Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/dariuszporowski/github-action-gitleaks
This GitHub Action allows you to run Gitleaks in your GitHub workflow.
https://github.com/dariuszporowski/github-action-gitleaks
devsecops github-actions gitleaks sast secrets secrets-detection secrets-management secrets-scan secrets-scanner security-scan security-scanner static-code-analysis
Last synced: about 2 months ago
JSON representation
This GitHub Action allows you to run Gitleaks in your GitHub workflow.
- Host: GitHub
- URL: https://github.com/dariuszporowski/github-action-gitleaks
- Owner: DariuszPorowski
- License: mit
- Created: 2021-10-29T20:14:51.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-02-05T02:58:14.000Z (about 1 year ago)
- Last Synced: 2024-09-19T20:46:37.820Z (5 months ago)
- Topics: devsecops, github-actions, gitleaks, sast, secrets, secrets-detection, secrets-management, secrets-scan, secrets-scanner, security-scan, security-scanner, static-code-analysis
- Language: Shell
- Homepage:
- Size: 94.7 KB
- Stars: 19
- Watchers: 3
- Forks: 9
- Open Issues: 9
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
Awesome Lists containing this project
README
# GitHub Action for Gitleaks
[](https://github.com/marketplace/actions/gitleaks-scanner)
[](https://github.com/DariuszPorowski/github-action-gitleaks/releases/latest)
[](https://github.com/DariuszPorowski/github-action-gitleaks/blob/main/LICENSE)
This GitHub Action allows you to run [Gitleaks](https://github.com/gitleaks/gitleaks) in your CI/CD workflow.
> ⚠️ `v2` of this GitHub Action supports only the latest version of Gitleaks from v8 release.
## Inputs
| Name | Required | Type | Default value | Description |
|---------------|:--------:|:------:|---------------------------------|----------------------------------------------------------------------------------|
| source | false | string | $GITHUB_WORKSPACE | Path to source (relative to $GITHUB_WORKSPACE) |
| config | false | string | /.gitleaks/UDMSecretChecks.toml | Config file path (relative to $GITHUB_WORKSPACE) |
| baseline_path | false | string | *not set* | Path to baseline with issues that can be ignored (relative to $GITHUB_WORKSPACE) |
| report_format | false | string | json | Report file format: json, csv, sarif |
| no_git | false | bool | *not set* | Treat git repos as plain directories and scan those file |
| redact | false | bool | true | Redact secrets from log messages and leaks |
| fail | false | bool | true | Fail if secrets founded |
| verbose | false | bool | true | Show verbose output from scan |
| log_level | false | string | info | Log level (trace, debug, info, warn, error, fatal) |
> ⚠️ The solution provides predefined configuration (See: [.gitleaks](https://github.com/DariuszPorowski/github-action-gitleaks/tree/main/.gitleaks) path). You can override it by yours config using relative to `$GITHUB_WORKSPACE`.
## Outputs
| Name | Description |
|----------|--------------------------------------------------------|
| exitcode | Success (code: 0) or failure (code: 1) value from scan |
| result | Gitleaks result summary |
| output | Gitleaks log output |
| command | Gitleaks executed command |
| report | Report file path |
## Example usage
> ⚠️ You must use `actions/checkout` before the `github-action-gitleaks` step. If you are using `actions/checkout@v3` you must specify a commit depth other than the default which is 1.
>
> Using a `fetch-depth` of '0' clones the entire history. If you want to do a more efficient clone, use '2', but that is not guaranteed to work with pull requests.
### Pull Request with comment
```yaml
---
name: Secret Scan
on:
pull_request:
push:
branches:
- main
# allow one concurrency
concurrency:
group: ${{ format('{0}-{1}-{2}-{3}-{4}', github.workflow, github.event_name, github.ref, github.base_ref, github.head_ref) }}
cancel-in-progress: true
jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Run Gitleaks
id: gitleaks
uses: DariuszPorowski/github-action-gitleaks@v2
with:
fail: false
- name: Post PR comment
uses: actions/github-script@v6
if: ${{ steps.gitleaks.outputs.exitcode == 1 && github.event_name == 'pull_request' }}
with:
github-token: ${{ github.token }}
script: |
const { GITLEAKS_RESULT, GITLEAKS_OUTPUT } = process.env
const output = `### ${GITLEAKS_RESULT}
Log output
${GITLEAKS_OUTPUT}
`
github.rest.issues.createComment({
...context.repo,
issue_number: context.issue.number,
body: output
})
env:
GITLEAKS_RESULT: ${{ steps.gitleaks.outputs.result }}
GITLEAKS_OUTPUT: ${{ steps.gitleaks.outputs.output }}
```
### With SARIF report
```yaml
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Run Gitleaks
id: gitleaks
uses: DariuszPorowski/github-action-gitleaks@v2
with:
report_format: sarif
fail: false
# (optional) It's just to see outputs from the Action
# please note, the OUTPUT has to be passed via env vars!
- name: Get the output from the gitleaks step
run: |
echo "exitcode: ${{ steps.gitleaks.outputs.exitcode }}"
echo "result: ${{ steps.gitleaks.outputs.result }}"
echo "command: ${{ steps.gitleaks.outputs.command }}"
echo "report: ${{ steps.gitleaks.outputs.report }}"
echo "output: ${GITLEAKS_OUTPUT}"
env:
GITLEAKS_OUTPUT: ${{ steps.gitleaks.outputs.output }}
- name: Upload Gitleaks SARIF report to code scanning service
if: ${{ steps.gitleaks.outputs.exitcode == 1 }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.gitleaks.outputs.report }}
```
> ⚠️ SARIF file uploads for code scanning is not available for everyone. Read GitHub docs ([Uploading a SARIF file to GitHub](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)) for more information.
### With JSON report and custom rules config
```yaml
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Run Gitleaks
id: gitleaks
uses: DariuszPorowski/github-action-gitleaks@v2
with:
config: MyGitleaksConfigs/MyGitleaksConfig.toml
- name: Upload Gitleaks JSON report to artifacts
uses: actions/upload-artifact@v3
if: failure()
with:
name: gitleaks
path: ${{ steps.gitleaks.outputs.report }}
```
## Additional rules
[Jesse Houwing](https://github.com/jessehouwing) provided a Gitleaks config with most of Microsoft's deprecated CredScan rules. Consider using it if you need to scan projects based on Microsoft technologies or Azure Cloud.
- [UDMSecretChecks.toml](https://github.com/jessehouwing/gitleaks-azure/blob/main/UDMSecretChecksv8.toml)
## Contributions
If you have any feedback on `Gitleaks`, please reach out to [Zachary Rice (@zricethezav)](https://github.com/zricethezav) for creating and maintaining [Gitleaks](https://github.com/gitleaks/gitleaks).
Any feedback on the Gitleaks config for Azure `UDMSecretChecks.toml` file is welcome. Follow Jesse Houwing's GitHub repo - [gitleaks-azure](https://github.com/jessehouwing/gitleaks-azure).
Thanks to [C.J. May (@lawndoc)](https://github.com/lawndoc) for contributing 🤘
Any feedback or contribution to this project is welcome!
## How do I remove a secret from Git's history?
[GitHub](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository) has a great article on this using the [BFG Repo Cleaner](https://rtyley.github.io/bfg-repo-cleaner/).