Gitleaks Secrets Scanner

Gitleaks Secrets Scanner - Reusable Workflow

THIN WRAPPER: This workflow delegates to the scanner-gitleaks composite action. All scanning logic is in: .github/actions/scanner-gitleaks/action.yml

Note: The action handles checkout with fetch-depth: 0 for full git history.

For GHES users: Use the composite action directly instead of this workflow. See: examples/github-enterprise/sast-only.yml

uses: huntridge-labs/argus/.github/workflows/scanner-gitleaks.yml@0.6.7

Triggers

Input	Description	Required	Default
`post_pr_comment`	Whether to post PR comments boolean	No	`True`
`enable_code_security`	Whether GitHub Code Security is enabled for this repository boolean	No	`False`
`fail_on_severity`	Fail the job if secrets are found. Gitleaks does not support severity-based filtering - any value other than "none" w... string	No	`none`

Input	Description	Required	Default
`gitleaks_enable_comments`	Enable GitLeaks inline PR comments (requires GITLEAKS_LICENSE) boolean	No	`True`
`gitleaks_notify_user_list`	Comma-separated list of GitHub usernames to notify on secret detection (e.g., "@user1,@user2") string	No	`—`
`gitleaks_enable_summary`	Enable GitLeaks job summary boolean	No	`True`
`gitleaks_enable_upload_artifact`	Enable uploading SARIF artifact when secrets are detected boolean	No	`True`
`gitleaks_config`	Path to a gitleaks configuration file (e.g., "path/to/gitleaks.toml") string	No	`—`

Secret	Description	Required
`GITLEAKS_LICENSE`	License key for GitLeaks scans within a Github Organization. Obtain from https://gitleaks.io	No

Runs on: ubuntu-latest · Timeout: 10 minutes · Continue on error: Yes

Steps:

Run Gitleaks Scanner — huntridge-labs/argus/.github/actions/scanner-gitleaks@0.6.7

Actions used: