30 lines
840 B
YAML
30 lines
840 B
YAML
# Scan the repository for committed secrets with gitleaks on every push and
|
|
# pull request. The job fails (and can be made a required check) if a secret
|
|
# is detected, so credentials never land in history.
|
|
|
|
name: gitleaks
|
|
|
|
on:
|
|
push:
|
|
pull_request:
|
|
|
|
jobs:
|
|
scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
# Full history — gitleaks needs depth to scan a commit range.
|
|
fetch-depth: 0
|
|
|
|
- name: install gitleaks
|
|
run: |
|
|
curl -sSL -o gl.tar.gz \
|
|
https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
|
|
tar xzf gl.tar.gz gitleaks
|
|
chmod +x gitleaks
|
|
./gitleaks version
|
|
|
|
- name: scan
|
|
run: |
|
|
./gitleaks detect --source . --no-banner --redact --verbose
|