Skip to content
Latchkey

How to Roll Out Org-Wide Secret Scanning Policy

A reusable workflow plus org defaults gives every repo the same scan without maintaining copies in each one.

Publish a reusable workflow that runs your scanner, call it from each repo (or a required org workflow), and enable native scanning defaults for new repos so coverage is uniform.

Steps

  • Create a reusable secret-scan.yml with on: workflow_call.
  • Call it from each repo, or enforce via a required org workflow.
  • Enable native scanning defaults for new repositories at the org level.

Caller workflow

.github/workflows/ci.yml
jobs:
  scan:
    uses: my-org/ci/.github/workflows/secret-scan.yml@main
    secrets: inherit

Gotchas

  • Pin the reusable workflow to a tag or SHA so a change cannot alter every repo unreviewed.
  • A repo can opt out unless the workflow is required; enforce at the org level for real coverage.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →