How to Scan CI Build Logs for Leaked Secrets
A command that echoes a variable can print a secret into the job log; mask known values and scan the captured output.
Mask runtime values with ::add-mask:: so GitHub redacts them, then capture and scan any log you archive so a leaked token is caught rather than stored in plaintext.
Steps
- Mask any computed secret with
::add-mask::before use. - Capture logs you plan to upload as an artifact.
- Run a scanner over the captured log and fail on a hit.
Workflow
.github/workflows/ci.yml
steps:
- id: token
run: |
TOKEN=$(./mint.sh)
echo "::add-mask::$TOKEN"
- run: ./build.sh 2>&1 | tee build.log
- name: Scan the log
run: docker run --rm -v "$PWD:/w" zricethezav/gitleaks:latest \
detect --no-git --source /w/build.logGotchas
- Masking only redacts logs going forward; a value printed before the mask leaks once, so rotate it.
- Uploaded log artifacts persist; scan before upload, not after someone downloads them.
Related guides
How to Scan Container Image Layers for Secrets in CIScan a built container image for secrets baked into its layers using Trivy, catching credentials copied in du…
How to Respond When CI Finds a Leaked SecretFollow a rotate-first incident response when a secret scan finds a real credential: revoke and reissue the ke…