Gitleaks-Action is a GitHub Action that automatically detects and prevents hardcoded secrets like passwords and API keys in git repositories to protect sensitive data.
Protect your secrets using Gitleaks-Action
This tool is used by developers and security teams to automate secret scanning within GitHub workflows, ensuring that any accidental exposure of sensitive information in code commits or pull requests is quickly identified and remediated. It is especially useful for organizations aiming to enforce compliance and secure their codebases against secret leaks.
Organizations must obtain and configure a free license key via the GITLEAKS_LICENSE environment variable; personal accounts do not require this. Ensure GITHUB_TOKEN is properly set to enable PR commenting and API interactions. Customize scanning behavior and notifications through optional environment variables. Using fetch-depth: 0 in the checkout step is critical: it fetches the full git history so that secrets committed and later removed are still scanned.
Add the gitleaks-action to your GitHub workflow YAML file under jobs
Use actions/checkout@v4 with fetch-depth: 0 to ensure full git history is available
Reference gitleaks/gitleaks-action@v2 in the workflow steps
Set required environment variables such as GITHUB_TOKEN and optionally GITLEAKS_LICENSE for organizations
Optionally configure additional environment variables for notifications, comments, config path, and artifact uploads
name: gitleaks
on:
  pull_request:
  push:
  workflow_dispatch:
  schedule:
    - cron: "0 4 * * *"
jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
Example GitHub Actions workflow configuration to run gitleaks on pull requests, pushes, manual triggers, and scheduled daily scans, with full git history checkout and license support.
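The fetch-depth point above, as an added example that is not part of gitleaks-action: a throwaway repository commits a constructed fake key and then removes it, and the script compares what a depth-1 clone (the checkout default) and a full clone still expose. It assumes git is installed; the FAKE_KEY value and the grep pattern are constructed stand-ins for a gitleaks rule, and gitleaks itself is not invoked.

```shell
#!/bin/sh
# Added example, not gitleaks-action code: why checkout needs fetch-depth: 0.
# A constructed fake key is committed and then removed; a depth-1 clone no
# longer contains the leaking commit, while a full clone still does.
# The grep pattern stands in for a gitleaks rule; gitleaks is not invoked.
set -e

FAKE_KEY='EXAMPLE_FAKE_KEY_not_a_real_credential_0123456789'   # constructed
GIT="git -c user.name=demo -c user.email=demo@example.invalid"

# build_origin DIR: commit 1 leaks the fake key, commit 2 removes it again
build_origin() {
  $GIT init -q "$1"
  echo "api_key = $FAKE_KEY" > "$1/config.env"
  $GIT -C "$1" add config.env
  $GIT -C "$1" commit -q -m "add config"
  echo "api_key = <redacted>" > "$1/config.env"
  $GIT -C "$1" add config.env
  $GIT -C "$1" commit -q -m "remove leaked key"
}

# history_hits DIR: number of added lines in any commit that contain the key
history_hits() {
  git -C "$1" log -p --all --format= | grep -c "^+.*$FAKE_KEY" || true
}

# compare WORKDIR: echoes "shallow=N full=M" for the two checkout strategies
compare() {
  rm -rf "$1" && mkdir -p "$1"
  build_origin "$1/origin"
  url="file://$(cd "$1/origin" && pwd)"
  git clone -q --depth 1 "$url" "$1/shallow"   # what fetch-depth: 1 yields
  git clone -q "$url" "$1/full"                # what fetch-depth: 0 yields
  echo "shallow=$(history_hits "$1/shallow") full=$(history_hits "$1/full")"
}

compare "$(mktemp -d)/demo"
```

Expect "shallow=0 full=1": the shallow clone has only the cleaned-up commit, so a history scan there reports nothing while the full clone still reveals the leak.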