GitHub Actions

Add this workflow to .github/workflows/redactyl.yml:

```yaml
name: Secret Scanning
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Full history for git scanning
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Install Redactyl
        run: go install github.com/varalys/redactyl@latest
      - name: Run Redactyl scan
        run: redactyl scan --sarif > redactyl.sarif.json
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: redactyl.sarif.json
```

SARIF output integrates with GitHub Code Scanning. Findings appear:

  • In the Security tab
  • As annotations on PRs
  • In the code view

Scan container images before pushing them to a registry. The job needs `security-events: write` for the SARIF upload step:

```yaml
jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # required by upload-sarif
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Install Redactyl
        run: go install github.com/varalys/redactyl@latest
      - name: Scan image
        run: |
          docker save myapp:${{ github.sha }} > image.tar
          redactyl scan image.tar --sarif > redactyl.sarif.json
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: redactyl.sarif.json
```

Add findings as PR comments. The job that runs these steps needs `pull-requests: write` so that `github-script` can create the comment:

```yaml
- name: Run Redactyl scan
  id: scan
  run: |
    redactyl scan --json > findings.json
    echo "count=$(jq length findings.json)" >> $GITHUB_OUTPUT
- name: Comment on PR
  if: steps.scan.outputs.count > 0
  uses: actions/github-script@v7
  with:
    script: |
      const findings = require('./findings.json');
      const body = `## Redactyl found ${findings.length} secrets\n\n` +
        findings.map(f => `- \`${f.detector}\` in ${f.file}:${f.line}`).join('\n');
      await github.rest.issues.createComment({
        owner: context.repo.owner,
        repo: context.repo.repo,
        issue_number: context.issue.number,
        body
      });
```
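
The inline script above posts one line per finding, which is fine for a handful of hits but produces an unreadable comment on a repository with hundreds. The following added example (not Redactyl's code) factors the body construction into a function that groups findings by file, caps the number of lines, and returns `null` when there is nothing to post, mirroring the `count > 0` gate. Only the `detector`, `file` and `line` fields the page's step uses are assumed; the findings themselves are constructed.

```javascript
// Added example, not part of the Redactyl project: build the PR comment body from
// the findings JSON. SAMPLE_FINDINGS is constructed; it uses only the detector/file/line
// fields referenced by the workflow step above, nothing else about the JSON schema is assumed.
const MAX_LINES = 25; // cap so a noisy scan does not produce an unreadable comment

function buildCommentBody(findings, maxLines = MAX_LINES) {
  if (!Array.isArray(findings) || findings.length === 0) {
    return null; // nothing to post; mirrors the `count > 0` step condition
  }
  // Group by file so reviewers see one header per affected path.
  const byFile = new Map();
  for (const f of findings) {
    if (!byFile.has(f.file)) byFile.set(f.file, []);
    byFile.get(f.file).push(f);
  }
  const lines = [];
  for (const [file, hits] of byFile) {
    lines.push(`**${file}**`);
    hits.sort((a, b) => a.line - b.line);
    for (const h of hits) lines.push(`- \`${h.detector}\` at line ${h.line}`);
  }
  const shown = lines.slice(0, maxLines);
  const omitted = lines.length - shown.length;
  const plural = findings.length === 1 ? 'secret' : 'secrets';
  let body = `## Redactyl found ${findings.length} ${plural}\n\n` + shown.join('\n');
  if (omitted > 0) {
    body += `\n\n_${omitted} more lines omitted; see the workflow log or the SARIF upload._`;
  }
  return body;
}

// Constructed sample findings: two in one file, one in another.
const SAMPLE_FINDINGS = [
  { detector: 'aws-access-key', file: 'config/prod.env', line: 15 },
  { detector: 'github-token', file: 'scripts/deploy.sh', line: 3 },
  { detector: 'aws-secret-key', file: 'config/prod.env', line: 14 },
];

console.log(buildCommentBody(SAMPLE_FINDINGS));
```

Inside the `github-script` step you would replace the inline template with `const body = buildCommentBody(require('./findings.json'));` and skip the `createComment` call when `body` is `null`.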

Scan main branch on a schedule:

```yaml
on:
  schedule:
    - cron: '0 0 * * *' # Daily at midnight (UTC)
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go install github.com/varalys/redactyl@latest
      - run: redactyl scan --no-tui
      - name: Scan Helm charts
        run: redactyl scan --helm ./charts --sarif > redactyl.sarif.json
```

Exclude known secrets:

```yaml
- name: Run Redactyl with baseline
  run: redactyl scan --baseline .redactyl-baseline.json --sarif > redactyl.sarif.json
```

Only fail on high severity findings:

```yaml
- name: Run Redactyl scan
  run: redactyl scan --severity high --no-tui
```

Scan multiple images with a matrix, one job per image:

```yaml
jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        image: [api, web, worker]
    steps:
      - run: go install github.com/varalys/redactyl@latest
      - run: redactyl scan --image myorg/${{ matrix.image }}:latest
```