How to Run a Secrets Scan on PRs in GitHub Actions
A committed API key is a security incident the moment it merges; a secrets scan stops it at the PR.
Run gitleaks over the PR diff so any matching credential pattern fails the check and blocks the merge.
Steps
- Check out with full history so gitleaks can scan the diff (
fetch-depth: 0). - Run the gitleaks action against the repository.
- Maintain a
.gitleaks.tomlallowlist for false positives like example tokens.
Workflow
.github/workflows/secrets-scan.yml
name: Secrets Scan
on: [pull_request]
jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}Notes
- Rotate any secret the scan finds; CI failing does not undo the exposure.
- On Latchkey managed runners secret scans run cheaper and self-heal if a runner dies.
Related guides
How to Run a Dependency Audit in GitHub ActionsRun npm audit in GitHub Actions and fail the build on high-severity vulnerabilities so a known CVE in a depen…
How to Mask a Custom Secret in Logs in GitHub ActionsMask a value computed at runtime in GitHub Actions logs with the add-mask workflow command so a derived token…