How to Roll Out Org-Wide Secret Scanning Policy
A reusable workflow plus org defaults gives every repo the same scan without maintaining copies in each one.
Publish a reusable workflow that runs your scanner, call it from each repo (or a required org workflow), and enable native scanning defaults for new repos so coverage is uniform.
Steps
- Create a reusable
secret-scan.ymlwithon: workflow_call. - Call it from each repo, or enforce via a required org workflow.
- Enable native scanning defaults for new repositories at the org level.
Caller workflow
.github/workflows/ci.yml
jobs:
scan:
uses: my-org/ci/.github/workflows/secret-scan.yml@main
secrets: inheritGotchas
- Pin the reusable workflow to a tag or SHA so a change cannot alter every repo unreviewed.
- A repo can opt out unless the workflow is required; enforce at the org level for real coverage.
Related guides
How to Enable GitHub Push Protection and Secret ScanningTurn on GitHub native secret scanning and push protection so provider-partnered credential patterns are block…
How to Schedule Recurring Full Secret Scans in CIRun a full-history secret scan on a schedule with on.schedule and a cron expression, catching secrets in old…