Skip to content
Latchkey

gitleaks "no commits to scan" from a shallow clone in CI

actions/checkout does a shallow clone (fetch-depth: 1) by default, so gitleaks sees only the latest commit and scans almost no history. Secrets added in earlier commits slip through silently.

What this error means

gitleaks logs "scanned ~1 commits" or warns that the clone is shallow, and passes green even though a secret exists deeper in history. In diff mode it may log "no commits to scan".

gitleaks
9:20AM WRN detected shallow clone; scanning only the current commit
9:20AM INF scanned ~1 commits
9:20AM INF no leaks found

Common causes

Default shallow checkout hides history

With fetch-depth: 1, only the tip commit exists on the runner, so gitleaks cannot walk the history where the secret was introduced.

Diff-only scan against a base that is not fetched

A PR diff scan needs both base and head commits; a shallow clone lacks the base, so the range is empty.

How to fix it

Fetch the full history in checkout

  1. Set fetch-depth: 0 on the checkout step so the whole history is available.
  2. Run gitleaks after checkout so it can walk every commit.
  3. Confirm the log now reports the real commit count.
.github/workflows/ci.yml
- uses: actions/checkout@v4
  with:
    fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2

Fetch just the base ref for PR diff scans

If a full clone is too large, fetch the base branch explicitly so the diff range is complete.

Terminal
git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
gitleaks detect --log-opts="origin/main..HEAD"

How to prevent it

  • Use fetch-depth: 0 for any history-based secret scan.
  • Verify the scanned commit count is what you expect in the log.
  • For large repos, fetch the base ref rather than skipping history.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →