Skip to content
Latchkey

How to Scan for PII and Secrets in CI

A secret and PII scanner run as a required check stops credentials and personal data from entering the repository in the first place.

Preventing PII and secrets from landing in source is a common control. This page runs gitleaks with custom PII patterns and fails the build on any hit. It is educational; tune patterns to the data classes you must protect and review findings by hand.

Steps

  • Run gitleaks over the diff or full history in CI.
  • Add custom rules for the PII shapes you care about (for example national ids).
  • Fail the job on findings and require the check for merge.

gitleaks job

.github/workflows/ci.yml
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITLEAKS_CONFIG: .gitleaks.toml

Custom PII rule

.gitleaks.toml
# .gitleaks.toml
[[rules]]
id = "us-ssn"
description = "US Social Security Number"
regex = '''\b\d{3}-\d{2}-\d{4}\b'''
tags = ["pii"]

Notes

  • Regex-based PII detection has false positives; route hits to a human before hard-blocking.
  • A found secret is already leaked; rotate it, do not just delete the commit.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →