# Release Notes for v1.0.0 - Initial Release
## ✨ What's New

- **GitHub Secrets Scanner Action:** A GitHub Action that scans your repository's commit history for sensitive information like API keys, tokens, and passwords.
- **Customizable Regex Patterns:** Users can configure custom regex patterns to match sensitive information in their codebase.
- **Branch and Repository Scanning:** Specify the repository and branch you want to scan, making it flexible for different workflows.
- **GitHub Token Authentication:** Supports secure authentication via a GitHub token for accessing the repository.
- **Triggered on Push & PR Events:** Scans are triggered automatically on `push` and `pull_request` events, ensuring continuous secret detection.
## ⚙️ How It Works

- **Add the Action:** Add the action to your GitHub workflow YAML file.
- **Configure the Inputs:** Set the necessary inputs:
  - `repo`: Your GitHub repository (e.g., `owner/repo`)
  - `token`: Your GitHub authentication token
  - `branch`: The branch to scan (default is `main`)
  - `patterns`: Custom comma-separated list of regex patterns for detecting secrets (e.g., `API_KEY,SECRET_KEY`)
- **Run the Workflow:** The action will scan your commits for secrets based on the specified patterns.
## 📝 Known Issues

- The action scans all files by default, including `README.md`. You can customize the `patterns` input or adjust the code to exclude specific files if needed.
- The regex patterns for secret scanning are basic. More complex patterns may require further configuration.
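As an added illustration of the comma-separated `patterns` mechanism described under "How It Works" and of the `README.md` false positive noted above, the following Node.js script is example code written for these notes, not the action's own source. It compiles a `patterns` input into regular expressions, scans a constructed two-commit history line by line, and shows how a hypothetical file-exclusion list (not an input the v1.0.0 action provides) would suppress the README hit. All commits, file paths and contents are constructed sample data.

```javascript
// Compile the comma-separated `patterns` input into RegExp objects.
// A pattern that fails to compile is reported instead of aborting the scan,
// so one typo in the workflow input does not silently disable detection.
function compilePatterns(patternsInput) {
  const compiled = [];
  const invalid = [];
  for (const raw of patternsInput.split(',')) {
    const pattern = raw.trim();
    if (!pattern) continue;
    try {
      compiled.push(new RegExp(pattern));
    } catch (err) {
      invalid.push(pattern);
    }
  }
  return { compiled, invalid };
}

// Scan every file in one commit. `exclude` is a hypothetical list of paths to
// skip; the released action has no such input (see Known Issues), so this is
// only an illustration of what "adjust the code to exclude specific files" means.
function scanCommit(commit, regexes, exclude = []) {
  const findings = [];
  for (const [path, content] of Object.entries(commit.files)) {
    if (exclude.includes(path)) continue;
    content.split('\n').forEach((line, index) => {
      for (const re of regexes) {
        if (re.test(line)) {
          // Record where the match is, not the matched text, so the report
          // itself does not echo a possible secret into workflow logs.
          findings.push({ sha: commit.sha, path, line: index + 1, pattern: re.source });
        }
      }
    });
  }
  return findings;
}

// Scan a list of commits (oldest first or newest first; order does not matter here).
function scanHistory(commits, patternsInput, exclude = []) {
  const { compiled, invalid } = compilePatterns(patternsInput);
  const findings = commits.flatMap((commit) => scanCommit(commit, compiled, exclude));
  return { findings, invalid };
}

// Constructed sample history. The README merely documents the variable name,
// yet the basic pattern `API_KEY` matches it too: exactly the Known Issue above.
const SAMPLE_COMMITS = [
  {
    sha: 'aaaa111',
    files: {
      'README.md': '# Demo\n\nSet API_KEY in your environment before running.\n',
      'config.js': "const settings = {\n  API_KEY: 'placeholder-not-a-real-key',\n};\n",
    },
  },
  {
    sha: 'bbbb222',
    files: {
      '.env.example': 'SECRET_KEY=changeme\nLOG_LEVEL=info\n',
    },
  },
];

// Same patterns as the workflow example below, with and without the README excluded.
const FULL_SCAN = scanHistory(SAMPLE_COMMITS, 'API_KEY,SECRET_KEY,TOKEN');
const SCAN_WITHOUT_README = scanHistory(SAMPLE_COMMITS, 'API_KEY,SECRET_KEY,TOKEN', ['README.md']);

for (const finding of FULL_SCAN.findings) {
  console.log(`${finding.sha} ${finding.path}:${finding.line} matched /${finding.pattern}/`);
}
console.log(`${FULL_SCAN.findings.length} hits in total, ${SCAN_WITHOUT_README.findings.length} with README.md excluded`);
```

Because the shipped patterns are plain substrings such as `API_KEY`, any documentation or example file that mentions the name is reported alongside real assignments; tightening the regex to require an assignment (for example `API_KEY\s*[:=]\s*['"]\S+`) or excluding documentation paths are the two levers the Known Issues section points at.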
## 🚀 How to Use

```yaml
name: Test GitHub Secrets Scanner Action

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  run-action:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Ensure full commit history is fetched for proper diff comparison

      - name: Install dependencies
        run: npm install

      - name: Run Secrets Scanner
        uses: Yash-srivastav16/github-secrets-scanner-action@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # The repo shown here is the action's own; use your own owner/repo value
          repo: 'Yash-srivastav16/github-secrets-scanner-action'
          branch: 'main'
          patterns: 'API_KEY,SECRET_KEY,TOKEN'
```