Skip to content

cloudon-one/git-security-scanner-public

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Repository files navigation

Git Security Scanner - GitHub Action

GitHub Marketplace Release License: MIT Docker

Comprehensive security scanning for GitHub repositories - Detect secrets, vulnerabilities, and misconfigurations in your CI/CD pipeline.

Features

  • Secret Detection - Find API keys, passwords, and tokens using Gitleaks
  • Vulnerability Scanning - Identify CVEs and security issues with Trivy
  • OSV Scanning - Detect known vulnerabilities in open-source dependencies
  • Misconfiguration Detection - Catch IaC and Kubernetes security problems
  • Multiple Report Formats - JSON, HTML, and SARIF for GitHub Security tab
  • PR Integration - Automatic security comments on pull requests
  • Quality Gates - Fail builds on critical security issues
  • Multi-Architecture - Supports both AMD64 and ARM64 runners

Quick Start

Add to your workflow (.github/workflows/security.yml):

name: Security Scan
on: [push, pull_request]

permissions:
  contents: read
  security-events: write
  pull-requests: write
  packages: read

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run Security Scan
        uses: cloudon-one/git-security-scanner-public@2.3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          fail_on_critical: true
          scan_type: all
          create_pr_comment: true

      - name: Upload scan artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-results-${{ github.run_number }}
          path: /tmp/security-scan-results/
          retention-days: 30

Configuration

Inputs

Input Required Default Description
github_token No ${{ github.token }} GitHub token for API access
fail_on_critical No true Fail build if critical issues found
scan_type No all Scan type: all, gitleaks, or trivy
repository_path No . Path to repository to scan
upload_sarif No true Upload SARIF to GitHub Security tab
create_pr_comment No true Create PR comments with results
scanner_version No main Docker image tag to use

Outputs

Output Description
risk_level Overall risk: CRITICAL, HIGH, MEDIUM, LOW, INFO
critical_count Number of critical issues
high_count Number of high severity issues
medium_count Number of medium severity issues
low_count Number of low severity issues
secrets_found Number of secrets detected
vulnerabilities_found Number of vulnerabilities found
misconfigurations_found Number of misconfigurations detected
report_url Link to detailed security report

Usage Examples

Basic Security Check

- uses: cloudon-one/git-security-scanner-public@2.3
  with:
    fail_on_critical: true
    create_pr_comment: true

Advanced Configuration with Result Processing

- uses: cloudon-one/git-security-scanner-public@2.3
  id: security
  with:
    scan_type: all
    fail_on_critical: false
    repository_path: ./src

- name: Process Results
  if: always()
  run: |
    echo "Risk Level: ${{ steps.security.outputs.risk_level }}"
    echo "Secrets: ${{ steps.security.outputs.secrets_found }}"
    echo "Vulnerabilities: ${{ steps.security.outputs.vulnerabilities_found }}"
    echo "Misconfigurations: ${{ steps.security.outputs.misconfigurations_found }}"

Scheduled Weekly Security Audit

name: Weekly Security Audit
on:
  schedule:
    - cron: '0 2 * * 1'  # Mondays at 2 AM
  workflow_dispatch:

permissions:
  contents: read
  security-events: write
  packages: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: cloudon-one/git-security-scanner-public@2.3
        with:
          fail_on_critical: false

Gitleaks-Only Scan (Secrets Detection)

- uses: cloudon-one/git-security-scanner-public@2.3
  with:
    scan_type: gitleaks
    fail_on_critical: true

Trivy-Only Scan (Vulnerabilities and Misconfigurations)

- uses: cloudon-one/git-security-scanner-public@2.3
  with:
    scan_type: trivy
    fail_on_critical: false

Building from Source

Prerequisites

  • Docker with BuildKit support
  • GitHub Token (for GHCR access)

Build Docker Image

docker build --platform linux/amd64 -t git-security-scanner .

Run Local Scan

# Scan current directory
docker run --rm \
  -v $(pwd):/scan_target:ro \
  -v $(pwd)/reports:/reports \
  git-security-scanner all

# Scan with specific scan type
docker run --rm \
  -v $(pwd):/scan_target:ro \
  -v $(pwd)/reports:/reports \
  git-security-scanner gitleaks

Architecture

git-security-scanner-public/
├── action.yml              # GitHub Action composite definition
├── Dockerfile              # Multi-stage container build (Alpine 3.23)
├── git-audit-script.py     # Main Python orchestration script
├── run_scans.sh            # Shell entrypoint wrapper
├── gitleaks.toml           # Secret detection rules configuration
├── Makefile                # Build automation
└── .github/workflows/
    ├── build-scanner-image.yml      # Docker image CI/CD
    └── repository-security-scan.yml # Self-scan workflow

Security Tools (2.3)

Tool Version Purpose
Gitleaks v8.30.1 Secret detection in git history and code
Trivy v0.69.3 Vulnerability and misconfiguration scanning
OSV-Scanner v2.2.1 Open-source dependency vulnerability detection
Helm v3.20.1 Kubernetes manifest template rendering

Base Image: Alpine Linux 3.23 with Python 3.12

Changelog

2.3 (2026-04-08)

  • Updated Gitleaks v8.28.0 → v8.30.1
  • Updated Trivy v0.65.0 → v0.69.3
  • Added OSV-Scanner v2.2.1 for dependency vulnerability detection
  • Updated Helm v3.18.6 → v3.20.1
  • Updated Alpine Linux 3.19 → 3.23
  • Added SHA256 checksum verification for all security tool downloads (AMD64 + ARM64)
  • Fixed JSON report metric extraction paths
  • Removed debug print statements from production code
  • Improved Docker image pull reliability for cross-repo GHCR access
  • Multi-architecture support (AMD64 and ARM64)

v2 (2025-11-22)

  • Added multi-architecture Docker builds
  • Added Makefile and Dockerfile checksum verification
  • Added unit tests
  • Refactored main Python script

v1.1.1 (2025-08-27)

  • Initial public release with Gitleaks and Trivy integration

Contributing

See CONTRIBUTING.md for development guidelines.

Support

License

MIT License - see LICENSE file.

Made by CloudOn One

About

Git secrets, vulnurabilities scanner with rich reporting

cloudon-one.com/secureops.html

Topics

ci-cd security-scanner devsecops code-scanning vulnerability-scanner secutiry gitleaks trivy secret-detection

Resources

Readme

License

MIT license

Contributing

Contributing
Activity
Custom properties

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 3

Fix public image pull for marketplace usage Latest
Apr 8, 2026
+ 2 releases

Sponsor this project

Packages

 
 
 

Contributors

Languages