Skip to content
Latchkey

How to Scan CI Build Logs for Leaked Secrets

A command that echoes a variable can print a secret into the job log; mask known values and scan the captured output.

Mask runtime values with ::add-mask:: so GitHub redacts them, then capture and scan any log you archive so a leaked token is caught rather than stored in plaintext.

Steps

  • Mask any computed secret with ::add-mask:: before use.
  • Capture logs you plan to upload as an artifact.
  • Run a scanner over the captured log and fail on a hit.

Workflow

.github/workflows/ci.yml
steps:
  - id: token
    run: |
      TOKEN=$(./mint.sh)
      echo "::add-mask::$TOKEN"
  - run: ./build.sh 2>&1 | tee build.log
  - name: Scan the log
    run: docker run --rm -v "$PWD:/w" zricethezav/gitleaks:latest \
        detect --no-git --source /w/build.log

Gotchas

  • Masking only redacts logs going forward; a value printed before the mask leaks once, so rotate it.
  • Uploaded log artifacts persist; scan before upload, not after someone downloads them.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →