Gitleaks Action

  ┌─○───┐
  │ │╲  │
  │ │ ○ │
  │ ○ ┌─┴───────────────────┐
  └─░─┤  4 github actions   │
      └─────────────────────┘

Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code. Enable Gitleaks-Action in your GitHub workflows to be alerted when secrets are leaked as soon as they happen.

Announcements

📢 Release of Gitleaks-Action v2

6/13/2022

Show/hide details On June 2, 2022, we released Gitleaks Action v2. There are a boatload of improvements in v2, but it also represents a breaking change from the prior version (v1.6.0). We haven't merged v2 to the master branch yet because we noticed that many users of Gitleaks Action don't pin their version. If you are using zricethezav/gitleaks-action@master (or now gitleaks/gitleaks-action@master), then as soon as we merge v2 to master, your jobs will start failing. We are planning to complete the merge on June 20, 2022. We recommend updating your .yml files to use v2 now so you aren't scrambling to do it after your gitleaks-action jobs start failing. As an alternative, you can pin your version to v1.6.0 for now, if you aren't ready to upgrade at the moment. How to upgrade to v2 For full details, see the rest of the v2 README below. Here is the quick list of changes to your .yml: Change the "uses" line to - uses: gitleaks/gitleaks-action@v2 Add an env: section with GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} If you are scanning repos that belong to an organization, you'll also have to acquire a GITLEAKS_LICENSE, add the license to your GitHub Secrets, and add this line to the env: section: GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} How to pin to v1.6.0 Change your "uses" line to gitleaks/[email protected] Set a reminder to upgrade to v2 later.

v2 Benefits

If you are using Gitleaks-Action v2 to scan repos owned by an Organization, you will find that you need to acquire a GITEAKS_LICENSE in order for the action to run. A "Starter" license to scan 1 repo is free, but scanning more than 1 repo belonging to the same organization requires a paid license. This raises the obvious question:

Is v2 really worth paying for?

It's a fair question. We think that the new features and improvements in v2 deliver exceptional value for the price. We put together a list of some of the top reasons we think v2 is worth paying for.

1. On demand scans

You can now use workflow_dispatch events to trigger on demand gitleaks scans.

2. Gitleaks report artifact uploads

Not much more to say here. Download reports when leaks are present. Pretty useful feature.

3. Powered by the latest version of Gitleaks

The latest version of gitleaks (v8.8.6 at the time of writing) has better performance, more configuration options, and is more accurate than the previous major version.

4. Job summaries

Easy to understand report of a Gitleaks job. If no leaks are detected you'll see:

If leaks are detected you'll see something like:

5. Faster job times

Gitleaks-Action Version 2 does not rely on Docker build anymore.

6. Pull Request Comments

If a leak is encountered during a pull request, gitleaks-action will comment on the line number and commit containing the secret.

7. Ensure Project Longevity

Gitleaks is used by thousands (millions?) of developers around the world. It is used by individuals, governments, and corporations to prevent and detect leaked secrets. Until now, everything associated with gitleaks has been Free and Open Source under the MIT License, maintained primarily as a side project by 1 person. Let's be honest, that wasn't a sustainable model (and it was starting to feel like an xkcd comic).

By buying a GITLEAKS_LICENSE to use v2, you are supporting the gitleaks project as a whole and helping to ensure the longevity of the project.

Usage Example

name: gitleaks
on:
  pull_request:
  push:
  workflow_dispatch:
  schedule:
    - cron: "0 4 * * *" # run once a day at 4 AM
jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only required for Organizations, not personal accounts.

---

Environment Variables:

• GITHUB_TOKEN: This variable is automatically assigned by GitHub when any action gets kicked off. You can read more about the token here. gitleaks-action uses this token to call a GitHub API to comment on PRs.
• GITLEAKS_LICENSE (required for organizations, not required for user accounts): A gitleaks-action license can be obtained at gitleaks.io. It should be added as an encrypted secret to the repo or to the organization.
• GITLEAKS_NOTIFY_USER_LIST (optional): A list of GitHub accounts that should be alerted when gitleaks-action detects a leak. An email will be sent by GitHub to the user if their GitHub notification settings permit it. The format should be comma-separated with each username prefixed with @. Ex: @octocat,@zricethezav,@gitleaks. Spaces are okay too.
• GITLEAKS_ENABLE_COMMENTS (optional): Boolean value that turns on or off PR commenting. Default value is true. Set to false to disable comments.
• GITLEAKS_CONFIG (optional): Path to a gitleaks configuration file.
• GITLEAKS_ENABLE_UPLOAD_ARTIFACT (optional): Boolean value that turns on or off uploading a sarif artifact when gitleaks detects secrets. Defaults to true.
• GITLEAKS_ENABLE_SUMMARY (optional): Boolean value to enable or disable gitleaks job summary. Defaults to true.

