DariuszPorowski/github-action-gitleaks

A GitHub Action that integrates Gitleaks secret scanning into GitHub Actions workflows, helping teams automatically detect sensitive information accidentally leaked in code and Git history as part of the CI/CD pipeline.

Stars: 22 | Forks: 13

# GitHub Action for Gitleaks

[![GitHub - marketplace](https://img.shields.io/badge/marketplace-gitleaks--scanner-blue?logo=github&style=flat-square)](https://github.com/marketplace/actions/gitleaks-scanner) [![GitHub - release](https://img.shields.io/github/v/release/DariuszPorowski/github-action-gitleaks?style=flat-square)](https://github.com/DariuszPorowski/github-action-gitleaks/releases/latest) [![GitHub - license](https://img.shields.io/github/license/DariuszPorowski/github-action-gitleaks?style=flat-square)](https://github.com/DariuszPorowski/github-action-gitleaks/blob/main/LICENSE)

This GitHub Action lets you run [Gitleaks](https://github.com/gitleaks/gitleaks) in your CI/CD workflow.

## Inputs

| Name             | Required | Type   | Default                         | Description                                                                      |
|------------------|:--------:|:------:|---------------------------------|----------------------------------------------------------------------------------|
| source           | false    | string | $GITHUB_WORKSPACE               | Path to source (relative to $GITHUB_WORKSPACE)                                   |
| config           | false    | string | /.gitleaks/UDMSecretChecks.toml | Path to config file (relative to $GITHUB_WORKSPACE)                              |
| baseline_path    | false    | string | *not set*                       | Path to baseline with issues that can be ignored (relative to $GITHUB_WORKSPACE) |
| report_format    | false    | string | json                            | Report file format: json, csv, sarif                                             |
| no_git           | false    | bool   | *not set*                       | Treat the git repository as a regular directory and scan those files             |
| redact           | false    | bool   | true                            | Redact secrets from log messages and leaks                                       |
| fail             | false    | bool   | true                            | Fail if secrets are found                                                        |
| verbose          | false    | bool   | true                            | Show verbose output from the scan                                                |
| log_level        | false    | string | info                            | Log level (trace, debug, info, warn, error, fatal)                               |
| exit_code        | false    | int    | 1                               | Exit code when leaks have been encountered                                       |
| log_opts         | false    | string | *not set*                       | git log options                                                                  |
| max_decode_depth | false    | int    | 0                               | Allow recursive decoding up to this depth (default "0", no decoding)             |
| follow_symlinks  | false    | bool   | false                           | Scan files that are symlinks to other files                                      |

## Outputs

| Name     | Description                                              |
|----------|----------------------------------------------------------|
| exitcode | Success (code: 0) or failure (code: 1) value of the scan |
| result   | Gitleaks result summary                                  |
| output   | Gitleaks log output                                      |
| command  | Gitleaks executed command                                |
| report   | Report file path                                         |

## Usage examples

### With Pull Request comment

```yaml
---
name: Secret Scan

on:
  pull_request:
  push:
    branches:
      - main

# Allow one concurrency
concurrency:
  group: ${{ format('{0}-{1}-{2}-{3}-{4}', github.workflow, github.event_name, github.ref, github.base_ref, github.head_ref) }}
  cancel-in-progress: true

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run Gitleaks
        id: gitleaks
        uses: DariuszPorowski/github-action-gitleaks@v2
        with:
          fail: false

      - name: Post PR comment
        uses: actions/github-script@v7
        if: ${{ steps.gitleaks.outputs.exitcode == 1 && github.event_name == 'pull_request' }}
        with:
          github-token: ${{ github.token }}
          script: |
            const { GITLEAKS_RESULT, GITLEAKS_OUTPUT } = process.env
            const output = `### ${GITLEAKS_RESULT}

            Log output

            ${GITLEAKS_OUTPUT}
            `
            github.rest.issues.createComment({
              ...context.repo,
              issue_number: context.issue.number,
              body: output
            })
        env:
          GITLEAKS_RESULT: ${{ steps.gitleaks.outputs.result }}
          GITLEAKS_OUTPUT: ${{ steps.gitleaks.outputs.output }}
```

### With SARIF report

```yaml
- name: Checkout
  uses: actions/checkout@v4
  with:
    fetch-depth: 0

- name: Run Gitleaks
  id: gitleaks
  uses: DariuszPorowski/github-action-gitleaks@v2
  with:
    report_format: sarif
    fail: false

# (Optional) Only to see the outputs from the Action
# Note that OUTPUT must be passed via env vars!
- name: Get the output from the gitleaks step
  run: |
    echo "exitcode: ${{ steps.gitleaks.outputs.exitcode }}"
    echo "result: ${{ steps.gitleaks.outputs.result }}"
    echo "command: ${{ steps.gitleaks.outputs.command }}"
    echo "report: ${{ steps.gitleaks.outputs.report }}"
    echo "output: ${GITLEAKS_OUTPUT}"
  env:
    GITLEAKS_OUTPUT: ${{ steps.gitleaks.outputs.output }}

- name: Upload Gitleaks SARIF report to code scanning service
  if: ${{ steps.gitleaks.outputs.exitcode == 1 }}
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: ${{ steps.gitleaks.outputs.report }}
```

### With JSON report and custom rules configuration

```yaml
- name: Checkout
  uses: actions/checkout@v4
  with:
    fetch-depth: 0

- name: Run Gitleaks
  id: gitleaks
  uses: DariuszPorowski/github-action-gitleaks@v2
  with:
    config: MyGitleaksConfigs/MyGitleaksConfig.toml

- name: Upload Gitleaks JSON report to artifacts
  uses: actions/upload-artifact@v4
  if: failure()
  with:
    name: gitleaks
    path: ${{ steps.gitleaks.outputs.report }}
```

## Additional rules

[Jesse Houwing](https://github.com/jessehouwing) provides a Gitleaks config that contains most of the deprecated Microsoft CredScan rules. If you need to scan projects based on Microsoft technologies or Azure Cloud, using it is recommended.

- [UDMSecretChecks.toml](https://github.com/jessehouwing/gitleaks-azure/blob/main/UDMSecretChecksv8.toml)

## How to remove secrets from Git history?

[GitHub](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository) has a great article on solving this problem with [BFG Repo Cleaner](https://rtyley.github.io/bfg-repo-cleaner/).
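The JSON report the action exposes as `steps.gitleaks.outputs.report` (and the earlier report that `baseline_path` points at) is a plain list of finding objects. As an added example that is not part of this project, the Python below parses a constructed report, picks out findings absent from a constructed baseline by `Fingerprint` (the script's own triage rule, not a description of how gitleaks' `--baseline-path` matches entries), and produces per-rule counts plus redacted lines suitable for a PR comment; every path, commit hash and secret value is made up.

```python
import json
from collections import Counter

# Constructed sample of a Gitleaks JSON report, i.e. the file the action exposes as
# steps.gitleaks.outputs.report with report_format: json. Field names follow the
# Gitleaks v8 report schema; every value (paths, commits, secrets) is made up.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "Description": "Generic API Key",
     "File": "config/settings.py", "StartLine": 12, "EndLine": 12,
     "Commit": "0000000000000000000000000000000000000001",
     "Match": "API_KEY = 'EXAMPLE-SECRET-1'", "Secret": "EXAMPLE-SECRET-1",
     "Fingerprint": "0000000000000000000000000000000000000001:config/settings.py:generic-api-key:12"},
    {"RuleID": "aws-access-token", "Description": "AWS Access Token",
     "File": "src/deploy.sh", "StartLine": 3, "EndLine": 3,
     "Commit": "0000000000000000000000000000000000000002",
     "Match": "AKIAEXAMPLESECRET2", "Secret": "AKIAEXAMPLESECRET2",
     "Fingerprint": "0000000000000000000000000000000000000002:src/deploy.sh:aws-access-token:3"},
])
# Constructed baseline: an earlier report in which the first finding was already triaged.
SAMPLE_BASELINE = json.dumps([json.loads(SAMPLE_REPORT)[0]])

def load_findings(report_json: str) -> list[dict]:
    """Parse a Gitleaks JSON report: a top-level list of finding objects."""
    findings = json.loads(report_json)
    if not isinstance(findings, list):
        raise ValueError("Gitleaks JSON report must be a list of findings")
    return findings

def new_findings(report_json: str, baseline_json: str) -> list[dict]:
    """Findings whose Fingerprint is absent from the baseline report.
    Assumption: matching on Fingerprint is this script's own triage rule and says
    nothing about how gitleaks' --baseline-path compares entries."""
    known = {f["Fingerprint"] for f in load_findings(baseline_json)}
    return [f for f in load_findings(report_json) if f["Fingerprint"] not in known]

def summarize(findings: list[dict]) -> dict:
    """Counts per rule and per file; Secret and Match values are never copied out."""
    return {"total": len(findings),
            "by_rule": dict(Counter(f["RuleID"] for f in findings)),
            "by_file": dict(Counter(f["File"] for f in findings))}

def redacted_lines(findings: list[dict]) -> list[str]:
    """One line per finding safe to post in a PR comment: rule and location only,
    mirroring the action's redact: true default. Commit is empty under no_git."""
    return [f"{f['RuleID']} {f['File']}:{f['StartLine']} commit "
            f"{(f.get('Commit') or 'no-git')[:7]}" for f in findings]
```

Run it against the report path from the "Get the output" step to post only findings that were not already in your baseline.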