How to Scan Secrets in GitHub Actions

How to Scan Secrets in GitHub Actions


Hello tech enthusiasts! Today, we’re going to delve into a topic that’s extremely relevant in the world of Cloud and DevOps technologies – scanning for secrets in GitHub Actions. As many of you know, GitHub Actions has quickly become a go-to solution for automating software workflows. However, in the process of fast and efficient delivery, security must not be left behind. Specifically, we need to ensure we’re not inadvertently leaking sensitive information such as API keys, passwords, or secret tokens in our repositories. That’s where the concept of scanning secrets comes in!

Concepts Involved

Before we go any further, let’s briefly touch on a couple of important concepts:

GitHub Actions

GitHub Actions is an API for cause and effect on GitHub. This feature allows you to automate, customize, and execute your software development workflows right in your repository. You can write individual tasks, called “actions,” and combine them to create a custom workflow. Workflows are custom automated processes that you can set up in your repository to build, test, package, release, or deploy any project on GitHub.

Secret Scanning

Secret scanning is a feature that detects secrets or sensitive information in your code. It’s a way to protect your application from potential vulnerabilities that could be exploited by malicious users. When you commit and push to GitHub, secret scanning checks the changes for known secret formats.

Step-by-step Guide to Scan Secrets in GitHub Actions

Now that we’re familiar with the fundamental concepts, let’s move on to the main event. Here’s a step-by-step guide to scanning secrets in GitHub Actions:

Step 1: Choose a Secret Scanning Tool

There are various open-source tools available for secret scanning like GitLeaks, TruffleHog, or SecretLint. For this blog, let’s use GitLeaks as it’s fairly popular and easy to use. However, feel free to use any tool you prefer.

Step 2: Create a GitHub Actions Workflow

Create a new file in your repository under the .github/workflows directory and name it gitleaks.yml.

Step 3: Configure the Workflow

Open the gitleaks.yml file and configure it as follows:

This configuration instructs GitHub Actions to run GitLeaks on every push to any branch. The ** under branches acts as a wildcard, meaning all branches.


And there you have it – a simple yet effective way to add secret scanning to your GitHub Actions workflows. With this configuration, every time you make a push to any branch, Gitleaks will run and scan for sensitive information in your commits. This not only helps you improve the security of your codebase but also makes you a more responsible developer.

Security in the world of DevOps is not a destination, but a journey. So, keep exploring, keep learning, and remember to always safeguard your secrets!