Skip to content
Latchkey

How to Set Up Gitleaks Secret Scanning in CI

gitleaks/gitleaks-action runs the Gitleaks scanner on your checkout and fails the job when it finds a credential.

Check out the repo with full history, then run gitleaks/gitleaks-action. It scans commits for secrets using the default rules and exits non-zero on any finding.

Steps

  • Check out with fetch-depth: 0 so Gitleaks sees full history.
  • Add the gitleaks/gitleaks-action@v2 step.
  • Let a non-zero exit fail the job so leaks block the merge.

Workflow

.github/workflows/ci.yml
name: secret-scan
on: [push, pull_request]
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: "false"

Gotchas

  • Without fetch-depth: 0 the action only sees the latest commit and misses history.
  • If a real secret is found, rotate it first (assume it is compromised) before touching the scanner config.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →