-
Notifications
You must be signed in to change notification settings - Fork 0
32 lines (27 loc) · 873 Bytes
/
Copy pathsecret-scan.yml
File metadata and controls
32 lines (27 loc) · 873 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
name: Secret scan
# Source-of-truth secret detection. Runs on every PR and on pushes to main.
# The local pre-commit hook (bin/install-git-hooks) is fast feedback; this
# workflow is the gate that secrets cannot bypass via `git commit --no-verify`.
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
jobs:
gitleaks:
name: gitleaks
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
with:
# gitleaks needs full history to scan the diff range. fetch-depth: 0
# is the documented setup for the official action.
fetch-depth: 0
- name: Run gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Use the .gitleaks.toml at the repo root.
GITLEAKS_CONFIG: .gitleaks.toml