GitHub Action: Run detect-secrets with reviewdog
reviewdog/action-detect-secrets

This action runs detect-secrets with reviewdog on pull requests to improve code review experience.

Inputs

github_token

Required. Must be in the form github_token: ${{ secrets.github_token }}.

workdir

Optional. The directory from which to look for and run detect-secrets. Default is '.'.

filter_mode

Optional. Reviewdog filter mode [added, diff_context, file, nofilter]. It's the same as the -filter-mode flag of reviewdog.

fail_level

Optional. If set to none, reviewdog always uses exit code 0. Otherwise, reviewdog uses exit code 1 if it finds at least 1 issue with severity greater than or equal to the given level. Possible values: [none, any, info, warning, error]. Default is none.

fail_on_error

Deprecated, use fail_level instead. Whether reviewdog should fail when errors are found [true, false]. This is useful for failing CI builds in addition to adding comments when errors are found. It's the same as the -fail-on-error flag of reviewdog.

level

Optional. Report level for reviewdog [info, warning, error]. It's the same as the -level flag of reviewdog.

reporter

Reporter of the reviewdog command [github-pr-check, github-pr-review, github-check]. Default is github-pr-check. github-pr-review can use Markdown and add a link to the rule page in reviewdog reports.

reviewdog_flags

Optional. Additional reviewdog flags.

detect_secrets_flags

Optional. Flags and args of the detect-secrets command. The default is --all-files --force-use-all-plugins. This can be used to exclude paths, secrets or lines in order to ignore false positives.

baseline_path

Optional. The path to pass to the --baseline argument of the detect-secrets command. If provided, the baseline file will be updated with newly discovered secrets; otherwise it will be created. The default is empty, so a baseline is created or overwritten.

Example usage

name: reviewdog
on: [pull_request]
jobs:
  detect-secrets:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: detect-secrets
      uses: reviewdog/action-detect-secrets@master
      with:
        reporter: github-pr-review # Change reporter.
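A fuller workflow that combines the inputs documented above, added here as an illustration rather than taken from the project's README: it passes the required token, comments only on lines the pull request adds, fails the check on any error-level finding, narrows detect-secrets with its own exclusion options, and reuses a committed baseline. The exclusion patterns, the secret marker string and the baseline path are constructed for this example and are assumptions, not project defaults.

```yaml
name: reviewdog
on: [pull_request]
jobs:
  detect-secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: detect-secrets
        uses: reviewdog/action-detect-secrets@master
        with:
          # Required input, as documented above.
          github_token: ${{ secrets.github_token }}
          # Inline review comments; this reporter can render Markdown.
          reporter: github-pr-review
          # Only report findings on lines this pull request adds.
          filter_mode: added
          # Report every finding at error level ...
          level: error
          # ... and fail the check when at least one error-level finding exists.
          fail_level: error
          # Keep the documented default flags and add detect-secrets' own
          # filtering options. The patterns below are constructed examples:
          # --exclude-files takes a regex matched against the file path,
          # --exclude-lines a regex matched against the line content.
          detect_secrets_flags: >-
            --all-files --force-use-all-plugins
            --exclude-files package-lock.json
            --exclude-lines EXAMPLE_KEY_DO_NOT_USE
          # Hypothetical path: a baseline committed at the repository root,
          # so previously audited findings are not reported again.
          baseline_path: .secrets.baseline
```

The folded scalar (>-) joins the flag lines with single spaces, so the value reaches detect-secrets as one argument string; the default --all-files --force-use-all-plugins is repeated because supplying detect_secrets_flags replaces the default rather than extending it.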

Configuration

Preventing false positives

Since the detect-secrets CLI can report false positives, it is likely you will have to configure it, either by using the detect_secrets_flags input to ignore them or by using inline comments. There are 4 filtering options to ignore false positives: