From e98afc31a5784583fd6675bbc029195221d25705 Mon Sep 17 00:00:00 2001 From: anmolnagpal Date: Wed, 11 Feb 2026 08:18:53 +0000 Subject: [PATCH 1/3] feat(actions): add reusable gitleaks PR scan workflow --- .github/workflows/gitleaks-pr-scan.yml | 28 ++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/gitleaks-pr-scan.yml diff --git a/.github/workflows/gitleaks-pr-scan.yml b/.github/workflows/gitleaks-pr-scan.yml new file mode 100644 index 00000000..4e9b5628 --- /dev/null +++ b/.github/workflows/gitleaks-pr-scan.yml @@ -0,0 +1,28 @@ +name: 🔐 Gitleaks PR Scan + +on: + workflow_call: + inputs: + checkout_ref: + description: 'Ref to checkout before scanning (optional).' + required: false + type: string + default: '' + +permissions: + contents: read + +jobs: + gitleaks: + name: 🔍 Gitleaks scan + runs-on: ubuntu-latest + steps: + - name: 📦 Checkout + uses: actions/checkout@v6 + with: + ref: ${{ inputs.checkout_ref != '' && inputs.checkout_ref || github.ref }} + + - name: 🔐 Run gitleaks on PR changes + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From fdf0e556fb01db945ceea9c43e3a091cd2b75c60 Mon Sep 17 00:00:00 2001 From: anmolnagpal Date: Wed, 11 Feb 2026 08:22:27 +0000 Subject: [PATCH 2/3] docs(readme): add gitleaks workflow reference and usage guide --- README.md | 1 + docs/31.gitleaks-pr-scan.md | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 docs/31.gitleaks-pr-scan.md diff --git a/README.md b/README.md index 56c58543..0d7e9d04 100644 --- a/README.md +++ b/README.md 
@@ -125,6 +125,7 @@ Above example is just a simple example to call workflow from github shared workf 28. [Terraform Workflow](./docs/28.terraform_workflow.md) 29. [Terraform Module Tag Release Workflow (Shared)](./docs/29.tf-monorepo-tag-release.md) 30. [Terraform PR Plan Diff workflow](./docs/30.tf-pr-checks.md) +31. [Gitleaks PR Scan Workflow](./docs/31.gitleaks-pr-scan.md) ## Feedback If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/github-shared-workflows/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). diff --git a/docs/31.gitleaks-pr-scan.md b/docs/31.gitleaks-pr-scan.md new file mode 100644 index 00000000..b4e63159 --- /dev/null +++ b/docs/31.gitleaks-pr-scan.md @@ -0,0 +1,29 @@ +## [Gitleaks PR Scan Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/.github/workflows/gitleaks-pr-scan.yml) + +This reusable workflow runs Gitleaks to detect hardcoded secrets in pull requests. It is designed to be called from organization/module repositories via `workflow_call`. + +#### Usage +Use this workflow when you want a centralized and consistent secret-scanning gate managed from `clouddrove/github-shared-workflows`. + +### Highlights +- ✅ Reusable `workflow_call` implementation +- 🔐 Detects leaked credentials/secrets in PR code changes +- 🧩 Can be consumed by `.github` policy repos and module repos +- 🛡️ Uses `GITHUB_TOKEN` from caller context (`secrets: inherit`) + +#### Example +```yaml +name: Gitleaks PR Secret Scan + +on: + pull_request: + workflow_dispatch: + +permissions: + contents: read + +jobs: + gitleaks: + uses: clouddrove/github-shared-workflows/.github/workflows/gitleaks-pr-scan.yml@master + secrets: inherit +``` From c50cc38207b3f17057d579fa6f0d179d36e125f4 Mon Sep 17 00:00:00 2001 
From: anmolnagpal Date: Wed, 11 Feb 2026 08:27:25 +0000 Subject: [PATCH 3/3] fix(ci): satisfy yamllint document markers --- .github/workflows/gitleaks-pr-scan.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/gitleaks-pr-scan.yml b/.github/workflows/gitleaks-pr-scan.yml index 4e9b5628..232ddfa2 100644 --- a/.github/workflows/gitleaks-pr-scan.yml +++ b/.github/workflows/gitleaks-pr-scan.yml @@ -1,3 +1,4 @@ +--- name: 🔐 Gitleaks PR Scan on: @@ -26,3 +27,4 @@ jobs: uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +...
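Review bot: In the `.github/workflows/gitleaks-pr-scan.yml` hunk of PATCH 1/3, the checkout step sets no `fetch-depth`, so the job gets the default shallow clone of a single commit; gitleaks-action's pull-request mode scans the commit range between the PR base and head, and that range is not present in a depth-1 clone, so the scan is likely to error or cover nothing. Add `fetch-depth: 0` under the checkout step's `with:` (the gitleaks-action README example does the same). Two smaller points on the same hunk: `actions/checkout@v6` and `gitleaks/gitleaks-action@v2` are mutable tag references, and for a shared security gate consumed by many repositories the usual supply-chain practice is to pin each action to a full commit SHA with the tag in a trailing comment; and earlier gitleaks-action v2 releases required a `GITLEAKS_LICENSE` variable for organization-owned repositories, so confirm whether the pinned release still does for `clouddrove` and, if so, declare it under `workflow_call.secrets` and pass it alongside `GITHUB_TOKEN` in `env`.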
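Review bot: In the `docs/31.gitleaks-pr-scan.md` hunk of PATCH 2/3, the consumer example uses `secrets: inherit`, which forwards every secret of the calling repository into the shared workflow although the workflow reads only `secrets.GITHUB_TOKEN`, and on my reading of the reusable-workflow docs `GITHUB_TOKEN` is passed to a called workflow in the same organization without `inherit`. The Highlights bullet `Uses GITHUB_TOKEN from caller context (secrets: inherit)` therefore documents a broader grant than the workflow needs; drop `secrets: inherit` from the example, or, if a license secret turns out to be required, declare that one secret under `workflow_call.secrets` and pass it explicitly. Also on this hunk: the example triggers on `workflow_dispatch` while the step in PATCH 1/3 is named "Run gitleaks on PR changes"; a manual dispatch has no PR base/head range, so either remove that trigger from the example or document what the action scans in that case. The example also references `@master`, a moving branch, where a tag or SHA would make the gate reproducible, and the heading levels (`#### Usage`, `### Highlights`, `#### Example`) are mixed and should be made consistent.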
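Review bot: In the second hunk of PATCH 3/3, the trailing `...` document-end marker is valid YAML, but yamllint's `document-end` rule is disabled by default, so it is only needed if this repository's yamllint configuration enables that rule; if it does not, drop the marker and keep just the `---` added in the first hunk, which is what the `document-start` rule asks for. Either way, run the workflow once after this change to confirm the Actions parser accepts the closing marker before it becomes the template for the shared workflows.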