gitleaks-action
by gitleaks
Gitleaks-Action is a GitHub Action that scans git repositories for hardcoded secrets such as passwords, API keys and tokens, and fails the workflow when it finds one, so leaked credentials are caught before they spread further.
Protect your secrets using Gitleaks-Action
Primary Use Case
Developers and security teams use this tool to automate secret scanning inside GitHub workflows, so that sensitive values accidentally committed or pushed in a pull request are identified quickly and can be rotated and removed. It is especially useful for organizations that need to enforce a no-secrets-in-git policy across many repositories.
- Detects hardcoded secrets such as passwords, API keys, and tokens in git repositories
- Integrates seamlessly as a GitHub Action in CI/CD workflows
- Supports scanning on pull requests, pushes, manual triggers, and scheduled runs
- Comments directly on pull requests when secrets are detected
- Configurable via environment variables and custom configuration files
- Supports licensed use for organization accounts via the GITLEAKS_LICENSE secret
- Uploads SARIF artifacts for security reporting
- Allows notification of specific GitHub users on secret leaks
Installation
- Add a gitleaks job to a workflow YAML file under .github/workflows in your repository
- Check out the code with actions/checkout@v4 and fetch-depth: 0 so the full git history is available to scan, rather than the single commit a shallow checkout provides
- Reference gitleaks/gitleaks-action@v2 as a step in that job
- Pass GITHUB_TOKEN (needed for pull request comments) and, for organization accounts, GITLEAKS_LICENSE as environment variables taken from repository secrets
- Optionally set further environment variables for notifications, pull request comments, a custom config path, and artifact uploads (in the action's v2 README these are GITLEAKS_NOTIFY_USER_LIST, GITLEAKS_ENABLE_COMMENTS, GITLEAKS_CONFIG, GITLEAKS_ENABLE_UPLOAD_ARTIFACT and GITLEAKS_ENABLE_SUMMARY; check the README for the version you pin)
Usage
```yaml
name: gitleaks
on:
  pull_request:
  push:
  workflow_dispatch:
  schedule:
    - cron: "0 4 * * *"   # daily at 04:00 UTC
jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so every commit is scanned
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}   # organization accounts only
```
Example GitHub Actions workflow that runs gitleaks on pull requests, pushes, manual triggers and a scheduled daily scan, with full git history checked out and license support. Two caveats: on pull requests opened from forks, repository secrets are not exposed to the job and GITHUB_TOKEN is read-only, so the license will be empty and pull request comments cannot be posted; and `@v2` is a mutable tag, so pin the action to a commit SHA if you want the scanner itself to be immune to tag changes.
- Run Gitleaks-Action in CI/CD pipelines so leaked secrets are detected before code is built or deployed.
- Enable automated pull request comments so the author sees the finding immediately and the exposure window is short.
- Upload the SARIF artifact and feed it into a central security dashboard for compliance auditing and trend analysis.
- Use the notification feature to alert security champions or the DevSecOps team as soon as a secret is detected.
- Treat every confirmed finding as a compromised credential: rotate it in its vault or issuing service first, then remove it from the git history. Deleting the commit alone does not revoke the secret.
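The SARIF artifact the action uploads is plain JSON and can be triaged without GitHub. The script below is an added example, not code from gitleaks-action or gitleaks: it flattens a SARIF 2.1.0 report into per-finding records, counts findings per rule and per commit, and redacts the matched secret so the summary can be forwarded to a dashboard or ticket without re-leaking the credential. The embedded report is constructed for the example in the layout gitleaks uses (`ruleId`, `locations[].physicalLocation`, commit metadata under `partialFingerprints`); the paths, commit hash, author and key values are invented, and `redact`, `parse_sarif` and `triage_report` are helper names chosen here. The third result deliberately carries no commit metadata and no snippet, as happens for a scan of a plain directory, to show the defaults applied.

```python
"""Triage a gitleaks SARIF artifact offline: redact the matched secrets, count
findings per rule and per commit, and exit non-zero when anything was found.
Example code, not part of gitleaks-action."""
import json
import sys
from collections import Counter
from dataclasses import asdict, dataclass

# Constructed sample in the SARIF 2.1.0 layout gitleaks writes: one run, one
# result per finding, commit metadata under partialFingerprints. Every path,
# hash, author and key value here is invented.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "gitleaks"}},
        "results": [
            {
                "ruleId": "aws-access-token",
                "message": {"text": "aws-access-token has detected secret for file deploy/prod.env"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "deploy/prod.env"},
                    "region": {"startLine": 12, "snippet": {"text": "AKIAEXAMPLEEXAMPLE01"}}}}],
                "partialFingerprints": {"commitSha": "9f2c1a0d3b4e5f60718293a4b5c6d7e8f9012345", "author": "dev-a"},
            },
            {
                "ruleId": "generic-api-key",
                "message": {"text": "generic-api-key has detected secret for file src/client.py"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/client.py"},
                    "region": {"startLine": 44, "snippet": {"text": "sk_live_0000example0000"}}}}],
                "partialFingerprints": {"commitSha": "9f2c1a0d3b4e5f60718293a4b5c6d7e8f9012345", "author": "dev-a"},
            },
            {   # no commit metadata and no snippet, as for a plain directory scan
                "ruleId": "aws-access-token",
                "message": {"text": "aws-access-token has detected secret for file scripts/backup.sh"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "scripts/backup.sh"},
                    "region": {"startLine": 3}}}],
            },
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    commit: str
    author: str
    secret: str  # redacted: never forward the raw match to a dashboard or ticket


def redact(secret: str) -> str:
    """Keep just enough of the match to recognise which credential to rotate."""
    if not secret:
        return "<no-snippet>"
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-2:]} ({len(secret)} chars)"


def parse_sarif(text: str) -> list[Finding]:
    """Flatten every result of every run; tolerate missing optional fields."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for result in run.get("results", []):
            physical = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            region = physical.get("region", {})
            prints = result.get("partialFingerprints", {})
            findings.append(Finding(
                rule_id=result.get("ruleId", "<no-rule>"),
                path=physical.get("artifactLocation", {}).get("uri", "<unknown>"),
                line=int(region.get("startLine", 0)),
                commit=prints.get("commitSha", "")[:7] or "<no-git>",
                author=prints.get("author", "<unknown>"),
                secret=redact(region.get("snippet", {}).get("text", "")),
            ))
    return findings


def by_rule(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule_id for f in findings))


def triage_report(text: str) -> dict:
    """Dashboard-safe summary: counts plus redacted per-finding records."""
    findings = parse_sarif(text)
    return {
        "total": len(findings),
        "by_rule": by_rule(findings),
        "by_commit": dict(Counter(f.commit for f in findings)),
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    # Usage: python triage.py results.sarif   (falls back to the embedded sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    report = triage_report(source)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["total"] else 0)  # fail the step when anything leaked
```

Point the script at the `results.sarif` downloaded from the workflow run artifact. Grouping by commit is what makes the output actionable: two findings in one commit usually mean one bad push and one author to contact, while the same rule firing across many commits suggests a long-lived secret that needs rotation regardless of which commit is eventually rewritten.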