency caching**\n* 🛡️ **Robust failure detection and reporting**\n* 📎 **Workflow-friendly outputs**\n* 🔧 **Configurable comment behavior**\n\n---\n\n## Error Handling\n\nVersion 4 introduced improved error handling that prevents confusing empty comments.\n\nVersion 5 builds on this by improving remediation guidance:\n\n* Generates commit suggestions for ignore rules\n* Prevents duplicate ignore entries\n* Improves PR workflow ergonomics\n* Keeps scan failures clearly separated from security failures\n\nThe action will fail the workflow appropriately, providing meaningful feedback on what went wrong and how to resolve it.\n\n---\n\n## Permissions\n\nThe action requires the following permissions:\n\n```yml\npermissions:\n  contents: read\n  pull-requests: write\n```\n\n---\n\n## Ignoring False Positives\n\nIf the scan detects false positives:\n\nVersion 5 allows you to fix them directly from the PR comment.\n\nThe action now automatically:\n\n1. Detects whether `.infisicalignore` exists\n2. Creates the file if missing\n3. Appends fingerprints if present\n4. Removes duplicates automatically\n5. Generates a **Commit suggestion button**\n\nSimply click the suggestion button inside the PR comment to apply the ignore list instantly.\n\nManual fallback (still supported):\n\nCreate a `.infisicalignore` file at the repository root:\n\n```\nfingerprint_value_here\nanother_fingerprint_here\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fguibranco%2Fgithub-infisical-secrets-check-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fguibranco%2Fgithub-infisical-secrets-check-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fguibranco%2Fgithub-infisical-secrets-check-action/lists"}