Skip to content
Latchkey

How to Run a Secrets Scan on PRs in GitHub Actions

A committed API key is a security incident the moment it merges; a secrets scan stops it at the PR.

Run gitleaks over the PR diff so any matching credential pattern fails the check and blocks the merge.

Steps

  • Check out with full history so gitleaks can scan the diff (fetch-depth: 0).
  • Run the gitleaks action against the repository.
  • Maintain a .gitleaks.toml allowlist for false positives like example tokens.

Workflow

.github/workflows/secrets-scan.yml
name: Secrets Scan
on: [pull_request]
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Notes

  • Rotate any secret the scan finds; CI failing does not undo the exposure.
  • On Latchkey managed runners secret scans run cheaper and self-heal if a runner dies.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →