Gitleaks Secrets Scanner

Gitleaks Secrets Scanner - Reusable Workflow

Runs the Gitleaks scanner via the argus Python CLI. Equivalent to: python -m argus scan gitleaks

Note: Uses fetch-depth: 0 for full git history scanning.

For GHES users: Use the composite action directly instead of this workflow. See: examples/github-enterprise/sast-only.yml

uses: huntridge-labs/argus/.github/workflows/scanner-gitleaks.yml@1.1.0

Triggers

Input	Description	Required	Default
`post_pr_comment`	Whether to post PR comments boolean	No	`True`
`enable_code_security`	Whether GitHub Code Security is enabled for this repository boolean	No	`False`
`fail_on_severity`	Fail the job if secrets are found. Gitleaks does not support severity-based filtering - any value other than "none" w... string	No	`none`

Input	Description	Required	Default
`gitleaks_enable_comments`	Enable GitLeaks inline PR comments (requires GITLEAKS_LICENSE) boolean	No	`True`
`gitleaks_notify_user_list`	Comma-separated list of GitHub usernames to notify on secret detection (e.g., "@user1,@user2") string	No	`—`
`gitleaks_enable_summary`	Enable GitLeaks job summary boolean	No	`True`
`gitleaks_enable_upload_artifact`	Enable uploading SARIF artifact when secrets are detected boolean	No	`True`
`gitleaks_config`	Path to a gitleaks configuration file (e.g., "path/to/gitleaks.toml") string	No	`—`

Secret	Description	Required
`GITLEAKS_LICENSE`	License key for GitLeaks scans within a Github Organization. Obtain from https://gitleaks.io	No

Runs on: ubuntu-latest · Timeout: 10 minutes · Continue on error: Yes

Steps:

Checkout repository — actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
Set up Python — actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
Install Argus
Run scan
Upload artifacts — actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
Upload SARIF — github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13
Comment PR with results — huntridge-labs/argus/.github/actions/comment-pr@1.1.0