---

Questions

Do I need a license key?

If you are scanning repos that belong to an organization account, you will need to obtain a license key. You can obtain a free "Starter" license key for scanning 1 repo. Scanning more than 1 repo belonging to the same organization requires a paid license.

If you are scanning repos that belong to a personal account, then no license key is required.

How do I get a license key?

You can visit gitleaks.io to sign up for a free license key limited to 1 repo, or choose from a paid tier to enable scanning of additional repos.

Can I use a custom gitleaks configuration?

You can! This GitHub Action follows a similar order of precedence as the gitleaks CLI tool. You can use GITLEAKS_CONFIG to explicitly set a config path or create a gitleaks.toml at the root of the repo which will be automatically detected and used by gitleaks-action.

Does this GitHub Action send any data to 3rd parties?

The only data that gitleaks-action sends to any third party is data related to license key validation (namely GITLEAKS_LICENSE, repo name, and repo owner), which is sent to the license key validation service, keygen. Your code never leaves GitHub because the scanning takes place within the GitHub Actions docker container.

Can I use gitleaks-action as a third-party tool for GitHub code scanning?

You can but it is not recommended because it gives a false sense of security. If a secret is leaked in one commit, then removed in a subsequent commit, the security alert in the GitHub Security dashboard will show as resolved, even though the secret is still visible in the commit history. To truly address the leak, you should rotate the secret (and also consider re-writing the git history to remove the leak altogether).

Why is my gitleaks-action job suddenly failing?

6/21/2022

On June 21, 2022, we merged Gitleaks Action v2 into the master branch. This was a breaking update, and we made an effort to contact as many of our users as possible via GitHub, social media, etc. If you didn't know this breaking update was coming, we sincerely apologize for the inconvenience. The good news is, remedying the job failure is straightforward! You can either:

1. Upgrade to v2, or
2. Pin to an older version

Please note that if you are scanning repos that belong to an organization, you'll have to acquire a GITLEAKS_LICENSE to use v2 (free "Starter" license available). That might come as a surprise to my users that are accustomed to using Gitleaks-Action free of charge, so I wrote a blog post explaining how/why I decided to monetize this project: https://blog.gitleaks.io/gitleaks-llc-announcement-d7d06a52e801

Finally, please see above for a summary of why I think you'll love the new v2 release: v2 Benefits

How can I get a gitleaks badge on my readme?

Enable this gitleaks-action and copy <img alt="gitleaks badge" src="https://img.shields.io/badge/protected%20by-gitleaks-blue"> to your readme.

I really need a secret scanner, but I have no money to buy a license. What can I do?

If you are scanning repos that belong to a personal account, then no license key is required. You can use it for free!

If your organization needs a secret scanner, you still have a few options:

• First, we do recommend writing up a brief justification for the powers-that-be at your organization, asking them to allocate budget for secret scanning. If you need help writing something up, contact us via our website: https://gitleaks.io/index.html
• You can encourage your developers to run the gitleaks core tool as a pre-commit hook (https://github.com/zricethezav/gitleaks#pre-commit). In fact, we encourage everyone to do this anyway, even if they are also running Gitleaks-Action v2.
• You can always pin your Gitleaks-Action yml to the last free version of Gitleaks-Action (v1.6.0). See here: How to pin to v1.6.0
  Caveat: There are some known issues with that version, and it's no longer receiving updates. But it's better than nothing.

License Change

Since v2.0.0 of Gitleaks-Action, the license has changed from MIT to a commercial license. Prior versions to v2.0.0 of Gitleaks-Actions will remain under the MIT license.

Copyright © 2022 Gitleaks LLC - All Rights Reserved