Skip to content

v2.0.0

Marketplace
Marketplace
Compare
Choose a tag to compare
@zricethezav zricethezav released this 02 Jun 22:04
v2.0.0
07d6e4e

What's Changed

Gitleaks-Action Version 2 brings a range of new features including:

1. On demand scans

You can now use workflow_dispatch events to trigger on demand gitleaks scans.

Screen Shot 2022-05-30 at 8 30 31 PM

2. Gitleaks report artifact uploads

Not much more to say here. Download reports when leaks are present. Pretty useful feature.

Screen Shot 2022-05-30 at 9 20 36 PM

3. Powered by the latest version of Gitleaks

The latest version of gitleaks (v8.8.6 at the time of writing) has better performance, more configuration options, and is more accurate than the previous major version.

4. Job summaries

Easy to understand report of a Gitleaks job. If no leaks are detected you'll see:

Screen Shot 2022-05-30 at 9 26 10 PM

If leaks are detected you'll see something like:

Screen Shot 2022-05-30 at 8 41 07 PM

5. Faster job times

Gitleaks-Action Version 2 does not rely on Docker build anymore.

6. Pull Request Comments

If a leak is encountered during a pull request, gitleaks-action will comment on the line number and commit containing the secret.

Screen Shot 2022-05-31 at 9 31 06 PM

What's fixed

  • Older versions of the gitleaks-action relied on using git log to determine the range of commits. Version 2 of gitleaks-action ensures that only relevent commits are scanned by leveraging Action context and GitHub's API.

Getting started with Version 2

Getting a License-Key (ONLY FOR ORGANIZATION REPOS, USER ACCOUNTS DO NOT NEED A LICENSE KEY)

Before enabling Gitleaks-Action Version 2, you will need to obtain a gitleaks-action license key from gitleaks.io if you are using gitleaks within the context of an organization. If you are using gitleaks-aciton on a user account's repo, you do not need a license key. You can sign up for a free license key that will grant you access to use gitleaks-action on one repo. The free tier sign up link will take you to a google forms page where you can fill out your information. After filling out your information, you should receive an email similar to the one below.

Screen Shot 2022-06-02 at 2 38 27 PM

NOTE: be patient with the free tier, the google forms API can be slow.

NOTE: 1 free license per account.

If you would like access to more repos for your organization or personal account, you can subscribe to one of the paid tiers which will grant you access to use Gitleaks-Action Version 2 on 10, 100, or 1000 repos.

Setting the GITLEAKS_LICENSE secret

After getting a license key, head over to your github organization's or repo's settings and set GITLEAKS_LICENSE as a secret. Great! You can now run gitleaks-action v2:

name: gitleaks
on: [pull_request, push, workflow_dispatch]
jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: zricethezav/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
Assets 2
Loading