Skip to main content

GitHub actions

Prelude#

GitGuardian CI/CD integration with GitHub comes in the form of GitHub actions and is performed through our CLI application gg-shield. gg-shield is a wrapper around GitGuardian API for secrets detection that requires an API key to work.

gg-shield's GitHub action is hosted at gg-shield-action.

Preview#

GitHub actions output

If there are secret leaks or other security issues in your commit, your workflow will be marked as failed.

GitHub actions checks list

Be sure to add GitGuardian scan to your required status checks in your repository settings to stop pull requests with security issues from being merged.

Installation#

  1. Create an API key within the API section of your GitGuardian workspace.
  2. Add this API key to the GITGUARDIAN_API_KEY environment variable in your project settings. You can set the GITGUARDIAN_API_KEY value in the "Secrets" page of your repository's settings.
  3. Add a new job to your GitHub workflow using the GitGuardian/gg-shield-action action .github/workflows/gitguardian.
name: GitGuardian scan
on: [push, pull_request]
jobs:  scanning:    name: GitGuardian scan    runs-on: ubuntu-latest    steps:      - name: Checkout        uses: actions/checkout@v2        with:          fetch-depth: 0 # fetch all history so multiple commits can be scanned      - name: GitGuardian scan        uses: GitGuardian/gg-shield-action@master        env:          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

You may be interested in using GitGuardian's GitHub integration to ensure full coverage of your GitHub repositories as well as full git history scans and reporting.