How to Scan for PII and Secrets in CI
A secret and PII scanner run as a required check stops credentials and personal data from entering the repository in the first place.
Preventing PII and secrets from landing in source is a common control. This page runs gitleaks with custom PII patterns and fails the build on any hit. It is educational; tune patterns to the data classes you must protect and review findings by hand.
Steps
- Run gitleaks over the diff or full history in CI.
- Add custom rules for the PII shapes you care about (for example national ids).
- Fail the job on findings and require the check for merge.
gitleaks job
.github/workflows/ci.yml
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- uses: gitleaks/gitleaks-action@v2
env:
GITLEAKS_CONFIG: .gitleaks.tomlCustom PII rule
.gitleaks.toml
# .gitleaks.toml
[[rules]]
id = "us-ssn"
description = "US Social Security Number"
regex = '''\b\d{3}-\d{2}-\d{4}\b'''
tags = ["pii"]Notes
- Regex-based PII detection has false positives; route hits to a human before hard-blocking.
- A found secret is already leaked; rotate it, do not just delete the commit.
Related guides
How to Enforce Data Residency in CIKeep CI builds and artifacts in a specific region using region-pinned self-hosted runners and a residency che…
How to Add Vulnerability Gates to CIFail a GitHub Actions build on high or critical vulnerabilities with Trivy, a common SOC 2 and PCI expectatio…
How to Apply Least Privilege to CI TokensScope the GITHUB_TOKEN and OIDC cloud access to the minimum needed in GitHub Actions, so a compromised job ca…