How to Set Up Gitleaks Secret Scanning in CI
gitleaks/gitleaks-action runs the Gitleaks scanner on your checkout and fails the job when it finds a credential.
Check out the repo with full history, then run gitleaks/gitleaks-action. It scans commits for secrets using the default rules and exits non-zero on any finding.
Steps
- Check out with
fetch-depth: 0so Gitleaks sees full history. - Add the
gitleaks/gitleaks-action@v2step. - Let a non-zero exit fail the job so leaks block the merge.
Workflow
.github/workflows/ci.yml
name: secret-scan
on: [push, pull_request]
jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITLEAKS_ENABLE_UPLOAD_ARTIFACT: "false"Gotchas
- Without
fetch-depth: 0the action only sees the latest commit and misses history. - If a real secret is found, rotate it first (assume it is compromised) before touching the scanner config.
Related guides
How to Configure Gitleaks Rules With .gitleaks.tomlCustomize Gitleaks detection by extending the default rule set in a .gitleaks.toml, adding your own regex rul…
How to Scan Full Git History for Secrets in CIScan the entire commit history for leaked secrets in CI by checking out with fetch-depth 0, so a credential d…