Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
eye

GitHub Action

Run GitLeaks

v1.2.0

Run GitLeaks

eye

Run GitLeaks

Installs and runs GitLeaks in your actions workflow

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Run GitLeaks

uses: gacts/gitleaks@v1.2.0

Learn more about this action in gacts/gitleaks

Choose a version

Logo

Run GitLeaks action

Release version Build Status License

This action provides a simple way to run GitLeaks in your CI/CD pipeline. It can be run on Linux (ubuntu-latest), macOS (macos-latest), or Windows (windows-latest).

In addition, it supports GitLeaks v8.x (and v7.x), and uses GitHub caching mechanism to speed up your workflow execution time!

The config file can be located in .github directory (eg.: <repo_root>/.github/.gitleaks.toml), and if with.config-path was not provided - it will be used.

Additional Configuration

gitleaks:allow

Since GitLeaks v8.10.0

If you are knowingly committing a test secret that gitleaks will catch you can add a gitleaks:allow comment to that line which will instruct gitleaks to ignore that secret. Ex:

class CustomClass:
    discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'  #gitleaks:allow

.gitleaksignore

Since GitLeaks v8.10.0

You can ignore specific findings by creating a .gitleaksignore file at the root of your repo. In release v8.10.0 Gitleaks added a Fingerprint value to the Gitleaks report. Each leak, or finding, has a Fingerprint that uniquely identifies a secret. Add this fingerprint to the .gitleaksignore file to ignore that specific secret. See Gitleaks' .gitleaksignore for an example. Note: this feature is expirmental and is subject to change in the future.

Usage

jobs:
  gitleaks:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
        with: {fetch-depth: 0}

      - name: Check for GitLeaks
        uses: gacts/gitleaks@v1 # Action page: <https://github.com/gacts/gitleaks>
        #id: gitleaks
        #with:
        #  version: latest
        #  config-path: .github/.gitleaks.toml
        #  path: any/directory/path

      #- if: ${{ always() }} # reason - https://github.com/zricethezav/gitleaks/issues/782
      #  uses: github/codeql-action/upload-sarif@v2
      #  with:
      #    sarif_file: ${{ steps.gitleaks.outputs.sarif }}

Note: You must use actions/checkout before the gacts/gitleaks step with fetch-depth: 0!

Customizing

Inputs

Following inputs can be used as step.with keys:

Name Type Default Required Description
version string latest yes GitLeaks version (latest or in 1.2.3 format)
config-path string built-in no Path to the config file
path string current working directory no Path to source
run boolean true no Set it to true to run GitLeaks, or false if you don't want it to run
fail-on-error boolean true no Set false for exiting without an error when GitLeaks run failed
github-token string ${{ github.token }} no GitHub auth token

Outputs

In subsequent steps you will be able to use the following variables:

Description How to use in your workflow Example
Path to the GitLeaks binary file ${{ steps.gitleaks.outputs.gitleaks-bin }} /tmp/gitleaks-8.7.1/gitleaks
Path to the report in SARIF format ${{ steps.gitleaks.outputs.sarif }} /tmp/gitleaks.sarif
GitLeaks exit code (will be set only if inputs.run is true) ${{ steps.gitleaks.outputs.exit-code }} 1

How do I remove a secret from git's history?

GitHub has a great article on this using the BFG Repo Cleaner.

Alternative projects

Releasing

New versions releasing scenario:

  • Make required changes in the changelog file
  • Build the action distribution (make build or yarn build)
  • Commit and push changes (including dist directory changes - this is important) into the master branch
  • Publish new release using repo releases page (git tag should follow vX.Y.Z format)

Major and minor git tags (v1 and v1.2 if you publish v1.2.Z release) will be updated automatically.

Support

Issues Issues

If you find any action errors, please, make an issue in the current repository.

License

This is open-sourced software licensed under the MIT License.