gitleaks "no commits to scan" from a shallow clone in CI
actions/checkout does a shallow clone (fetch-depth: 1) by default, so gitleaks sees only the latest commit and scans almost no history. Secrets added in earlier commits slip through silently.
What this error means
gitleaks logs "scanned ~1 commits" or warns that the clone is shallow, and passes green even though a secret exists deeper in history. In diff mode it may log "no commits to scan".
9:20AM WRN detected shallow clone; scanning only the current commit
9:20AM INF scanned ~1 commits
9:20AM INF no leaks foundCommon causes
Default shallow checkout hides history
With fetch-depth: 1, only the tip commit exists on the runner, so gitleaks cannot walk the history where the secret was introduced.
Diff-only scan against a base that is not fetched
A PR diff scan needs both base and head commits; a shallow clone lacks the base, so the range is empty.
How to fix it
Fetch the full history in checkout
- Set
fetch-depth: 0on the checkout step so the whole history is available. - Run gitleaks after checkout so it can walk every commit.
- Confirm the log now reports the real commit count.
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2Fetch just the base ref for PR diff scans
If a full clone is too large, fetch the base branch explicitly so the diff range is complete.
git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
gitleaks detect --log-opts="origin/main..HEAD"How to prevent it
- Use
fetch-depth: 0for any history-based secret scan. - Verify the scanned commit count is what you expect in the log.
- For large repos, fetch the base ref rather than skipping history.