• Git-leaks is a SAST tool for detecting and preventing hardcoded secrets like Passwords, API keys and tokens in GitHub Repository.
• Git-leaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
• Git-leaks would be configured as part of GitHub actions workflow for all the repositories we want to monitor for any sensitive secret patterns.

Example of Git-Leaks basic workflow:

The above GitHub Actions workflow does couple of things:

• It only runs when the repository event is a push (direct commit) or a pull request against main branch. This is defined in the ‘on’ section of workflow file.
• The job runs against the latest Ubuntu environment.
• The steps defined in the job checks out the repository and install the Git-leaks.
• Git-leaks will scan and if leaks are present, it will detect in the Action logs and same time it will generate the artifact also.
• If required, we can download those reports to identify the leaks in our Repository.
• By using some public actions, you can also generate the report on the Pull-request.
• This is Pretty useful feature, for easily identifying the secrets or leaks while merging to the main/master branch.

Results:

Git-leaks Actions log Report:

• From the GitHub Actions live logs, you can see something like this if no leaks are detected

Git-leaks report artifact:

Download reports when leaks are present from GitHub Actions.

Pull Request Comments:

• Easy to understand report of a Git-leaks job. If no leaks are detected during pull-request, you'll see:

• If leaks are encountered during a pull request, you’ll see something like this.

How to remove the valid detected secrets:

• By using the generate artifact report or pull-request comments we can identify, where the secrets are leaking and simply, we can do modifications in that to remove the detected secrets.
• By using BFG repo cleaner also you can remove the secrets.

Benefits of using Git-Leaks with GitHub Actions:

• Pretty useful feature, to identify the leaks like Passwords, API keys, and tokens in GitHub repos.
• With GitHub Actions you can also generate the report on the Pull-request and live logs.
• By using Reusable workflows, easily you can trigger in all the workflows and get the results